Rate limiting protects APIs against overload, brute force attacks, and abuse. Without it, every endpoint is vulnerable.
Algorithms¶
- Fixed Window: Simple, but burst at window boundaries
- Sliding Window: More precise, higher memory requirements
- Token Bucket: Flexible, allows bursts
- Leaky Bucket: Constant rate
Redis Sliding Window¶
import redis, time r = redis.Redis() def rate_limit(key, limit=100, window=60): now = time.time() pipe = r.pipeline() pipe.zremrangebyscore(key, 0, now - window) pipe.zadd(key, {str(now): now}) pipe.zcard(key) pipe.expire(key, window) _, _, count, _ = pipe.execute() return count <= limit
Express.js¶
const rateLimit = require(‘express-rate-limit’); app.use(‘/api/’, rateLimit({ windowMs: 60 * 1000, max: 100, standardHeaders: true, }));
Key Takeaway¶
Rate limiting on every API. Redis for distributed environments, sliding window for precision.
securityrate limitingapiredis