Rate limit route requests in Laravel

August 26, 2019 · Laravel

As backend developers, to make our web application full proof we need to make sure our application is running as efficiently as possible all the time. Otherwise, everyone using your database will suffer from slow performance. API limiting, which is also known as rate limiting, is an essential component of Internet security, as DoS attacks can tank a server with unlimited API requests.

You may like this if you’re using Laravel 8 ➔ New RateLimiter facade for defining named rate limiters in Laravel 8

Thankfully, Laravel gets you covered in this aspect. In Laravel, you can achieve rate-limiting using a middleware called throttle which comes out of the box in Laravel. You need to assign this throttle middleware to the route or group of routes.

The middleware basically accepts two parameters, specifically “number of requests” and “duration of time”, which determines the maximum number of requests that can be made in a given number of minutes.

• Basic example
• Rate limit on route groups
• Dynamic Rate Limiting

Basic example

You can assign a throttle middleware to a single route like below

Route::get('admin/profile', function () {
    //
})->middleware('auth', 'throttle:30,1');

As you can see, the above route configuration will allow an authenticated user access route 30 times per minute. If user exceed this limit within the specified time span, Laravel will return a 429 Too Many Requests with following response headers.

x-ratelimit-limit: 2
x-ratelimit-remaining: 0
x-ratelimit-reset: 1566834663

Rate limit on route groups

Similarly, you can apply rate limit on a route group like below.

Route::middleware('auth:api', 'throttle:60,1')->group(function () {
    Route::get('/user', function () {
        //
    });
});

Dynamic Rate Limiting

In order to make the “number of requests” dynamic based on the model attribute. This is how you can do so.

Route::middleware('auth:api', 'throttle:rate_limit,1')->group(function () {
    Route::get('/user', function () {
        //
    });
});

Here rate_limit is an attribute of a User model which can be used to calculate the maximum request count for the mentioned route group.

Previous: Reasons to use Composition over Inheritance in PHP Next: Process model records in chunks in Laravel

Learn the fundamentals of PHP 8 (including 8.1, 8.2, and 8.3), the latest version of PHP, and how to use it today with my new book PHP 8 in a Nutshell. It's a no-fluff and easy-to-digest guide to the latest features and nitty-gritty details of PHP 8. So, if you're looking for a quick and easy way to PHP 8, this is the book for you.

Grab your copy now! Read a sample

» Share: Twitter, Facebook, Hacker News

Like this article?

Buy me a coffee

👋 Hi there! I'm Amit. I write articles about all things web development. You can become a sponsor on my blog to help me continue my writing journey and get your brand in front of thousands of eyes.

Become a Sponsor Join my newsletter

Comments?

More on similar topics

Browse articles by category

Dynamically build Mail, DB, and Cache configurations in Laravel

Running multiple commands at once in a terminal using this Laravel Package

Prohibit running destructive DB commands in Laravel

A growing list of well built open-source apps in Laravel