
API Rate Limiting Security FAQ & Answers

5 expert API Rate Limiting Security answers researched from official documentation. Every answer cites authoritative sources you can verify.



API rate limiting strategies (OWASP API4:2023 - Unrestricted Resource Consumption):
(1) Per-user limits - track by user ID for authenticated requests (100 req/min per user prevents single-user abuse).
(2) Per-IP limits - track by IP address for anonymous requests (20 req/min per IP; watch for distributed attacks from botnets).
(3) Per-API-key limits - track by API key for third-party integrations (1000 req/hour per key).
(4) Endpoint-specific limits - /login: 5 attempts/15 min (strict, prevents brute force); /api/data: 100 req/min (lenient, normal usage); /search: 20 req/min (moderate, resource-intensive).
Prevents brute force, DoS, credential stuffing and resource exhaustion. Essential for authentication endpoints, public APIs and resource-intensive operations.


HTTP 429 Too Many Requests response format:
Headers: X-RateLimit-Limit: 100 (total requests allowed in the window), X-RateLimit-Remaining: 45 (requests left before the limit), X-RateLimit-Reset: 1704974400 (Unix timestamp when the limit resets), Retry-After: 60 (seconds until a retry is allowed; RFC 9110 standard).
Body: {"error": "rate_limit_exceeded", "message": "Too many requests, retry after 60 seconds", "retry_after": 60}
Critical: include the Retry-After header (required by HTTP spec) so clients know exactly when to retry. The X-RateLimit-* headers follow a de facto standard (used by the GitHub, Stripe and Twitter APIs). Clients should respect 429 and implement exponential backoff rather than retrying immediately.


Rate limiting algorithms (2025):
(1) Token Bucket (most common) - the bucket holds tokens (capacity = limit), each request consumes 1 token, tokens refill at a constant rate (10 tokens/sec), bursts are allowed up to capacity. Implementation: Redis INCR + EXPIRE; libraries: express-rate-limit, Flask-Limiter.
(2) Leaky Bucket - requests enter a queue and are processed at a steady rate, excess is dropped; smooths traffic (no bursts allowed).
(3) Fixed Window - count requests per time window (00:00-00:59), reset at the boundary; vulnerable to a burst at the window edge (1000 req at 00:59 + 1000 req at 01:00 = 2000 req in 1 minute).
(4) Sliding Window Log - track the timestamp of each request and count requests in the last N seconds; accurate but memory-intensive.
(5) Sliding Window Counter - hybrid approach, weighted count from the current + previous window; balances accuracy and efficiency.
Recommendation: Token Bucket for most APIs (allows bursts, simple implementation), Sliding Window Counter for strict enforcement.
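As an added example (not code from this FAQ), a minimal JavaScript comparison of the fixed window and the sliding window counter described above, reproducing the 00:59/01:00 boundary burst; the client key and the injected clock (nowMs instead of Date.now()) are constructed for the demonstration.

```javascript
// Added example: fixed window vs sliding window counter on the edge burst from the
// text. nowMs is an injected clock so the scenario is deterministic and testable.
class FixedWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit; this.windowMs = windowMs;
    this.counts = new Map(); // key -> { win, n }
  }
  allow(key, nowMs) {
    const win = Math.floor(nowMs / this.windowMs); // counter resets at each window boundary
    const e = this.counts.get(key);
    if (!e || e.win !== win) { this.counts.set(key, { win, n: 1 }); return true; }
    if (e.n >= this.limit) return false;
    e.n += 1;
    return true;
  }
}

class SlidingWindowCounter {
  constructor(limit, windowMs) {
    this.limit = limit; this.windowMs = windowMs;
    this.counts = new Map(); // key -> { win, cur, prev }
  }
  allow(key, nowMs) {
    const win = Math.floor(nowMs / this.windowMs);
    let e = this.counts.get(key);
    if (!e) { e = { win, cur: 0, prev: 0 }; this.counts.set(key, e); }
    if (e.win !== win) {
      // Roll over: the finished window becomes "previous"; a gap of more than one window means no traffic in it.
      e.prev = win === e.win + 1 ? e.cur : 0;
      e.cur = 0;
      e.win = win;
    }
    // Weight the previous window by how much of it still falls inside the trailing
    // windowMs: this is the "weighted count from current + previous window" hybrid.
    const elapsed = (nowMs % this.windowMs) / this.windowMs;
    const estimate = e.prev * (1 - elapsed) + e.cur;
    if (estimate >= this.limit) return false;
    e.cur += 1;
    return true;
  }
}

// The burst from the text: limit 1000/min, 1000 requests at 00:59 and 1000 at 01:00 from one constructed client key.
function edgeBurst(limiter) {
  let accepted = 0;
  for (let i = 0; i < 1000; i++) if (limiter.allow('198.51.100.7', 59000)) accepted++;
  for (let i = 0; i < 1000; i++) if (limiter.allow('198.51.100.7', 60000)) accepted++;
  return accepted; // fixed window: 2000, sliding counter: 1000
}
console.log(edgeBurst(new FixedWindowLimiter(1000, 60000)), edgeBurst(new SlidingWindowCounter(1000, 60000)));
```

The fixed window lets the whole second burst through because its counter was just reset, while the sliding counter still weights the 1000 requests from the previous window at 100% at the boundary and rejects the burst.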


Production rate limiting implementation (2025):
Express.js - express-rate-limit with a Redis store (distributed rate limiting across instances); Django - django-ratelimit with a cache backend; nginx - limit_req_zone directive (zone=mylimit:10m rate=10r/s); Kong API Gateway - rate-limiting plugin (centralized control); AWS API Gateway - throttling settings (burst 5000, steady 10000 req/sec per account); Cloudflare - rate limiting rules (100k req/month free tier, then $0.05/10k requests).
Example Express.js: const limiter = rateLimit({windowMs: 15*60*1000, max: 100, standardHeaders: true, legacyHeaders: false, store: new RedisStore({client: redisClient})}); app.use('/api/', limiter);
Critical: use shared storage (Redis, Memcached) for multi-instance deployments; otherwise each instance tracks its own counts, which defeats distributed attack prevention.


Advanced rate limiting protections:
(1) CAPTCHA integration - trigger reCAPTCHA after 3 failed login attempts within 5 min (human verification before blocking).
(2) Distributed attack detection - monitor for coordinated attacks across multiple IPs (>1000 IPs hitting the same endpoint indicates a botnet and triggers a global rate reduction).
(3) Adaptive rate limiting - reduce limits during incidents (cut limits 50% during an attack), increase them for trusted users (verified accounts get 10x higher limits).
(4) Tiered limits by authentication - Authenticated: 1000 req/hour, Anonymous: 100 req/hour (incentivizes registration, reduces anonymous abuse).
Monitoring: track the 429 response rate, identify legitimate users hitting limits (adjust thresholds), analyze usage patterns (detect anomalies).
Compliance: PCI-DSS 6.2 (rate limiting for authentication), OWASP API Security Top 10 (API4:2023), CWE-770 (Allocation of Resources Without Limits).
