Rate Limiting

Rate limiting rules control how many requests a client or IP address can send to your application within a specific time window. This helps protect against abuse—such as brute-force attempts, credential stuffing, or denial-of-service attacks—by automatically throttling or blocking traffic that exceeds the allowed threshold. It ensures fair usage, reduces load on your application, and enhances overall security.

You can configure multiple custom rules in your service. Each rule is defined by:

  • A condition to match requests against
  • A request limit for matching traffic
  • An action to take when the limit has been reached, along with the duration for that action

Example

Limit each IP address to 100 requests per minute to the /login endpoint.
If a client exceeds this threshold, block further requests from that IP for 10 minutes.
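
The example rule above, modelled in Python to show how the condition, the request limit, and the action duration interact. This is an added example, not the product's own code or its actual counting algorithm. It assumes a fixed window per IP and an exact path match; `RateLimitRule`, `allow`, and `simulate` are hypothetical names, and the IP addresses are constructed sample values.

```python
from dataclasses import dataclass, field

@dataclass
class RateLimitRule:
    """Hypothetical model of one rule: condition, request limit, action duration."""
    path: str        # condition: exact request path (assumed match type)
    limit: int       # requests allowed per window
    window_s: int    # window length in seconds
    block_s: int     # how long the block action lasts, in seconds
    windows: dict = field(default_factory=dict)  # ip -> (window_start, count)
    blocked: dict = field(default_factory=dict)  # ip -> block expiry time

    def allow(self, ip: str, path: str, now: float) -> bool:
        if path != self.path:
            return True                        # condition not matched: rule ignored
        if now < self.blocked.get(ip, 0.0):
            return False                       # action still in effect
        start, count = self.windows.get(ip, (now, 0))
        if now - start >= self.window_s:
            start, count = now, 0              # fixed window rolled over (assumption)
        count += 1
        if count > self.limit:                 # threshold exceeded: start the block
            self.blocked[ip] = now + self.block_s
            self.windows.pop(ip, None)
            return False
        self.windows[ip] = (start, count)
        return True

def simulate() -> dict:
    # 100 requests per minute to /login, block for 10 minutes when exceeded.
    rule = RateLimitRule(path="/login", limit=100, window_s=60, block_s=600)
    noisy, quiet = "203.0.113.7", "203.0.113.8"   # constructed sample clients
    burst = [rule.allow(noisy, "/login", i * 0.5) for i in range(101)]  # t = 0..50 s
    return {
        "allowed_in_burst": sum(burst),                         # first 100 pass
        "request_101": burst[100],                              # trips the limit at t=50
        "during_block": rule.allow(noisy, "/login", 300.0),     # block runs to t=650
        "other_path": rule.allow(noisy, "/", 300.0),            # outside the condition
        "other_ip": rule.allow(quiet, "/login", 300.0),         # counted per IP
        "after_block": rule.allow(noisy, "/login", 651.0),      # block has expired
    }

if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```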

Adding a Rate Limiting Rule

To add a rate limiting rule to your service:

  1. Navigate to your service.
  2. In the sidebar, select Security, then select Rate Limiting.
  3. Click the Create button.
  4. Fill out the new rate limiting rule form:
    • Rule Name – Enter the name of the new rule.
    • Condition – Define the condition that determines which requests the rule applies to. You can create complex rules with OR and AND operators.
    • Counter – Enter the maximum number of requests allowed during the specified time window.
    • Action – Select the action to take when requests hit the limit, and specify the duration for this action.
  5. Click Save.

Updating & Deleting a Rate Limiting Rule

To modify or delete a rate limiting rule in your service:

  1. Navigate to your service.
  2. In the sidebar, select Security, then select Rate Limiting.
  3. Find the rule you want to update or delete, then click the Edit icon to modify it, or the Delete icon to remove it.