Skip to main content
RESTful Principles
CHAPTER 25 Beginner

Rate Limiting and Throttling

Updated: May 13, 2026
5 min read

# CHAPTER 25

Rate Limiting and Throttling

1. Introduction

Even if your API is perfectly secure against hackers, it can still be brought down by abuse. If a script (or a malicious bot) sends 10,000 requests per second to your /login endpoint, your database will crash, taking your entire application offline. To prevent this, APIs use Rate Limiting. In Chapter 25, we will explore how to restrict the number of requests a user can make, how to implement basic throttling, and how to communicate these limits via HTTP headers.

2. Learning Objectives

By the end of this chapter, you will be able to:
  • Explain the concepts of Rate Limiting and Throttling.
  • Understand why rate limiting is critical for API stability and cost control.
  • Implement a basic IP-based rate limiter using PHP and file/database storage.
  • Return the 429 Too Many Requests status code.
  • Provide standard X-RateLimit headers to the client.

3. Beginner-Friendly Explanation

Imagine an all-you-can-eat buffet. You are allowed to eat as much as you want, but the rules state you can only take *two slices of pizza every 5 minutes*. If you go back for a third slice after only 2 minutes, the chef says, "Hold on, you are eating too fast. Come back in 3 minutes."

Rate Limiting is the chef. It counts how many requests you make in a specific time window. If you exceed the limit, it temporarily blocks you (Throttling) until the time window resets. This ensures there is enough pizza (server CPU/bandwidth) for everyone else.

4. Real-World Examples

  • GitHub API: GitHub allows unauthenticated users 60 requests per hour. Authenticated users get 5,000 requests per hour. If you exceed this, the API stops returning data and returns an error.
  • Login Brute Force Protection: To stop hackers from guessing passwords, APIs often limit the POST /login endpoint to 5 attempts per 15 minutes per IP address.

5. Detailed Code Examples

In a massive production environment, rate limiting is handled by Redis or API Gateways (like AWS API Gateway). But for learning, here is a simplified concept using PHP Sessions (or a DB) tracking IPs.
php
1234567891011121314151617181920212223242526272829303132333435363738394041 
<?php
// Simple Rate Limiting Concept
session_start();

$limit = 60; // Max 60 requests
$window = 60; // Per 60 seconds

// Initialize session variables if they don't exist
if (!isset($_SESSION[&#039;requests'])) {
    $_SESSION[&#039;requests'] = 0;
    $_SESSION[&#039;first_request_time'] = time();
}

$timePassed = time() - $_SESSION[&#039;first_request_time'];

// Reset the window if 60 seconds have passed
if ($timePassed > $window) {
    $_SESSION[&#039;requests'] = 0;
    $_SESSION[&#039;first_request_time'] = time();
}

$_SESSION[&#039;requests']++;

// Calculate remaining
$remaining = $limit - $_SESSION[&#039;requests'];

// Set standard Headers
header("X-RateLimit-Limit: " . $limit);
header("X-RateLimit-Remaining: " . max(0, $remaining));

// Check if limit exceeded
if ($_SESSION[&#039;requests'] > $limit) {
    header("Retry-After: " . ($window - $timePassed));
    http_response_code(429); // 429 Too Many Requests
    echo json_encode(["error" => "Rate limit exceeded. Please try again later."]);
    exit;
}

// Proceed with API logic
echo json_encode(["message" => "API Request Successful"]);
?>

*(Note: In a true stateless REST API, you would use Redis and the user's IP Address or API Token as the key, rather than $_SESSION)*

6. Request/Response Examples

When a client hits the rate limit, the API gracefully rejects the request.

Request #61:

http
12 
GET /api/data HTTP/1.1
Host: api.example.com

Response:

http
12345678910 
HTTP/1.1 429 Too Many Requests
X-RateLimit-Limit: 60
X-RateLimit-Remaining: 0
Retry-After: 14
Content-Type: application/json

{
  "error": "You have exceeded your request limit.",
  "retry_in_seconds": 14
}

7. HTTP Examples

The standard HTTP headers associated with rate limiting are:
  • X-RateLimit-Limit: The total number of requests allowed in the window.
  • X-RateLimit-Remaining: How many requests you have left.
  • X-RateLimit-Reset: The Unix timestamp of when the limits will reset to the maximum.
  • Retry-After: Used specifically with a 429 error, telling the client exactly how many seconds to wait before trying again.

8. JSON Examples

Often, public APIs will include your current usage in the JSON response metadata, particularly for premium/paid APIs where requests cost money.
json
123456789 
{
  "meta": {
    "credits_used": 150,
    "credits_remaining": 850
  },
  "data": {
    "result": "Success"
  }
}

9. Best Practices

  • Use Redis: Do not use MySQL to count API requests. Writing to MySQL on every single API call is too slow. Redis is an in-memory datastore designed exactly for high-speed counting and expiration.
  • Tiered Limits: Apply different limits based on authentication. Unauthenticated IPs get 10 requests/min. Standard users get 100/min. Premium paying users get 1000/min.
  • Fail Gracefully: Ensure frontend apps look for 429 status codes and display a polite message to the user ("Please wait a moment...") rather than crashing.

10. Common Mistakes

  • Relying only on IP Addresses: If you only limit by IP, an entire office building (which shares a single public IP via NAT) might hit your limit instantly, blocking hundreds of legitimate users. Rate limit by *User Token* or *API Key* whenever possible, falling back to IP only for unauthenticated routes.

11. Mini Exercises

  1. 1. Look at the Retry-After header. If an API returns Retry-After: 30, what should the frontend JavaScript application do?
*(Answer: It should pause API calls and wait 30 seconds before attempting the next request).*

12. Coding Challenges

Challenge 1: Write the PHP logic to return a 429 Too Many Requests status code and a JSON error message indicating that the API limit has been reached.

13. MCQs with Answers

Question 1

What is the standard HTTP status code for "Rate Limit Exceeded"?

Question 2

Which HTTP header tells the client how many requests they have left in their current time window?

Question 3

Why is Redis preferred over MySQL for rate limiting?

14. Interview Questions

  • Q: Why is Rate Limiting essential for a public API? Name two specific types of attacks it mitigates.
  • Q: Explain the difference between rate limiting by IP Address versus rate limiting by API Key, and the pros/cons of each.
  • Q: What headers should a well-designed API include in every response to help clients manage their request rates?

15. FAQs

Q: Does rate limiting stop DDoS attacks? A: It helps, but massive Distributed Denial of Service (DDoS) attacks will overwhelm your server before your PHP script even gets a chance to run. True DDoS protection must happen at the network level using services like Cloudflare or AWS Shield.

16. Summary

In Chapter 25, we learned how to protect our servers from abuse and overload by implementing Rate Limiting. We explored how to count requests over a time window, the standard 429 Too Many Requests status code, and the crucial X-RateLimit HTTP headers. Proper throttling ensures your API remains stable, fast, and fair for all users.

17. Next Chapter Recommendation

Your API is now built, secured, and rate-limited. But how do frontend developers know how to use it? You need documentation. Proceed to Chapter 26: API Documentation with Swagger/OpenAPI to learn the industry standard for documenting REST endpoints.

Finish this Chapter

Save your progress on your learning path and prepare for coding interview challenges.

Previous Chapter REST API Security Best Practices
Next Chapter API Documentation with Swagger/OpenAPI

Discussion

Join the discussion

Log in or create a free account to participate.

Sort: ·

Explore More

📖 Related Tutorials 4

Related Quizzes 5