I need rate limiting for my REST API. Currently I just need a rate limit based on the URL prefix, e.g. a URL with tps/xxx will need a rate limit of 10 times in 1 minute. I may need to add more rules later.
I see the Laravel documentation explains RateLimiter,
but I also see it mentions the ThrottleRequests
middleware. After further checking the source code I see the ThrottleRequests constructor injects RateLimiter:
```php
/**
 * Create a new request throttler.
 *
 * @param \Illuminate\Cache\RateLimiter $limiter
 * @return void
 */
public function __construct(RateLimiter $limiter)
{
    $this->limiter = $limiter;
}
```
But it is still unclear to me what these two classes' use cases are and when to use which?
For my use case based on URL prefix, which one should I use?
2 Answers
When working with Laravel, understanding the difference between throttle, RateLimiter, and ThrottleRequests is crucial for effective rate limiting in your application.

Throttle:
The throttle middleware is a general-purpose middleware that you can use to throttle various aspects of your application.
It allows you to set the maximum number of requests that can be made in a given time period.
You can use it in your routes or controllers to limit the rate at which users can access certain resources.
In this example, it allows 60 requests per minute.
RateLimiter:
Rate limiting is critical for protecting app or website resources from excessive or improper use. Whether a result of malicious human intervention, bot-based attacks, or an overlooked vulnerability, resource misuse can interfere with legitimate access to your application and introduce severe vulnerabilities.
Laravel's RateLimiter is a more low-level tool that allows you to manage rate limiting programmatically. It provides a set of methods to manage and check the rate limits.
Example:
This allows you to have fine-grained control over rate limiting logic.
ThrottleRequests:
ThrottleRequests is a trait that you can use in your controllers to apply rate limiting on specific controller actions.
It provides an easy way to apply rate limiting to specific methods within your controllers.
This is useful when you want to apply rate limiting only to specific actions.
Use the throttle middleware when you want a quick and easy way to apply rate limiting to your routes.
Use RateLimiter when you need more control over rate limiting and want to manage it programmatically.
Use ThrottleRequests when you want to apply rate limiting specifically to certain methods within your controllers.

RateLimiter:
RateLimiter is used for complex scenarios that require custom logic for calculating limits and handling responses. Like if you need to limit new users to 10 requests per day while regular users get 50 requests per day. You can even limit based on suspicious activity like too many downloads in a short time. You can do all the stuff with complex custom rules or you can create your own custom logic using RateLimiter. It's flexible, but takes time and effort.
ThrottleRequests:
Throttle is easier to use, with pre-built middleware and route annotations for common rate limiting scenarios. For URL limits, you should use throttle. It handles basic website traffic flow quickly and simply.
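Putting that advice into practice for the prefix-based case in the question, as an added example that is not from the question or either answer: a named limiter registered with RateLimiter::for whose limit depends on the first URL segment, applied to routes through the throttle middleware. It assumes Laravel 8 or newer, PHP 8, and that the provider class, the limiter name `prefix-limits` and the rule table are all my own choices.

```php
<?php
// Added example: one named limiter that looks up the request's URL prefix in a
// rule table, so new prefixes are added as data rather than new middleware.
// Register this provider (or put boot() in the app's RouteServiceProvider),
// then attach it to routes with:
//   Route::middleware('throttle:prefix-limits')->group(function () { ... });

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class RateLimitServiceProvider extends ServiceProvider
{
    /** Constructed rule table (assumption): first URL segment => [max attempts, decay minutes]. */
    private const PREFIX_LIMITS = [
        'tps'   => [10, 1],   // the question's case: 10 requests per minute
        'admin' => [30, 1],   // a second rule, to show how more are added later
    ];

    public function boot(): void
    {
        RateLimiter::for('prefix-limits', function (Request $request) {
            $prefix = $request->segment(1) ?? '';

            // Paths with no matching prefix are not limited by this limiter.
            if (! isset(self::PREFIX_LIMITS[$prefix])) {
                return Limit::none();
            }
            [$maxAttempts, $decayMinutes] = self::PREFIX_LIMITS[$prefix];

            // Bucket per prefix and per client: one client exhausting /tps
            // must not lock every other client out of the same prefix.
            $client = $request->user()?->getAuthIdentifier() ?? $request->ip();

            return Limit::perMinutes($decayMinutes, $maxAttempts)
                ->by($prefix.'|'.$client)
                // $headers carries Retry-After and X-RateLimit-* in Laravel 9+;
                // the default keeps the closure valid on Laravel 8.
                ->response(function (Request $request, array $headers = []) {
                    return response()->json(['message' => 'Too many requests'], 429, $headers);
                });
        });
    }
}
```

A `GET /tps/anything` from one client is accepted ten times per minute and then answered with 429 until the window decays, while `GET /health` passes through untouched.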