DNS & Network
Rate Limiting
Rate limiting controls how many requests a client (an authenticated user, an API key, or a source IP address) can make to an API or web application within a given time window, protecting against brute-force attacks, credential stuffing, scraping, and denial of service. It is commonly implemented at the API gateway, WAF, or application layer using sliding window or token bucket algorithms. The standard response when a limit is exceeded is HTTP 429 (Too Many Requests) with a Retry-After header telling the client when it may try again. Keying limits on source IP alone is a weak control: many legitimate users share one NAT address, and attackers spread credential-stuffing runs across many IPs, so authentication endpoints should also be limited per account. Rate limiting on authentication endpoints supports PCI DSS requirements to limit repeated invalid login attempts and is a control commonly examined in SOC 2 audits.
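The token bucket algorithm and the 429 response described above, as an added example that is not part of the original page. Each client key gets a bucket of `capacity` tokens refilled at `rate` tokens per second; a request spends one token, and when the bucket is empty the handler returns 429 with a Retry-After computed from the token deficit. The class and function names (`TokenBucketLimiter`, `client_key`, `handle`, `FakeClock`) and the sample request are illustrative assumptions; the clock is injectable so the demo is deterministic.

```python
# Added example: token-bucket rate limiter keyed per client, returning
# HTTP 429 with Retry-After when the bucket is empty. Not code from the
# original page; all names and the sample request are constructed.
import math
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float  # tokens currently available
    last: float    # clock reading at the last refill


class TokenBucketLimiter:
    """Each key gets `capacity` tokens refilled at `rate` tokens/second.

    A request costs one token, so a burst of up to `capacity` requests
    passes immediately; after that the sustained rate is bounded by `rate`.
    """

    def __init__(self, capacity: int, rate: float, clock=time.monotonic):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock  # injectable so tests can control time
        self._buckets: dict[str, Bucket] = {}

    def check(self, key: str, cost: int = 1) -> tuple[bool, int]:
        """Return (allowed, retry_after_seconds)."""
        now = self.clock()
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = Bucket(tokens=float(self.capacity), last=now)
            self._buckets[key] = bucket
        # Lazy refill: credit tokens for the time elapsed since the last check.
        bucket.tokens = min(self.capacity,
                            bucket.tokens + (now - bucket.last) * self.rate)
        bucket.last = now
        if bucket.tokens >= cost:
            bucket.tokens -= cost
            return True, 0
        # Seconds until enough tokens accrue; round up so Retry-After is honest.
        deficit = cost - bucket.tokens
        return False, math.ceil(deficit / self.rate)


def client_key(request: dict, trusted_proxy: bool) -> str:
    """Key on the authenticated user when known, otherwise on the source IP.

    Only honour X-Forwarded-For when the request came through a proxy we
    control: the rightmost entry was appended by that proxy and is the
    address that connected to it; earlier entries are client-supplied.
    """
    if request.get("user_id"):
        return f"user:{request['user_id']}"
    ip = request["remote_addr"]
    if trusted_proxy and request.get("x_forwarded_for"):
        ip = request["x_forwarded_for"].split(",")[-1].strip()
    return f"ip:{ip}"


def handle(limiter: TokenBucketLimiter, request: dict,
           trusted_proxy: bool = False) -> dict:
    """Minimal handler: 200 when allowed, 429 plus Retry-After when not."""
    allowed, retry_after = limiter.check(client_key(request, trusted_proxy))
    if allowed:
        return {"status": 200, "headers": {}}
    return {"status": 429, "headers": {"Retry-After": str(retry_after)}}


class FakeClock:
    """Manually advanced clock so the demo below is deterministic."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> list[int]:
    """Login endpoint limited to a burst of 5, then 1 request/second."""
    clock = FakeClock()
    limiter = TokenBucketLimiter(capacity=5, rate=1.0, clock=clock)
    req = {"remote_addr": "203.0.113.7"}  # constructed sample request
    statuses = [handle(limiter, req)["status"] for _ in range(7)]  # 5x200, 2x429
    clock.advance(3)                                               # 3 tokens refill
    statuses += [handle(limiter, req)["status"] for _ in range(4)]  # 3x200, 1x429
    return statuses


if __name__ == "__main__":
    print(demo())
```

In production the bucket state lives in a shared store (for example Redis) rather than a per-process dict, so that limits hold across gateway replicas; the refill arithmetic is the same.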
Why it matters for your website
- Without rate limits, attackers can brute-force or credential-stuff your login endpoints, scrape your content in bulk, or flood your servers, leading to account takeover and service disruption
- Often discovered and exploited before organizations notice
- Preventable with limits enforced at the API gateway, WAF, or application layer that return HTTP 429 with a Retry-After header, combined with monitoring of failed logins and 429 rates