After this lesson, you will be able to: Implement rate limiting (token bucket, sliding window, fixed window) and communicate limits to clients.
Rate limiting protects your server from abuse + accidental traffic spikes. Production APIs always have it; clients always need to handle it gracefully.
Prevent abuse (scraping, brute force, DoS). Enforce paid tiers (free: 100/hr, pro: 10k/hr). Protect backend services from spikes that would otherwise cascade. Industry standard: every modern public API rate limits.
Fixed window: 'max 60 per minute'. Resets at minute boundary. Simple; burst at boundary risk. Sliding window: counts requests in the last 60 seconds, continuously. Smoother; more memory. Token bucket: refill at N tokens/sec, bucket holds M; spend a token per request. Allows bursts. Leaky bucket: queue of fixed size; process at constant rate. Smooths out bursts.
Standard rate-limit response headers.
// On every responseX-RateLimit-Limit: 60 // your maxX-RateLimit-Remaining: 42 // how many you have leftX-RateLimit-Reset: 1716781200 // unix time when the window resets// IETF standard (newer; RFC 9331)RateLimit-Limit: 60RateLimit-Remaining: 42RateLimit-Reset: 60 // seconds until reset// When client exceeds:HTTP/1.1 429 Too Many RequestsRetry-After: 30 // wait 30 seconds{ "error": "RateLimitExceeded", "message": "Slow down, try again in 30s." }
Production-ready pattern.
// Sorted set per identity + 60-sec windowconst window = 60_000; // msconst max = 60;async function check(ip: string): Promise<{ ok: boolean; remaining: number; resetAt: number }> {const now = Date.now();const key = `ratelimit:${ip}`;const pipeline = redis.multi();pipeline.zremrangebyscore(key, 0, now - window);pipeline.zadd(key, now, `${now}-${Math.random()}`);pipeline.zcard(key);pipeline.expire(key, 60);const [, , count] = await pipeline.exec();const remaining = Math.max(0, max - count);return { ok: count <= max, remaining, resetAt: now + window };}
Per-IP only (multiple users behind NAT get throttled together). No Retry-After header (clients keep hammering). Forgetting to rate-limit auth endpoints (brute-force attacks). Limiting AFTER doing expensive work (defeats the point, limit FIRST).
Sign in and purchase access to unlock this lesson.