Client-based rate limiting
Rate limiting is a strategy to control the number of messages (e.g. HTTP requests) that a client can send to a server in a given time period. For example, you could specify that a client can send up to 100 messages per minute.
Application layer reverse proxies often support this based solely on the client’s IP address. We recommend combining that IP address-based rate limiting with one based on the client identifier (e.g. email address, username), for the following reasons:
- Multiple users could share the same IP address.
- Malicious users could use residential proxies to switch IP addresses easily.
Many API gateways support this kind of rate limiting out-of-the-box and can enforce it after authentication, but it can also be implemented in the application itself by integrating third party libraries (e.g. rate-limiter-flexible in Node.js).
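The combined check described above, as an added example that is not part of this page and does not use rate-limiter-flexible: a small fixed-window limiter keyed on both the source IP and the authenticated client identifier, run over a constructed batch of messages from one account rotating through many source addresses. The class and function names, the limits (100 per IP, 20 per client, per minute) and the sample traffic are assumptions.

```javascript
// Added example (not from the page): a fixed-window limiter keyed on both the
// source IP and the authenticated client identifier. Names, limits and the
// traffic below are assumptions chosen for illustration.
class RateLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;        // max messages per key per window
    this.windowMs = windowMs;  // window length in milliseconds
    this.buckets = new Map();  // key -> { windowStart, count }
  }
  // Count one message for `key` at time `now` (ms); true while within the limit.
  consume(key, now) {
    const windowStart = now - (now % this.windowMs);
    let bucket = this.buckets.get(key);
    if (!bucket || bucket.windowStart !== windowStart) {
      bucket = { windowStart, count: 0 }; // first message of a new window
      this.buckets.set(key, bucket);
    }
    bucket.count += 1;
    return bucket.count <= this.limit;
  }
}
// Build a guard that applies the IP limit to every request and, once the
// client is authenticated (userId known), the per-client limit as well.
function createRequestGuard({ ipLimit, userLimit, windowMs }) {
  const ipLimiter = new RateLimiter(ipLimit, windowMs);
  const userLimiter = new RateLimiter(userLimit, windowMs);
  return function allowRequest(ip, userId, now) {
    if (!ipLimiter.consume(`ip:${ip}`, now)) {
      return { allowed: false, reason: 'ip' };
    }
    if (userId !== null && !userLimiter.consume(`user:${userId}`, now)) {
      return { allowed: false, reason: 'user' };
    }
    return { allowed: true, reason: null };
  };
}
// Helper: how many of a batch of requests (all at time `now`) get through.
function countAllowed(requests, guard, now = 0) {
  return requests.filter((r) => guard(r.ip, r.userId, now).allowed).length;
}
// Constructed traffic: one account sending 25 messages within a minute, each
// from a different source address. An IP-only limit lets all 25 through;
// the per-client key caps the account at 20.
const rotating = Array.from({ length: 25 }, (_, i) => ({
  ip: `203.0.113.${i + 1}`,
  userId: 'client-42',
}));
const guard = createRequestGuard({ ipLimit: 100, userLimit: 20, windowMs: 60000 });
console.log(countAllowed(rotating, guard)); // 20
```

Because the per-client key is only known after authentication, unauthenticated traffic is still governed by the IP key alone, which is why both limits are kept rather than replacing one with the other.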