How to rate limit endpoint?

Generally how do people rate limit endpoints? Do you use a library or use your own code?

Libraries are IMO good enough f.ex. Hammer.Plug.

4 Likes

I guess limiting in app might be well suited when the rationale is only about “functional” limiting (I mean e.g. because of a pricing tier)…

Otherwise, for performance or security reasons (like preventing DDoS or usage abuse) I wonder if it’s not an infrastructure concern outside of the “application” server?

Although I don’t have any clue which kind of software/tool is common in that area… Maybe load balancers have this option?

PS: My comment is more a way to discover this DevOps topic and follow the discussion…

Sure, you can do this with nginx, Caddy and Traefik and likely others (maybe fail2ban as well?) but I think that’s multi-layered security: your load balancer is more about making sure your traffic is not malicious i.e. directly bombarding you with 1_000 req/sec which should result in an almost immediate ban for the offending IP.

Whereas app-level rate limiter is more like “you are legit but don’t push it”. :smiley:

2 Likes
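The two layers discussed in this thread, as an added example that is not from any poster and is not Hammer's implementation: a coarse per-IP flood check followed by a per-account quota tied to a pricing tier, both built on one fixed-window counter in ETS. The module name, tier names and limits are assumptions made for illustration.

```elixir
# Added illustration, not Hammer's code: fixed-window counters kept in ETS.
defmodule RateLimitSketch do
  @table :rate_limit_sketch
  # Assumed limits, constructed for this example.
  @ip_flood_per_sec 1_000
  @tier_per_min %{free: 3, paid: 60}

  def init do
    :ets.new(@table, [:named_table, :public, :set, write_concurrency: true])
    :ok
  end

  # Atomically counts one hit for `key` in the window that contains `now_ms`.
  # Returns {:allow, count} or {:deny, ms_until_next_window}.
  # Old {key, window} rows are never deleted here; a real limiter needs a sweep.
  def hit(key, limit, window_ms, now_ms) do
    window = Integer.floor_div(now_ms, window_ms)
    count = :ets.update_counter(@table, {key, window}, {2, 1}, {{key, window}, 0})

    if count <= limit do
      {:allow, count}
    else
      {:deny, (window + 1) * window_ms - now_ms}
    end
  end

  # Layer 1: per-IP flood check (the job the thread gives to the load balancer).
  # Layer 2: per-account quota by pricing tier (the in-app "functional" limit).
  def decide(ip, account, tier, now_ms \\ System.monotonic_time(:millisecond)) do
    case hit({:ip, ip}, @ip_flood_per_sec, 1_000, now_ms) do
      {:deny, _} ->
        {:reject, :ip_flood}

      {:allow, _} ->
        case hit({:acct, account}, Map.fetch!(@tier_per_min, tier), 60_000, now_ms) do
          {:allow, used} -> {:ok, used}
          {:deny, retry_ms} -> {:throttle, retry_ms}
        end
    end
  end
end

RateLimitSketch.init()
# Constructed input: five requests from one free-tier account within one minute.
for n <- 1..5 do
  IO.inspect(RateLimitSketch.decide("203.0.113.7", "acct-1", :free, 60_000 + n))
end
```

A `{:throttle, retry_ms}` result maps naturally to an HTTP 429 with a `Retry-After` header, while `{:reject, :ip_flood}` is the case better handled before the request reaches the application.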