When you're building modern web applications, keeping your system secure and performing well should be your top priority. One of Laravel's standout features that helps achieve both goals is Rate Limiting. This powerful tool lets you control exactly how many requests users can make to your application within specific time periods.
What is Rate Limiting?
Rate Limiting (also called Rate Limiter) is a mechanism that controls the number of HTTP requests a user or IP address can make to specific endpoints within a certain timeframe. The main goals are preventing resource abuse, protecting your application from cyber attacks like brute-force attempts, and keeping your server performance optimal.
Laravel 12 takes Rate Limiting to the next level with enhanced flexibility, including support for per-second request limits - not just the per-minute restrictions from previous versions.
How Rate Limiting Works Behind the Scenes
Laravel 12 provides a built-in middleware called throttle that makes implementing Rate Limiting incredibly straightforward. This middleware lets you define request limits and time periods with a simple, clean approach. Here's how rate limiting operates in Laravel:
Laravel can apply Rate Limiting based on IP addresses, user IDs, or custom combinations. You set the maximum number of allowed requests within a specific time window - for example, 60 requests per minute. Laravel uses your application's cache system to track request counts and expiration times. When users exceed the request limit, Laravel automatically returns an HTTP 429 (Too Many Requests) response.
Implementing Rate Limiting in Laravel 12
Here's how to get Rate Limiting working in Laravel 12:
- Throttle Middleware
The simplest approach is using the throttle middleware directly on your routes.
Route::post('/login-process', [LoginController::class, 'process'])->middleware('throttle:10,1');
// group route
Route::middleware('throttle:10,1')->group(function () {
// Routes
});
This code limits HTTP requests for login to 10 requests per minute.
- Custom Rate Limiter
When you need more customization for your Rate Limiter, you can create custom configurations through /bootstrap/app.php or AppServiceProvider.php in the boot method.
bootstrap/app.php
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Support\Facades\RateLimiter;
return Application::configure(basePath: dirname(__DIR__))
->withRouting(
web: __DIR__.'/../routes/web.php',
api: __DIR__.'/../routes/api.php',
apiPrefix: '/api', // set prefix api routes
then: function () {
RateLimiter::for('api', function (Request $request) {
return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
});
}
)
->create();
AppServiceProvider.php
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
public function boot(): void
{
RateLimiter::for('api', function (Request $request) {
return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
});
}
Then define it in your route middleware.
use Illuminate\Support\Facades\Route;
Route::middleware('throttle:api')->group(function () {
// Routes
});
All routes starting with /api will be limited to 60 requests per minute based on user ID or IP address.
- Custom Error Messages
When users exceed request limits, they'll get a 429 Too Many Requests response. You can customize this error message in /bootstrap/app.php.
use Illuminate\RateLimiting\TooManyRequestsException;
return Application::configure(basePath: dirname(__DIR__))
->withRouting(
web: __DIR__.'/../routes/web.php',
api: __DIR__.'/../routes/api.php',
apiPrefix: '/api', // set prefix api routes
then: function () {
RateLimiter::for('api', function (Request $request) {
return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
});
}
)
->withMiddleware()
->withExceptions(function (Exceptions $exceptions) {
$exceptions->render(function (TooManyRequestsException $e) {
return response()->json([
'message' => 'Rate limit reached. Please wait a moment before trying again.'
], 429);
});
})
->create();
Best Practices for Rate Limiting
To make your Rate Limiting implementation effective, follow these essential tips :
Set appropriate request limits based on endpoint types. For instance, login endpoints might need stricter limits (like 10 requests per minute) compared to public API endpoints. Use Redis for better scalability - Redis is perfect for storing rate limiting data because of its speed and efficiency.
Make sure your error messages are clear and user-friendly, so people know when they can try again. Use monitoring tools like Laravel Telescope or server logs to watch request patterns and adjust your rate limiting configuration as needed.
Related Laravel Telescope Article You can learn more about monitoring your applications with Laravel Telescope:
Laravel Telescope: Monitor, Debug, And Improve Your Laravel APP with Easily.
Wrapping Up
Rate Limiting in Laravel 12 is an incredibly powerful feature for maintaining security and performance in your applications. With the throttle middleware and RateLimiter API, you can easily configure request limits to match your needs - from simple restrictions to complex custom configurations. This feature isn't just easy to implement; it also makes a huge difference in protecting your applications from cyber attacks and ensuring users have an optimal experience.
The enhanced capabilities in Laravel 12, including per-second limiting and improved flexibility, give you the tools to build robust, secure applications that can handle real-world traffic patterns while staying protected from abuse.
Thanks for reading!
