How to implement Rate Limiting in Laravel

Limiting the number of requests per minute an application accepts is often necessary to protect it against attacks that try to saturate the server or to brute force authentication forms. That is why Laravel ships with a rate limiting mechanism, which we will learn to use here.

There are two ways to implement rate limiting with Laravel:

  1. Using the rate limiter middleware: to throttle incoming HTTP requests before they reach the controller
  2. Using the rate limiting abstraction: to interact more finely with the rate limiter at the controller level

Get started

The throttle middleware protects routes against receiving too many HTTP requests by restricting access once a limit has been reached.

To get started, define the rate limiter configurations your application needs. For that, go to the App\Providers\RouteServiceProvider class and look at the definition of the configureRateLimiting() method.

<?php

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

class RouteServiceProvider extends ServiceProvider
{
    // ...

    public function boot(): void
    {
        $this->configureRateLimiting();
        // ...
    }

    /**
     * Configure the rate limiters for the application.
     */
    protected function configureRateLimiting(): void
    {
        // A named limiter; routes opt in with the throttle:global middleware.
        RateLimiter::for('global', function (Request $request) {
            return Limit::perMinute(1000);
        });
    }
}

In the above example, we have defined a rate limiter called global which limits access to the routes associated with it to 1000 requests per minute.

You can create as many configurations as you want, with the names you want. We could for example imagine having global, downloads and chat limiters to customise the limit depending on the routes.
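As an added example (not code from the original post), here is what a RouteServiceProvider defining several of those named limiters could look like. Each limiter is keyed on something meaningful to its purpose: the global one on the user id with the client IP as fallback, the downloads one with a custom 429 response, and a login limiter that stacks two limits for brute-force protection. The email-plus-IP key follows the convention Laravel Fortify uses; the nullsafe operator assumes PHP 8 (optional($request->user())->id works on older versions), and the limit values are illustrative.

```php
<?php

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Str;

class RouteServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        $this->configureRateLimiting();
        // ...
    }

    /**
     * Several named limiters; a route group selects one with throttle:<name>.
     */
    protected function configureRateLimiting(): void
    {
        // Broad protection against saturation: one bucket per user, falling
        // back to the client IP when nobody is logged in.
        RateLimiter::for('global', function (Request $request) {
            return Limit::perMinute(100)->by($request->user()?->id ?: $request->ip());
        });

        // Downloads are expensive, so the bucket is much smaller. A custom
        // response replaces the default 429 body while keeping the Retry-After
        // and X-RateLimit-* headers that Laravel computes.
        RateLimiter::for('downloads', function (Request $request) {
            return Limit::perMinute(5)
                ->by($request->user()?->id ?: $request->ip())
                ->response(function (Request $request, array $headers) {
                    return response()->json(
                        ['message' => 'Download limit reached, try again shortly.'],
                        429,
                        $headers
                    );
                });
        });

        // Brute-force protection for a login form. Returning an array applies
        // every limit; the request is rejected as soon as any one is exceeded.
        // Keying the per-account bucket on email AND IP means one source cannot
        // lock a victim out of their account from elsewhere, while the IP-wide
        // bucket caps how many accounts a single source can try.
        RateLimiter::for('login', function (Request $request) {
            $email = Str::lower((string) $request->input('email'));

            return [
                Limit::perMinute(5)->by($email . '|' . $request->ip()),
                Limit::perMinute(30)->by($request->ip()),
            ];
        });
    }
}
```

With these in place, a login route would be declared as Route::post('/login', ...)->middleware('throttle:login'); rejected requests receive a 429 response with a Retry-After header, which is what a client or a monitoring rule should key on.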

Once you have defined your rate limiters, you can apply them to the routes you want to rate limit using the throttle middleware, as follows:

<?php

use App\Http\Controllers\AlbumController;
use App\Http\Controllers\ProductController;
use App\Http\Controllers\ReportController;
use Illuminate\Support\Facades\Route;

// Every route in this group shares the "global" limiter.
Route::middleware(['throttle:global'])->group(function () {
    Route::get('/products', [ProductController::class, 'index']);
    Route::get('/products/{product}', [ProductController::class, 'show']);
    Route::post('/products', [ProductController::class, 'store']);
});

// Download routes get their own, stricter limiter.
Route::middleware(['throttle:downloads'])->group(function () {
    Route::get('/reports/{report}/download', [ReportController::class, 'download']);
    Route::get('/albums/{album}/download', [AlbumController::class, 'download']);
});

Each user will then only be able to access the associated routes 10 times per minute before being restricted.

What if we want to apply the rate limit to routes that don't necessarily require authentication? In that case $request->user() can be null, so it's a good idea to fall back on the IP address as well.

<?php

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

// Authenticated users are keyed on their id, anonymous ones on their IP.
RateLimiter::for('global', function (Request $request) {
    return $request->user()
        ? Limit::perMinute(100)->by($request->user()->id)
        : Limit::perMinute(20)->by($request->ip());
});

Authenticated users can now send 100 requests per minute while unauthenticated users can only send 20 requests per minute (their rate is associated with their IP address).
