
Flask-Limiter for rate limiting

Introduction

Flask-Limiter helps you control how many times users can use your web app in a short time. This stops too many requests that can slow down or break your app.

You want to stop users from sending too many requests too fast, like spamming a form.
You want to protect your app from being overloaded by too many visitors at once.
You want to limit API calls so users don't use more than allowed.
You want to prevent abuse or attacks by controlling request speed.
You want to give fair access to all users by limiting request rates.
Syntax
Flask
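from flask import Flask
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)

# Pass key_func and app by keyword: Flask-Limiter 3.x no longer accepts app as the first positional argument
limiter = Limiter(
    key_func=get_remote_address,
    app=app,
    default_limits=["5 per minute"]
)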

@app.route("/some_path")
@limiter.limit("10 per hour")
def some_function():
    return "Hello!"

key_func tells Flask-Limiter how to identify users, usually by IP address.

You can set default_limits for all routes or use @limiter.limit to set limits per route.

Examples
This sets a default limit of 10 requests per minute for all routes, but the /api route has a stricter limit of 3 requests per second.
Flask
limiter = Limiter(key_func=get_remote_address, app=app, default_limits=["10 per minute"])

@app.route("/api")
@limiter.limit("3 per second")
def api():
    return "API response"
This limits the login page to 5 requests per minute to help prevent brute-force attacks.
Flask
@app.route("/login")
@limiter.limit("5 per minute")
def login():
    return "Login page"
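This example uses a fixed key function (a constant standing in for a user ID) to limit requests based on that key instead of the IP address. Because the key is the same for every request, all clients share one counter; a real app would return the ID of the authenticated user.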
Flask
limiter = Limiter(key_func=lambda: "user123", app=app, default_limits=["100 per day"])

@app.route("/dashboard")
def dashboard():
    return "User dashboard"
Sample Program

This Flask app limits all routes to 3 requests per minute by default. The /fast route is stricter and allows only 1 request every 10 seconds per user IP.

Flask
from flask import Flask
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)

limiter = Limiter(
    key_func=get_remote_address,
    app=app,
    default_limits=["3 per minute"]
)

@app.route("/")
def home():
    return "Welcome to the home page!"

@app.route("/fast")
@limiter.limit("1 per 10 seconds")
def fast():
    return "This route is limited to 1 request every 10 seconds."

if __name__ == "__main__":
    app.run(debug=True)  # debug mode is for local development only
Important Notes

Flask-Limiter automatically returns an HTTP 429 (Too Many Requests) response when the limit is exceeded.

You can customize the error message or handle it with Flask error handlers.

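Choose key_func carefully so that it identifies clients correctly (IP address, user ID, etc.). get_remote_address uses the address of the direct connection, so behind a reverse proxy every client appears as the proxy's IP unless the app is set up to trust the proxy's forwarded headers (for example with Werkzeug's ProxyFix).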

Summary

Flask-Limiter helps protect your app by limiting how often users can make requests.

You can set limits globally or per route using simple decorators.

It uses a key function to identify users, usually by IP address.