Rate limiting for protection in Flask

Introduction

Rate limiting helps stop too many requests from one user or computer. It protects your app from being overloaded or attacked.

When you want to stop users from sending too many requests in a short time.
To protect your website from bots or attackers trying to overload it.
When you want to make sure your server stays fast and reliable for everyone.
To limit how often an API can be called by one user or app.
When you want to prevent abuse like spamming or brute force login attempts.
Syntax
Flask
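from flask import Flask
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)

# Pass app and key_func by keyword: Flask-Limiter 3.x takes key_func as its
# first positional argument, so Limiter(app, key_func=...) raises a TypeError there.
limiter = Limiter(
    key_func=get_remote_address,     # identify each client by IP address
    app=app,
    default_limits=["5 per minute"]  # applies to routes without their own limit
)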

@app.route("/some_route")
@limiter.limit("10 per hour")
def some_route():
    return "Hello!"

Use Limiter to set rules for how many requests are allowed.

key_func decides how to identify users, usually by IP address.
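
A proxy-aware way to pick the key, as an added example that is not part of the original page or of Flask-Limiter: get_remote_address keys on request.remote_addr, which behind a reverse proxy is the proxy's own address, so this version honours X-Forwarded-For only when the peer is a trusted proxy. It goes beyond the page's single-server case; TRUSTED_PROXIES, client_key and FixedWindow are hypothetical names and all addresses are constructed sample values.

```python
import ipaddress
import time

# Assumption: only these reverse proxies may set X-Forwarded-For (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _trusted(addr):
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)


def client_key(remote_addr, x_forwarded_for=None):
    """Return the address to rate-limit on.

    The header is honoured only when the TCP peer is a trusted proxy. Walking
    it right to left, the first hop that is not a trusted proxy is the client.
    """
    if not x_forwarded_for or not _trusted(remote_addr):
        return remote_addr
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            if not _trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: fall back to the peer address
    return remote_addr


class FixedWindow:
    """Stand-in counter for a rule such as "5 per minute": FixedWindow(5, 60)."""

    def __init__(self, limit, seconds, clock=time.monotonic):
        self.limit, self.seconds, self.clock = limit, seconds, clock
        self.buckets = {}  # key -> (window_start, count)

    def allow(self, key):
        now = self.clock()
        start, count = self.buckets.get(key, (now, 0))
        if now - start >= self.seconds:  # window elapsed: the counter resets
            start, count = now, 0
        self.buckets[key] = (start, count + 1)
        return count < self.limit

# Assumed Flask wiring (inside a request context):
# key_func=lambda: client_key(request.remote_addr,
#                             request.headers.get("X-Forwarded-For"))
```
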

Examples
Set a default limit of 100 requests per day for all routes.
Flask
limiter = Limiter(key_func=get_remote_address, app=app, default_limits=["100 per day"])
Limit the login page to 5 requests per minute to prevent brute force attacks.
Flask
@app.route("/login")
@limiter.limit("5 per minute")
def login():
    return "Login page"
Limit API calls to 20 per hour per user. With get_remote_address as the key_func, each user is identified by IP address.
Flask
@app.route("/api/data")
@limiter.limit("20 per hour")
def api_data():
    return "API data"
Sample Program

This Flask app has two routes. The home page uses the default limit of 3 requests per minute. The /limited page allows only 2 requests per minute per user IP. If a user sends more requests, they are blocked temporarily: Flask-Limiter answers with HTTP 429 (Too Many Requests) until the time window passes.

Flask
from flask import Flask
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)

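# Keyword arguments work on Flask-Limiter 3.x, where key_func is the first
# positional parameter and Limiter(app, key_func=...) raises a TypeError.
limiter = Limiter(
    key_func=get_remote_address,
    app=app,
    default_limits=["3 per minute"]
)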

@app.route("/")
def home():
    return "Welcome to the home page!"

@app.route("/limited")
@limiter.limit("2 per minute")
def limited():
    return "This page is rate limited to 2 requests per minute."

if __name__ == "__main__":
    # debug=True turns on the Werkzeug interactive debugger: local development only.
    app.run(debug=True)
Important Notes

Make sure to install Flask-Limiter with pip install flask-limiter.

Rate limits reset after the time window (like 1 minute) passes.

You can customize the error message or response when limits are exceeded.

Summary

Rate limiting controls how many requests a user can make in a time period.

It helps protect your app from overload and abuse.

Flask-Limiter is an easy way to add rate limiting to Flask apps.