
Rate limiting in Laravel

Introduction

Rate limiting controls how many requests a user or system can make within a short time window. It prevents overload and keeps apps running smoothly.

To stop users from sending too many requests and slowing down your app.
To protect login pages from too many attempts and possible hacking.
To limit API calls so your service stays fast and fair for everyone.
To avoid extra costs from too many requests to third-party services.
To keep your server safe during traffic spikes or attacks.
Syntax
Laravel
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Cache\RateLimiting\Limit;

RateLimiter::for('key', function (\Illuminate\Http\Request $request) {
    return Limit::perMinute(10);
});

Use RateLimiter::for to define limits by a key name.

Limit::perMinute(10) means max 10 requests per minute.

Examples
Limits login attempts to 5 per minute per IP address.
Laravel
use Illuminate\Http\Request;
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Support\Facades\RateLimiter;

RateLimiter::for('login', function (Request $request) {
    return Limit::perMinute(5)->by($request->ip());
});
Limits API calls to 60 per minute per user ID, or per IP address if the user is not logged in.
Laravel
use Illuminate\Http\Request;
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Support\Facades\RateLimiter;

RateLimiter::for('api', function (Request $request) {
    return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
});
Sets a global limit of 100 requests per minute without user distinction.
Laravel
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Support\Facades\RateLimiter;

RateLimiter::for('global', function () {
    return Limit::perMinute(100);
});
Sample Program

This example sets a rate limit of 5 login attempts per minute per IP address. If a user tries more, Laravel will block extra requests automatically.

The route uses the throttle:login middleware to apply the limit.

Laravel
<?php

namespace App\Providers;

use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Cache\RateLimiting\Limit;

class RouteServiceProvider extends ServiceProvider
{
    public function boot()
    {
        RateLimiter::for('login', function (Request $request) {
            return Limit::perMinute(5)->by($request->ip());
        });
    }
}

// In routes/web.php (a separate file from the provider above)

use Illuminate\Support\Facades\Route;

Route::middleware(['throttle:login'])->group(function () {
    Route::post('/login', function () {
        return 'Login attempt accepted';
    });
});
Important Notes

Laravel automatically sends a 429 (Too Many Requests) status code if the limit is exceeded.

You can customize the response by handling exceptions or using custom middleware.

Use meaningful keys for limits to organize different rate rules.
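
The sample program keys the login limit on IP address alone, and the notes above mention customizing the 429 response. The following added example (not part of the original page) returns two limits from one limiter, one per client address and one per targeted account, and attaches a custom JSON response. The `email` field name and the per-account value of 5 per minute are assumptions.

```php
<?php
// Added example, not from the original page.
// Assumption: the login form posts the account identifier in an "email" field.

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Str;

// Place this inside RouteServiceProvider::boot(), replacing the IP-only limiter.
RateLimiter::for('login', function (Request $request) {
    // Normalise the identifier so " User@Example.com" and "user@example.com"
    // count against the same bucket.
    $account = Str::lower(trim((string) $request->input('email')));

    // Same JSON body whichever limit trips. $headers is supplied by the
    // throttle middleware and carries Retry-After and X-RateLimit-* values.
    $tooMany = function (Request $request, array $headers) {
        return response()->json(
            ['message' => 'Too many login attempts. Try again later.'],
            429,
            $headers
        );
    };

    // Per-client limit: one address trying many accounts.
    // The "ip:" / "account:" prefixes keep the two buckets from colliding.
    $limits = [
        Limit::perMinute(5)->by('ip:' . $request->ip())->response($tooMany),
    ];

    // Per-account limit: many addresses trying one account.
    // Skipped when no identifier was sent, so empty requests do not all
    // share a single "account:" bucket.
    if ($account !== '') {
        $limits[] = Limit::perMinute(5)->by('account:' . $account)->response($tooMany);
    }

    return $limits;
});
```

When the app sits behind a load balancer or reverse proxy, `$request->ip()` returns the proxy's address unless trusted proxies are configured, which would put every client in one bucket. The route definition with `throttle:login` stays the same as in the sample program.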

Summary

Rate limiting controls how often users can make requests to keep apps stable.

Laravel uses RateLimiter::for to define limits by keys.

Apply limits with middleware like throttle:key on routes.