API Rate Limiting
Rate limiting protects your API from:
- brute-force login attacks (credential guessing and credential stuffing)
- abusive clients
- accidental traffic spikes
Flask-Limiter
A popular extension is Flask-Limiter.
Install:
pip install Flask-Limiter
Basic usage (example)
from flask import Flask
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)

# Key requests by client IP. Behind a reverse proxy, get_remote_address
# returns the proxy's address unless the app is configured to trust
# X-Forwarded-For (e.g. werkzeug's ProxyFix), so check this before relying
# on per-IP limits in production.
limiter = Limiter(
    get_remote_address,
    app=app,
    default_limits=["200 per day", "50 per hour"],
    storage_uri="memory://",  # in-process counters; see the production note below
)


@app.get("/api/status")
@limiter.limit("10 per minute")  # route-specific limit; it replaces the defaults for this route unless override_defaults=False is passed
def status():
    return {"status": "ok"}


if __name__ == "__main__":
    app.run()
Choosing limits
Good limits depend on:
- endpoint type (login and other authentication endpoints should be much tighter, and keyed on more than the client IP, e.g. IP plus the targeted username)
- expected client behavior
- whether the endpoint is expensive (DB-heavy)
Production note
The default in-memory storage keeps a separate counter in every process, so a client that is spread across N instances effectively gets N times the configured limit. For multi-instance deployments, point Flask-Limiter at shared storage (for example storage_uri="redis://redis-host:6379") so the same counter is enforced by every instance.
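The two points above (tighter, differently keyed limits for login; counters that are only consistent when the store is shared) can be seen in a self-contained model. The following is an added example written for this page, not Flask-Limiter's code or API: it implements fixed-window counters with Redis-style INCR + EXPIRE semantics in plain Python, and the endpoint policies, key functions and client addresses are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Policy:
    """A limit in the "N per <unit>" shape, e.g. 10 requests per 60 s."""
    limit: int
    window_seconds: int


def parse_limit(spec: str) -> Policy:
    """Parse a small subset of the limit grammar: "10 per minute", "200 per day"."""
    units = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
    count, per, unit = spec.split()
    if per != "per":
        raise ValueError(f"bad limit spec: {spec!r}")
    return Policy(int(count), units[unit.rstrip("s")])


class CounterStore:
    """Fixed-window counters with Redis-like INCR + EXPIRE semantics.

    One instance stands in for one process's memory; pass the same instance
    to several limiters to model a shared Redis.
    """

    def __init__(self) -> None:
        self._counts: Dict[str, Tuple[int, float]] = {}  # key -> (count, expires_at)

    def incr(self, key: str, ttl: int, now: float) -> int:
        count, expires_at = self._counts.get(key, (0, now + ttl))
        if now >= expires_at:  # window elapsed: start a fresh one
            count, expires_at = 0, now + ttl
        count += 1
        self._counts[key] = (count, expires_at)
        return count


Request = Dict[str, str]


def by_ip(req: Request) -> str:
    return req["ip"]


def by_ip_and_user(req: Request) -> str:
    # Login is keyed on IP *and* targeted account: one attacker's lockout does
    # not block other users behind the same NAT, and a distributed attacker
    # still hits the per-account ceiling.
    return f"{req['ip']}:{req['username']}"


# Hypothetical per-endpoint policies (illustration only, not a Flask-Limiter API).
POLICIES: Dict[str, List[Tuple[str, Callable[[Request], str]]]] = {
    "/api/status": [("10 per minute", by_ip)],
    "/login": [("5 per minute", by_ip_and_user), ("50 per day", by_ip)],
}
DEFAULT_POLICIES = [("50 per hour", by_ip), ("200 per day", by_ip)]


class RateLimiter:
    """Evaluate every policy for an endpoint against a store; deny if any is exceeded."""

    def __init__(self, store: CounterStore) -> None:
        self.store = store

    def allow(self, endpoint: str, req: Request, now: float) -> bool:
        allowed = True
        for spec, key_func in POLICIES.get(endpoint, DEFAULT_POLICIES):
            policy = parse_limit(spec)
            key = f"{endpoint}|{spec}|{key_func(req)}"
            # Rejected requests are counted too: a brute-forcer gets no free
            # attempts just because the previous ones were refused.
            if self.store.incr(key, policy.window_seconds, now) > policy.limit:
                allowed = False
        return allowed


def simulate(stores: List[CounterStore], n_requests: int, endpoint: str,
             req: Request, now: float = 0.0) -> int:
    """Send n_requests round-robin across one limiter per store; return how many pass."""
    limiters = [RateLimiter(s) for s in stores]
    return sum(1 for i in range(n_requests)
               if limiters[i % len(limiters)].allow(endpoint, req, now))


if __name__ == "__main__":
    client = {"ip": "203.0.113.7"}  # constructed sample client
    shared = CounterStore()
    print("1 instance:", simulate([CounterStore()], 25, "/api/status", client))
    print("2 instances, separate memory:",
          simulate([CounterStore(), CounterStore()], 25, "/api/status", client))
    print("2 instances, shared store:",
          simulate([shared, shared], 25, "/api/status", client))
```

With two instances that each keep their own memory, the same client gets 20 of 25 requests through at a "10 per minute" limit; with one shared store it gets exactly 10. Fixed windows also admit up to twice the limit across a window boundary (10 at the end of one minute, 10 more at the start of the next), which is why Flask-Limiter offers a strategy setting ("fixed-window" versus "moving-window") in addition to the storage choice.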