How to setup rate limit for /api/

Local_App · April 14, 2021, 1:27pm

hi there, how to setup properly rate limit for /api/ i.e /api/posts/
I want to limit that POST method limited by IP 1 every 10 Second
Prevent Double Post/Spam

Gayrat · April 15, 2021, 6:01am

I think you can use strapi policies.
Each model has policies.
Policies are middleware - for example, you can check if a user is authorized.

P.S. If you deploy to VPS and use nginx as a reverse proxy - you can find this functionality in nginx

P.P.S you can see this beatufil strapi course :

Local_App · April 15, 2021, 11:51am

hi there thank you for recommended this, I have bought and learning strapi more, because I am launch strapi for my startup and this is my first project using strapi to my mobile apps (android/ios)
seems strapi good for production if I know more about strapi, thank you for recommended this course

sunnyson · April 15, 2021, 12:22pm

To do so, take a look at the rateLimit policy that is provided by users-permissions plugin.

You can add it to your routes like this (config/routes.json):

{
  "routes": [
    {
      "method": "GET",
      "path": "/test-route",
      "handler": "test.index",
      "config": {
        "policies": ["plugins::users-permissions.ratelimit"]
      }
    }
  ]
}

By default, it allows you to limit an IP to max 5 requests per minute. To change these limits you should create your custom policy, copy the content from the rateLimit.js file and modify the values from interval and max variables, then attach that policy to your route.

Note: It uses koa2-ratelimit under the hood, so you can take a look at their documentation for extra configs(like whitelisting your IP). Also, it stores the ips in memory, so if you restart your node app then the limits will be refreshed, to solve this you could store IPs in a persistent memory like Redis/Mongo.

DMehaffy · April 15, 2021, 9:19pm

Custom policy might be better if you plan on scaling too as you can have the policy dump the rate-limit information into Koa.

Our rate-limit policy is very very basic and stores that info in the node memory so if the server restarts that rate-limit log is lost.

Local_App · April 16, 2021, 1:47am

hi there, how to integrate strapi with redis?
I am using mongodb as main database now

Local_App · April 16, 2021, 1:48am

yes I am using custom policy now since default rate limit in strapi is 5 request perminutes

tdammy · March 25, 2022, 8:35am

Pls i need help here, i get this error on all my auth routes after returning status code of 500.
I tried adjusting the rateLimit manually but no difference. am new to strapi.

dhb · June 23, 2022, 5:21am

The rate limit policy has now been changed to a middleware.

The ratelimit.js can now be found here:

github.com

strapi/strapi/blob/master/packages/plugins/users-permissions/server/middlewares/rateLimit.js

'use strict';

module.exports = (config, { strapi }) => async (ctx, next) => {
  const ratelimit = require('koa2-ratelimit').RateLimit;

  const message = [
    {
      messages: [
        {
          id: 'Auth.form.error.ratelimit',
          message: 'Too many attempts, please try again in a minute.',
        },
      ],
    },
  ];

  return ratelimit.middleware(
    Object.assign(
      {},
      {

This file has been truncated. show original

See the example of ratelimit middleware usage from a plugin extension below:

    plugin.routes['content-api'].routes.push({
        method: 'GET',
        path: '/auth/passwordless',
        handler: 'auth.passwordless',
        config: {
            // policies: ['plugins::users-permissions.ratelimit'], (deprecated) 
            middlewares: ['plugin::users-permissions.rateLimit'],
            prefix: '',
        },
    })

user22 · September 23, 2022, 9:46am

where to place the ratelimit.js file and plugin one?

Sorrow · November 19, 2022, 9:13pm

I take the liberty of upping this post. I have a public endpoint to drop a message. I would also like to limit the call to this endpoint to 1 time every 5 minutes.

Do you have an example for rate limiting public POST on /api/reviews ?