Rate limiting for routes

System Information
  • Strapi Version:
  • Operating System:
  • Database:
  • Node Version:
  • NPM Version:
  • Yarn Version:

I noticed Strapi admin panel comes with rate limiting for your routes that I can check off to activate. May I know how it works, what’s the cap like, how many requests/min etc?

Is it 5 requests/min per IP address as per this js file?

interval: 1 * 60 * 1000,
max: 5,
prefixKey: `${ctx.request.path}:${ctx.request.ip}`,

Hey @jasonleow,

The auth routes:

  • /connect/*
  • /auth/local
  • /auth/local/register
  • /auth/forgot-password
  • /auth/reset-password

Have the policy plugins::users-permissions.ratelimit (you linked).

Looking at the config of koa2-ratelimit middleware:

  • interval: Time Type - how long should records of requests be kept in memory. Defaults to 60000 (1 minute).
  • max: max number of connections during interval milliseconds before sending a 429 response code. Defaults to 5. Set to 0 to disable.

It indeed is max 5 connections during the interval of 1 * 60 * 1000 = 60 seconds per IP per path.


Just something to note, our default implementation stores the rate limit information in the node memory, so if you scale your backend, the rate limit storage is per instance and is not shared.


Thank you for confirming! So 5 connections per 60s per IP path. Does this rate limit extend to the other non-auth routes too?

Thanks Derrick, noted! :slight_smile:

Only if you define the policy or create a new one and attach it to the routes.json

see: https://strapi.io/documentation/v3.x/concepts/policies.html#concept

1 Like