Skip to main content
version 1.0.0

Rate Limiting


Rate limiters ensure the fair usage of your http server by clients. It regulates the number of times a user can request your application in a given time-frame.

Basic usage

Athenna uses the @fastify/rate-limit plugin inside HttpKernel. All the configurations that @fastify/rate-limit supports can be set inside config/http.js file in the rateLimit object:

rateLimit: {
global: true,
max: 1000,
ban: null,
timeWindow: 1000 * 60,
cache: 5000,
allowList: [],
continueExceeding: false,
enableDraftSpec: false,

We highly recommend opening the config/http.js file in rateLimit configurations to see a little documentation of all it's options.

Set rate limit for specific routes

In Athenna you can set specific options of rate limit for specific routes. You can also disable the global option of your rateLimit configuration in config/http.js and set different rules in your routes:

Route.get('/hello', '').rateLimit({ max: 1, timeWindow: '1 minute' })

Usage in route groups

In route groups you can use the rateLimit method. This will set the same configuration for all routes inside the group: => {
Route.get('/hello', '')

The rateLimit method of route groups will never subscribe the already set methods of routes. Use then to create "defaults" configurations for all routes.

Usage in route resources

In route resources you can use the rateLimit method:

// Set the same configurations for all routes of resource
Route.resource('/tests', 'WelcomeController').rateLimit({...})

// Set configuration only for that specific action of resource
Route.resource('/tests', 'WelcomeController').rateLimit('index', {...})
Route.resource('/tests', 'WelcomeController').rateLimit('store', {...})

Rate limit headers

The response will have the following headers if enableDraftSpec is true in rateLimit config or route:

ratelimit-limitHow many requests the client can make
ratelimit-remainingHow many requests remain to the client in the timewindow
ratelimit-resetHow many seconds must pass before the rate limit resets
retry-afterContains the same value in time as ratelimit-reset

For more information on Rate limit headers, please consult the Meta article about rate limiters.

Disabling rate limit

Rate limit plugin is registered in your http application by default, but you can remove it setting the noRateLimit as true in config/http.js file:

noRateLimit: true