Rate limiting restricts requests from one client (IP, API key) per time unit. Defence against DDoS, brute-force, abuse. Standard implementations: token bucket (nginx limit_req), leaky bucket (API gateways), sliding window (Redis sorted sets). Response — HTTP 429 + Retry-After header.
Free online tool — website security scanner: instant results, no signup.
Rate limiting restricts requests from one client (IP, API key) per time unit. Defence against DDoS, brute-force, abuse. Standard implementations: token bucket (nginx limit_req), leaky bucket (API gateways), sliding window (Redis sorted sets). Response — HTTP 429 + Retry-After header.
Rate limiting is implemented through various algorithms that define how requests are managed and restricted. Each algorithm has its strengths and use cases:
nginx with the limit_req module.Redis sorted sets to maintain timestamps of requests.Choosing the right algorithm depends on the specific requirements of your application, such as the expected traffic patterns and the level of strictness needed for rate limiting.
To implement rate limiting in nginx, you can use the limit_req module. Below is a simple configuration example:
http {
# Define a shared memory zone for storing request states
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
server {
location /api/ {
# Apply the rate limiting zone
limit_req zone=one burst=5 nodelay;
# Your API backend
proxy_pass http://backend;
}
}
}In this configuration:
limit_req_zone directive specifies a zone named one with a limit of one request per second per unique client IP address.burst parameter allows for up to 5 excess requests to be processed without being delayed.nodelay option ensures that excess requests are processed immediately, up to the burst limit.With this setup, if a client exceeds the defined limit, they will receive an HTTP 503 error response, indicating that their requests are being limited.
Implementing rate limiting effectively requires following certain best practices to ensure application stability and user satisfaction:
429 Too Many Requests to inform clients when they exceed the rate limit. Include a Retry-After header to suggest when they can retry their requests.By adhering to these best practices, you can ensure that your rate limiting implementation is both effective and user-friendly.
The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.
Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.
TLS version, certificate expiry, chain of trust, HSTS support.
Finding exposed server versions, debug modes, open configs, and directories.
Detailed report explaining each issue with specific steps to fix it.
HTTP header audit
config verification
CSP & HSTS setup
compliance checks
Strict-Transport-Security.Server: Apache/2.4.52 helps attackers find exploits. Hide the version.DENY or SAMEORIGIN.nosniff, browsers may misinterpret file types (MIME sniffing).Content-Security-Policy-Report-Only, monitor violations, then enforce.Server, X-Powered-By, X-AspNet-Version from responses.Security check history and HTTP security header monitoring.
Sign up freeSee definition above. Most web projects with traffic > 100 RPS need it.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.