Skip to content

Nginx rate limiting: zones, burst, 429

Key idea:

Two directives: limit_req_zone defines the pool (key + memory + rate), limit_req activates it in a location. A 10 MB zone holds ~160k unique IPs in RAM. Add burst for short spikes (burst=20 nodelay — allows 20 without delay, then rate-limits). Returns 429 by default; log to a custom file, feed fail2ban for IP bans.

Below: details, example, related terms, FAQ.

Check your site's security →

Details

  • limit_req_zone $binary_remote_addr zone=api:10m rate=60r/m — the pool
  • limit_req zone=api burst=20 nodelay — inside a location
  • limit_req_status 429 — otherwise it's 503 by default
  • limit_conn — concurrent connections (not requests)
  • Logs: log_format with $limit_req_status for a fail2ban filter

Example

# /etc/nginx/conf.d/rate-limits.conf
limit_req_zone  zone=api:10m rate=60r/m;
limit_req_zone  zone=login:10m rate=5r/m;
limit_req_status 429;

server {
  location /api/ {
    limit_req zone=api burst=20 nodelay;
    proxy_pass http://backend;
  }
  location /login {
    limit_req zone=login burst=3 nodelay;
    proxy_pass http://backend;
  }
}

# fail2ban filter (jail.d/nginx-rate.conf)
[Definition]
failregex = limiting requests, excess.*client: <HOST>

Related

Understanding the Limitations of Rate Limiting in Nginx

While rate limiting is a powerful tool for controlling traffic to your Nginx server, it does come with certain limitations that administrators should be aware of. Understanding these limitations can help you configure your server more effectively and avoid potential pitfalls.

1. Memory Usage: The limit_req_zone directive allocates shared memory for storing request data. A 10 MB zone can accommodate approximately 160,000 unique IP addresses in RAM. If your application experiences traffic from more unique IPs than the configured zone can handle, excess requests may not be tracked, leading to unintended access.

2. Granularity of Rate Limiting: The rate limiting applies at the level of the defined zone. If you have multiple applications or services running on the same server, they will share the same limits unless separate zones are defined. This can lead to unfair limitations on some services if not configured properly.

3. Bursting Behavior: The burst parameter allows for short spikes in traffic, but it can also lead to a surge in requests that exceed the defined rate. If not managed carefully, this can temporarily overwhelm your resources, especially if combined with other traffic spikes.

4. Logging and Monitoring: By default, Nginx returns a 429 status code for rate-limited requests. It is crucial to log these events to a custom file for monitoring and analysis. This data can be invaluable for adjusting your rate limits and understanding traffic patterns.

In summary, while rate limiting is essential for protecting your Nginx server, it requires careful consideration and ongoing management to ensure optimal performance and security.

HeadersCSP, HSTS, X-Frame-Options, etc.
SSL/TLSEncryption and certificate
ConfigurationServer settings and leaks
Grade A-FOverall security score

Why teams trust us

OWASP
guidelines
15+
security headers
<2s
result
A–F
security grade

How it works

1

Enter site URL

2

Security headers analyzed

3

Get grade A–F

What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade fromA to F shows overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.

Who uses this

Security teams

HTTP header audit

DevOps

config verification

Developers

CSP & HSTS setup

Auditors

compliance checks

Common Mistakes

Missing Content-Security-PolicyCSP is the primary XSS defense. Without it, script injection is much easier.
Missing HSTS headerWithout HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
Server header exposes versionServer: Apache/2.4.52 helps attackers find exploits. Hide the version.
X-Frame-Options not setSite can be embedded in iframe for clickjacking. Set DENY or SAMEORIGIN.
Missing X-Content-Type-OptionsWithout nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

Start with basic headersMinimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
Implement CSP graduallyStart with Content-Security-Policy-Report-Only, monitor violations, then enforce.
Hide server headersRemove Server, X-Powered-By, X-AspNet-Version from responses.
Configure Permissions-PolicyRestrict camera, microphone, geolocation access — only what is actually used.
Check after every deploySecurity headers can be overwritten during server configuration updates.

Get more with a free account

Security check history and HTTP security header monitoring.

Sign up free

Learn more

Frequently Asked Questions

Rate per IP or per user?

Per IP is faster (binary_remote_addr in the key). Per user — after auth via $cookie_session or $jwt_claim.

X-Forwarded-For?

Behind a CDN — real_ip_header + set_real_ip_from. Otherwise every request gets banned on the CDN IP.

limit_req vs CF / AWS WAF?

CF / WAF — L7 DDoS protection (10k+ RPS). nginx limit_req — local fair-use + slow-brute protection.

Try the live tool that powered this guide

Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.