
Nginx rate limiting: zones, burst, 429

Key idea:

Two directives: limit_req_zone defines the pool (key + shared-memory size + rate), limit_req activates it in a location. A 10 MB zone holds ~160k unique IPs in RAM. Add burst for short spikes (burst=20 nodelay allows 20 extra requests without delay, then rate-limits). The reject status is 503 unless you set limit_req_status 429. Log the rejections to a custom file and feed fail2ban for IP bans.

Below: details, example, related terms, FAQ.


Details

  • limit_req_zone $binary_remote_addr zone=api:10m rate=60r/m — the pool
  • limit_req zone=api burst=20 nodelay — inside a location
  • limit_req_status 429 — otherwise it's 503 by default
  • limit_conn — concurrent connections (not requests)
  • Logs: log_format with $limit_req_status for a fail2ban filter

Example

# /etc/nginx/conf.d/rate-limits.conf (http context)
# Each zone needs a key; $binary_remote_addr is compact, so 10m keeps ~160k client states.
limit_req_zone $binary_remote_addr zone=api:10m   rate=60r/m;
limit_req_zone $binary_remote_addr zone=login:10m rate=5r/m;
limit_req_status 429;   # nginx answers 503 unless this is set

upstream backend {
  server 127.0.0.1:8080;   # placeholder backend so proxy_pass resolves
}

server {
  listen 80;
  location /api/ {
    limit_req zone=api burst=20 nodelay;   # 20 extra requests pass immediately, then 429
    proxy_pass http://backend;
  }
  location /login {
    limit_req zone=login burst=3 nodelay;
    proxy_pass http://backend;
  }
}

# fail2ban filter: /etc/fail2ban/filter.d/nginx-rate.conf (filters live in filter.d, jails in jail.d)
# Matches the error-log line nginx writes for each rejected request.
[Definition]
failregex = limiting requests, excess.*client: <HOST>
ignoreregex =

# fail2ban jail: /etc/fail2ban/jail.d/nginx-rate.conf (window and ban length are illustrative)
[nginx-rate]
enabled  = true
filter   = nginx-rate
logpath  = /var/log/nginx/error.log
findtime = 60
maxretry = 10
bantime  = 600
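What the fail2ban side of this pipeline actually does, as an added Python example (not nginx's or fail2ban's own code): it parses the error-log lines that the failregex above matches, then applies fail2ban's findtime/maxretry rule to decide which client addresses a jail would ban. The log lines are constructed samples with TEST-NET addresses; their layout follows the "limiting requests, excess: ... by zone" message nginx writes for rejections, and the function names are this example's own.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example (not nginx or fail2ban code): parse the error-log lines nginx writes when
# limit_req rejects a request, then apply fail2ban's findtime/maxretry rule to decide
# which client addresses a jail would ban.

# Same idea as the filter's failregex, with timestamp, zone and excess captured as well.
LIMIT_LINE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] .*?'
    r'limiting requests, excess: (?P<excess>[\d.]+) by zone "(?P<zone>[^"]+)", '
    r'client: (?P<host>[0-9a-fA-F.:]+)'
)


def parse_limit_events(lines):
    """Return (timestamp, zone, client_ip, excess) for each rejection line; other lines are ignored."""
    events = []
    for line in lines:
        m = LIMIT_LINE.match(line)
        if not m:
            continue  # unrelated error, or the "delaying request" warning nginx logs for queued requests
        events.append((datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                       m["zone"], m["host"], float(m["excess"])))
    return events


def addresses_to_ban(events, findtime=60, maxretry=5):
    """fail2ban semantics: ban a host once it has maxretry hits inside any findtime-second window."""
    stamps_by_host = defaultdict(list)
    for ts, _zone, host, _excess in sorted(events):
        stamps_by_host[host].append(ts)
    window = timedelta(seconds=findtime)
    banned = set()
    for host, stamps in stamps_by_host.items():
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= maxretry:
                banned.add(host)
                break
    return banned


def _rejected(ts, ip, zone, excess):
    # Layout of nginx's error-log message for a rejected request (constructed sample line).
    return (f'{ts} [error] 1234#1234: *17 limiting requests, excess: {excess} by zone "{zone}", '
            f'client: {ip}, server: example.com, request: "GET /api/ HTTP/1.1", host: "example.com"')


# Constructed sample log using TEST-NET addresses: one abusive client, one that was merely
# delayed once, and one unrelated error line that the filter must not match.
SAMPLE_ERROR_LOG = [
    _rejected("2024/05/01 10:00:00", "203.0.113.7", "api", "20.520"),
    '2024/05/01 10:00:01 [warn] 1234#1234: *18 delaying request, excess: 1.000 by zone "api", '
    'client: 198.51.100.9, server: example.com, request: "GET /api/ HTTP/1.1", host: "example.com"',
    _rejected("2024/05/01 10:00:02", "203.0.113.7", "api", "21.000"),
    _rejected("2024/05/01 10:00:03", "198.51.100.9", "login", "3.400"),
    '2024/05/01 10:00:04 [error] 1234#1234: *19 open() "/var/www/missing" failed (2: No such file '
    'or directory), client: 192.0.2.1, server: example.com, request: "GET /missing HTTP/1.1"',
    _rejected("2024/05/01 10:00:05", "203.0.113.7", "api", "20.900"),
    _rejected("2024/05/01 10:00:09", "203.0.113.7", "api", "20.100"),
    _rejected("2024/05/01 10:00:30", "203.0.113.7", "login", "3.050"),
    _rejected("2024/05/01 10:02:00", "203.0.113.7", "api", "20.000"),
]

if __name__ == "__main__":
    evts = parse_limit_events(SAMPLE_ERROR_LOG)
    print(f"{len(evts)} rejections; would ban: {sorted(addresses_to_ban(evts))}")
```

Only lines at the error level with "limiting requests" count as hits; the "delaying request" warning that a zone without nodelay writes for queued requests is deliberately not matched, so a client that merely bursts a little is not treated like one that is being rejected over and over.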

Related

  • Headers: CSP, HSTS, X-Frame-Options, etc.
  • SSL/TLS: Encryption and certificate
  • Configuration: Server settings and leaks
  • Grade A-F: Overall security score


What Does the Security Analysis Check?

The tool checks HTTP security headers, SSL/TLS configuration, server info leaks, and protection against common attacks (XSS, clickjacking, MIME sniffing). A grade from A to F shows the overall security level.

Header Analysis

Checking Content-Security-Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and more.

SSL Check

TLS version, certificate expiry, chain of trust, HSTS support.

Leak Detection

Finding exposed server versions, debug modes, open configs, and directories.

Report with Recommendations

Detailed report explaining each issue with specific steps to fix it.


Common Mistakes

  • Missing Content-Security-Policy: CSP is the primary XSS defense. Without it, script injection is much easier.
  • Missing HSTS header: Without HSTS, HTTPS-to-HTTP downgrade attacks are possible. Enable Strict-Transport-Security.
  • Server header exposes version: a header like Server: Apache/2.4.52 helps attackers find exploits. Hide the version.
  • X-Frame-Options not set: The site can be embedded in an iframe for clickjacking. Set DENY or SAMEORIGIN.
  • Missing X-Content-Type-Options: Without nosniff, browsers may misinterpret file types (MIME sniffing).

Best Practices

  • Start with basic headers: Minimum: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy. Takes 5 minutes.
  • Implement CSP gradually: Start with Content-Security-Policy-Report-Only, monitor violations, then enforce.
  • Hide server headers: Remove Server, X-Powered-By, X-AspNet-Version from responses.
  • Configure Permissions-Policy: Restrict camera, microphone, geolocation access — only what is actually used.
  • Check after every deploy: Security headers can be overwritten during server configuration updates.


Frequently Asked Questions

Rate per IP or per user?

Per IP is faster ($binary_remote_addr in the key). Per user: after authentication, key on $cookie_session or $jwt_claim.

X-Forwarded-For?

Behind a CDN, use real_ip_header + set_real_ip_from so the key is the real client address. Otherwise every request carries the CDN edge IP as its key, so all clients share one bucket and get limited (and banned) together.
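To make the burst/nodelay behaviour from the key idea and the shared-key problem from this answer concrete, here is an added Python model of the leaky bucket behind limit_req (example code written for this page, not nginx source; the class and function names and the TEST-NET addresses are this example's own). It keeps, per key, the same "excess" counter nginx stores in thousandths of a request, draining at the zone rate and growing by one request per hit.

```python
from dataclasses import dataclass, field

# Added example, not nginx source: a model of the leaky bucket behind limit_req_zone and
# limit_req. nginx keeps, per key, an "excess" counter in thousandths of a request that
# drains at the zone rate and grows by one request per hit; a request that would push
# excess above burst is rejected with limit_req_status (503 unless configured).


@dataclass
class LimitReq:
    rate_rpm: int                  # rate=60r/m -> 60
    burst: int = 0                 # burst=N
    nodelay: bool = False
    status: int = 503              # limit_req_status
    _state: dict = field(default_factory=dict)   # key -> [excess_milli, last_ms]

    def handle(self, key, now_ms):
        """Return (http_status, delay_ms) for one request identified by key at time now_ms."""
        rate = self.rate_rpm * 1000 // 60   # requests per second scaled by 1000, as nginx stores it
        if key not in self._state:
            self._state[key] = [0, now_ms]  # first request for this key: bucket is empty
            return 200, 0
        excess, last = self._state[key]
        elapsed = max(0, now_ms - last)
        excess = max(0, excess - rate * elapsed // 1000 + 1000)  # drain, then add this request
        if excess > self.burst * 1000:
            return self.status, 0           # over burst: rejected, state left unchanged
        self._state[key] = [excess, now_ms if elapsed else last]
        delay = 0 if self.nodelay else excess * 1000 // rate   # queue instead of reject
        return 200, delay


def burst_statuses(n, burst=20, nodelay=True, status=429, gap_ms=0):
    """Statuses for n requests from one client spaced gap_ms apart (constructed client address)."""
    lim = LimitReq(rate_rpm=60, burst=burst, nodelay=nodelay, status=status)
    return [lim.handle("203.0.113.7", i * gap_ms)[0] for i in range(n)]


def queued_delays(n, burst=3):
    """Without nodelay, accepted excess requests are delayed to fit the rate instead of rejected."""
    lim = LimitReq(rate_rpm=60, burst=burst, nodelay=False)
    return [lim.handle("203.0.113.7", 0) for _ in range(n)]


def rejected_behind_cdn(clients, per_client, key_by_real_ip):
    """Count 429s when several clients each send per_client requests at once.

    key_by_real_ip=False models the X-Forwarded-For mistake: without real_ip_header and
    set_real_ip_from every request carries the CDN edge address (constructed 192.0.2.10)
    as its key, so all clients drain one shared bucket.
    """
    lim = LimitReq(rate_rpm=60, burst=5, nodelay=True, status=429)
    rejected = 0
    for ip in clients:
        for _ in range(per_client):
            key = ip if key_by_real_ip else "192.0.2.10"
            if lim.handle(key, 0)[0] == 429:
                rejected += 1
    return rejected


if __name__ == "__main__":
    print(burst_statuses(25))                      # 21 x 200, then 4 x 429
    print(queued_delays(5))                        # delays 0, 1000, 2000, 3000 ms, then 503
    print(rejected_behind_cdn(["198.51.100.1", "198.51.100.2", "198.51.100.3"], 4, False))
```

Two things the model makes visible: the bucket admits the request that fits the rate plus burst extra ones, so burst=20 lets 21 simultaneous requests through before the 22nd is rejected (the "allows 20" in the key idea counts the extras); and with the CDN edge address as the key, three clients sending four requests each share one burst=5 bucket and six of the twelve requests are rejected, whereas keyed on the real client address none are.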

limit_req vs CF / AWS WAF?

Cloudflare / AWS WAF: L7 DDoS protection (10k+ RPS). nginx limit_req: local fair-use limits and slow brute-force protection.