Rate Limiting
Frappe framework has out of the box support for rate-limiting HTTP requests.
Frappe framework implements fixed window rate-limiting based on time consumed by requests. The limit is enforced on the sum of time taken by all HTTP requests made in the configured window. The cycle resets after every window
seconds, for instance, setting window
to 3600 seconds will reset the usage counter to 0 at the beginning of every hour based on site's timezone.
Note: Requests over limit are not processed and are sent HTTP 429
(Too Many Requests) response.
You can enable rate limiting on your site by adding configuration similar to the following in site_config.json
:
{
"rate_limit": {
"limit": 600,
"window": 3600
}
}
Key | Description |
---|---|
limit |
Maximum amount of time permitted to use in the rate limit window (in seconds). |
window |
Size of the rate limit window (in seconds). |
The returned HTTP headers of every HTTP request show the current rate limit status, e.g.
curl -i https://frappe.io/docs
HTTP/1.1 200 OK
X-RateLimit-Limit: 600000000
X-RateLimit-Remaining: 518060453
X-RateLimit-Reset: 3513
X-RateLimit-Used: 100560
In case of requests made after configured limits are exhausted, HTTP 429
response is returned along with the rate limit status:
curl -i https://frappe.io/docs
HTTP/1.1 429 TOO MANY REQUESTS
X-RateLimit-Limit: 600000000
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1242
Retry-After: 1242
Header | Description |
---|---|
Retry-After | Time remaining till the current rate limit window resets (in seconds). |
X-RateLimit-Limit | Time permitted to use in a rate limit window (in microseconds). |
X-RateLimit-Remaining | Time remaining (to be used) in the current rate limit window (in microseconds). |
X-RateLimit-Reset | Time remaining till the current rate limit window resets (in seconds). |
X-RateLimit-Used | Time used for processing the current request (in microseconds). |