Skip to Content Skip to Search

module ActionController::RateLimiting::ClassMethods

Public instance methods

rate_limit(to:, within:, by: -> { request.remote_ip }

Applies a rate limit to all actions or those specified by the normal before_action filters with only: and except:.

The maximum number of requests allowed is specified to: and constrained to the window of time given by within:.

Rate limits are by default unique to the ip address making the request, but you can provide your own identity function by passing a callable in the by: parameter. It’s evaluated within the context of the controller processing the request.

By default, rate limits are scoped to the controller’s path. If you want to share rate limits across multiple controllers, you can provide your own scope, by passing value in the scope: parameter.

Requests that exceed the rate limit are refused with a 429 Too Many Requests response. You can specialize this by passing a callable in the with: parameter. It’s evaluated within the context of the controller processing the request.

Rate limiting relies on a backing ActiveSupport::Cache store and defaults to config.action_controller.cache_store, which itself defaults to the global config.cache_store. If you don’t want to store rate limits in the same datastore as your general caches, you can pass a custom store in the store parameter.

If you want to use multiple rate limits per controller, you need to give each of them an explicit name via the name: option.

Examples:

class SessionsController < ApplicationController
  rate_limit to: 10, within: 3.minutes, only: :create
end

class SignupsController < ApplicationController
  rate_limit to: 1000, within: 10.seconds,
    by: -> { request.domain }, with: -> { redirect_to busy_controller_url, alert: "Too many signups on domain!" }, only: :new
end

class APIController < ApplicationController
  RATE_LIMIT_STORE = ActiveSupport::Cache::RedisCacheStore.new(url: ENV["REDIS_URL"])
  rate_limit to: 10, within: 3.minutes, store: RATE_LIMIT_STORE
  rate_limit to: 100, within: 5.minutes, scope: :api_global
end

class SessionsController < ApplicationController
  rate_limit to: 3, within: 2.seconds, name: "short-term"
  rate_limit to: 10, within: 5.minutes, name: "long-term"
end
Source code GitHub 
# File actionpack/lib/action_controller/metal/rate_limiting.rb, line 60
def rate_limit(to:, within:, by: -> { request.remote_ip }, with: -> { head :too_many_requests }, store: cache_store, name: nil, scope: nil, **options)
  before_action -> { rate_limiting(to: to, within: within, by: by, with: with, store: store, name: name, scope: scope || controller_path) }, **options
end

Definition files