Throttling/Rate Limiter for an API

Throttling and rate-limiting allow you to prevent abuse of your API and ensure that your API withstands large numbers of calls (including DoS and accidental loops). With Throttling, you can set a delay on calls after an SLA tier has been exceeded, slowing down the number of requests an API client is making.

Rate limiting lets you set a hard number for how many calls the client may make in a specific time frame. Essentially, if a client is making too many calls, you can slow down the responses or cut the client off to prevent the system from being overrun or disrupting your other users.

This is especially helpful in negating malicious attacks, as well as the dreaded accidental infinite loop that pounds your API with calls. While this practice may seem harsh at first, it is widely adopted to ensure the best quality of service for everyone.

AspNetCoreRateLimit is an ASP.NET Core rate limiting solution designed to control the rate of requests that clients can make to a Web API or MVC app based on IP address or client ID. The AspNetCoreRateLimit package contains an IpRateLimitMiddleware and a ClientRateLimitMiddleware, with each middleware you can set multiple limits for different scenarios like allowing an IP or Client to make a maximum number of calls in a time interval like per second, 15 minutes, etc. You can define these limits to address all requests made to an API, or you can scope the limits to each API URL or HTTP verb and path.

Default AppSetting.json we use for My MoD API Gateway:

“IpRateLimiting”: {

    “EnableEndpointRateLimiting”: true,

    “StackBlockedRequests”: false,

    “RealIPHeader”: “X-Real-IP”,

    “ClientIdHeader”: “X-ClientId”,

    “HttpStatusCode”: 429,

    “GeneralRules”: [


        “Endpoint”: “*:/api/*”,

        “Period”: “1s”,

        “Limit”: 300




  • EnableEndpointRateLimiting is set to true, then the limits will apply for each endpoint as in {HTTP_Verb}{PATH}
  • StackBlockedRequests is set to false, rejected calls are not added to the throttle counter. If a client makes 3 requests per second and you’ve set a limit of one call per second, other limits like per minute or per day counters will only record the first call, the one that wasn’t blocked.
  • RealIpHeader is used to extract the client IP when your Kestrel server is behind a reverse proxy, if the proxy uses a different header then X-Real-IP use this option to set it up.
  • ClientIdHeader is used to extract the client id for whitelisting. If a client id is present in this header and matches a value specified in ClientWhitelist then no rate limits are applied.
  • HttpStatusCode that is returned if the limit is reached.

Defining rate limit rules

A rule is composed of an endpoint, a period and a limit.

Endpoint format is {HTTP_Verb}:{PATH}, you can target any HTTP verb by using the asterisk symbol.

Period format is {INT}{PERIOD_TYPE}, you can use one of the following period types: s, m, h, d.

Limit format is {LONG}.