How to Fix Missing Rate Limiting in Laravel
Your Laravel login and API endpoints have no rate limiting, enabling brute-force attacks and API abuse. Add throttling now.
The Problem
Missing rate limiting on login pages, API endpoints, and form submissions allows attackers to make unlimited requests to your application. This enables brute-force password attacks, credential stuffing, API abuse, and can lead to denial of service. Without rate limiting, an attacker can attempt thousands of login combinations per minute or exhaust your server resources with automated requests.
How to Fix
1. Define rate limiters in your application
In Laravel 11+, configure rate limiters in bootstrap/app.php or a service provider. In AppServiceProvider boot():
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Support\Facades\RateLimiter;
2. Apply rate limiting to routes
Add the throttle middleware to your routes:
3. Add rate limiting response headers
Laravel automatically includes rate limit headers in responses when using the throttle middleware. The response returned once the limit is exceeded can also be customized on the limit itself.
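One way to wire up all three steps, as an added example that is not the page's own code: the RateLimiter::for() calls go in AppServiceProvider::boot(), the Route lines in routes/web.php and routes/api.php, and LoginController is an assumed controller name. It goes one step beyond the page by keying the login limit on both the client IP and the submitted e-mail, the combination the FAQ below recommends against rotating proxies.

```php
<?php
// Added example, not the page's own code. LoginController is a hypothetical name;
// the limiter definitions belong in boot(), the route lines in the route files.

use App\Http\Controllers\Auth\LoginController; // hypothetical controller
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

// --- app/Providers/AppServiceProvider.php, inside boot() ---

// Login: 5/minute keyed by client IP AND 5/minute keyed by the submitted
// e-mail. Every limit in the array is checked, so an attacker rotating IPs
// against one account is still held to 5 attempts per minute on that account.
RateLimiter::for('login', function (Request $request) {
    $email = Str::lower((string) $request->input('email', ''));

    $tooMany = function (Request $request, array $headers) {
        // $headers already carries X-RateLimit-Limit, X-RateLimit-Remaining
        // and Retry-After, so the client learns when it may try again.
        return response()->json(
            ['message' => 'Too many login attempts. Please try again later.'],
            429,
            $headers
        );
    };

    return [
        Limit::perMinute(5)->by('login-ip:' . $request->ip())->response($tooMany),
        Limit::perMinute(5)->by('login-email:' . $email)->response($tooMany),
    ];
});

// API: 60/minute per authenticated user; unauthenticated calls fall back to IP.
RateLimiter::for('api', function (Request $request) {
    return Limit::perMinute(60)->by(
        $request->user()?->getAuthIdentifier() ?? $request->ip()
    );
});

// --- routes/web.php ---
Route::post('/login', [LoginController::class, 'store'])
    ->middleware('throttle:login');

// --- routes/api.php ---
Route::middleware(['auth', 'throttle:api'])->group(function () {
    Route::get('/user', fn (Request $request) => $request->user());
});
```

Because the limiter keys are stored in the cache, the per-account counter only protects across servers when the cache driver is shared (Redis), as the FAQ below notes.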
How to Verify
Test rate limiting by exceeding the limit. For the login endpoint:
for i in {1..10}; do curl -s -o /dev/null -w "%{http_code}\n" -X POST https://yourdomain.com/login -d "email=test@test.com&password=wrong"; done
After 5 requests, you should see 429 (Too Many Requests) status codes instead of the normal response.
Prevention
Include rate limiting in your route definitions from the start. Apply strict limits (5/minute) to authentication endpoints and moderate limits (60/minute) to API endpoints. Use StackShield to test that rate limiting is active on your public-facing endpoints.
Frequently Asked Questions
What rate limits should I set?
For login and password reset: 5 requests per minute per IP. For authenticated API endpoints: 60 requests per minute per user. For public forms (contact, registration): 3-5 per minute per IP. For general web pages: 120 per minute per IP. Adjust based on your legitimate traffic patterns.
Does rate limiting work behind a load balancer?
You need to configure the TrustedProxy middleware so Laravel gets the real client IP from X-Forwarded-For headers. Without this, all requests appear to come from the load balancer IP, and one user hitting the limit blocks everyone. Also use Redis as your cache driver so rate limits are shared across multiple servers.
Can attackers bypass rate limiting?
IP-based rate limiting can be bypassed with rotating proxies. For login protection, combine IP-based limits with account-based limits (lock the account after N failed attempts). For API abuse, use per-user token limits. Adding CAPTCHA after repeated failures provides an additional layer.