What Is Rate Limiting?
A technique that controls the number of requests a client can make to a server within a specified time period. Rate limiting protects against brute-force attacks, denial of service, API abuse, and web scraping by rejecting requests that exceed the defined threshold.
In Laravel Applications
Laravel provides built-in rate limiting through the throttle middleware. Apply it directly to routes, for example Route::middleware("throttle:60,1") for 60 requests per minute, or define named limiters in RouteServiceProvider and reference them by name. For login endpoints, use a stricter limit such as throttle:5,1. The middleware keys each bucket on the client IP (or the authenticated user), so the IP it sees must be the real one: a misconfigured TrustProxies setting can undermine the limit.
Example
Without rate limiting on /login, an attacker can attempt thousands of password combinations per minute. With throttle:5,1 applied, the same client is limited to 5 attempts per minute and receives HTTP 429 for the rest, which makes online brute-force impractical.
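As an added illustration (example code written for this entry, not taken from the original page, the Laravel framework documentation or the StackShield product), the following shows both forms the text describes: the inline throttle:60,1 middleware and a named limiter for /login, plus a feature test that checks the sixth attempt in a minute is rejected. The service-provider location, the LoginController class, the auth:sanctum guard and the test file path are assumptions; the named limiter keys on both the submitted e-mail and the client IP, which is the usual Laravel pattern for login throttling.

```php
<?php
// Added example for this glossary entry; not code from the original page.
// Sections are labelled with the file they would normally live in.

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;

// --- Named limiters: boot() of a service provider (assumed: RouteServiceProvider
//     in older releases, AppServiceProvider in newer ones). ---

RateLimiter::for('login', function (Request $request) {
    // Normalise the identifier so "Alice@Example.com" and "alice@example.com"
    // share one bucket.
    $email = strtolower(trim((string) $request->input('email', '')));

    // Two independent buckets: 5/min per (account, IP) pair and 20/min per IP
    // regardless of account. Tripping either one returns HTTP 429.
    return [
        Limit::perMinute(5)->by('login:' . $email . '|' . $request->ip()),
        Limit::perMinute(20)->by('login-ip:' . $request->ip()),
    ];
});

RateLimiter::for('api', function (Request $request) {
    // Authenticated clients are keyed by user id, anonymous ones by IP.
    $key = $request->user()?->id ?: $request->ip();

    return Limit::perMinute(60)
        ->by('api:' . $key)
        ->response(function (Request $request, array $headers) {
            // $headers carries Retry-After and the X-RateLimit-* values.
            return response()->json(['message' => 'Too many requests'], 429, $headers);
        });
});

// --- Routes (routes/web.php and routes/api.php) ---

// Inline form from the text: 60 requests per minute, keyed by IP or user id.
Route::middleware('throttle:60,1')->get('/status', fn () => ['ok' => true]);

// Login uses the named limiter defined above (controller class is assumed).
Route::post('/login', [\App\Http\Controllers\Auth\LoginController::class, 'store'])
    ->middleware('throttle:login');

// API routes use the named 'api' limiter behind the (assumed) sanctum guard.
Route::middleware(['auth:sanctum', 'throttle:api'])
    ->get('/api/profile', fn (Request $request) => $request->user());

// --- Feature test (assumed path: tests/Feature/LoginThrottleTest.php) ---
// The check that the limiter is actually wired to /login: five failed attempts
// are processed normally, the sixth within the same minute is refused.
class LoginThrottleTest extends \Tests\TestCase
{
    public function test_sixth_login_attempt_in_a_minute_is_rejected(): void
    {
        // Constructed credentials; the account does not need to exist.
        $payload = ['email' => 'victim@example.test', 'password' => 'wrong-password'];

        for ($i = 0; $i < 5; $i++) {
            $status = $this->post('/login', $payload)->status();
            $this->assertNotSame(429, $status, "attempt $i should not be throttled");
        }

        $this->post('/login', $payload)
            ->assertStatus(429)
            ->assertHeader('Retry-After');
    }
}
```

The two-bucket design matters for the IP caveat above: if the application sits behind a load balancer and TrustProxies is not configured for it, every request appears to come from the balancer's address and the per-IP bucket throttles all users together; if TrustProxies trusts every proxy, a client-supplied X-Forwarded-For header chooses the bucket instead. Running the feature test in CI catches the first problem early, because the limiter keys stop varying per client.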
Related Terms
Brute-Force Attack
An attack method that tries every possible combination of credentials until the correct one is found. Brute-force attacks target login forms, API keys, encryption keys, and any authentication mechanism that does not limit the number of attempts.
DDoS (Distributed Denial of Service)
An attack that overwhelms a server or network with traffic from many sources simultaneously, making it unavailable to legitimate users. Unlike a simple DoS attack from one source, DDoS attacks use thousands of compromised devices (a botnet) to generate traffic that is difficult to filter.
Related Articles
Laravel 13 Security: What Changed from Laravel 12 and What You Need to Know
A security-focused review of Laravel 13 for teams upgrading from Laravel 12. Covers new defaults, deprecated patterns, configuration changes, and a post-upgrade security checklist.
How to Security Audit a Laravel Application: A Practical Guide
A step-by-step guide to auditing the security of a Laravel application. Covers dependency scanning, configuration review, external scanning, code review patterns, and how to prioritize findings.
Laravel Security Checklist 2026: 40 Checks Before Deploy
The 40 security checks we run on every Laravel app before it goes live. Most apps fail at least 5. Covers exposed .env files, debug mode, missing headers, CORS, session config, and dependency vulnerabilities.
Related Fix Guides
How to Fix Missing Rate Limiting in Laravel
Your Laravel login and API endpoints have no rate limiting, enabling brute-force attacks and API abuse. Add throttling now.
Laravel Trusted Proxies Wildcard: How to Configure TrustProxies Middleware Correctly
Setting TrustProxies to trust all proxies (*) lets attackers spoof IP addresses and bypass rate limiting, IP-based access controls, and audit logging.
Monitor Your Laravel Application's Security
StackShield continuously checks your Laravel application from the outside, catching security issues before attackers find them.