How to use rate limiting in Laravel


It is almost always better not to use the IP address as part of rate limiting in Laravel. The main reason is that an IP address can easily be changed with proxies and VPNs.

Did you know that Laravel has an elegant syntax for combining multiple rate limits in one limiter? Here it is:

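use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

RateLimiter::for('login', function (Request $request) {
    return [
        Limit::perMinute(500),                              // all requests combined
        Limit::perMinute(5)->by($request->ip()),            // per client IP
        Limit::perMinute(5)->by($request->input('email')),  // per submitted email
    ];
});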

This code will not help against DDoS attacks, though. It can, however, stop some malicious brute-force attempts. Just remember that each group of people behind a corporate proxy will appear as a single IP address to your web application.

Still, your best bet would be Cloudflare’s WAF with advanced threat detection.
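
A variant of the limiter above, added here as an example (not code from the original post): it normalizes the submitted email before using it as a key, rejects non-string input, and prefixes the keys so the IP and email counters stay separate. The `/login` route, `LoginController`, its `store` method and the file placement in the comments are assumptions.

```php
<?php
// Added example, not from the original post.
// --- In a service provider's boot() method ---

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;
use Illuminate\Support\Str;

RateLimiter::for('login', function (Request $request) {
    // input() can return null or an array (email[]=...); accept strings only.
    $raw = $request->input('email');

    // Trim and lower-case so "User@Example.com " and "user@example.com"
    // count against one budget instead of getting five attempts each.
    // Requests without a usable email all share the single key "email:".
    $email = is_string($raw) ? Str::lower(trim($raw)) : '';

    return [
        // No by(): one counter shared by every request to this limiter.
        Limit::perMinute(500),

        // Per-IP limit. Users behind one corporate proxy share this budget.
        Limit::perMinute(5)->by('ip:'.$request->ip()),

        // Per-account limit. Still applies when the client IP changes,
        // because the key does not depend on the address at all.
        // The prefixes keep the two counters apart even if the submitted
        // email string happens to equal an IP address.
        Limit::perMinute(5)->by('email:'.$email),
    ];
});

// --- In routes/web.php (route and controller names are assumed) ---
// The throttle middleware applies the named limiter to this route only.
Route::post('/login', [LoginController::class, 'store'])
    ->middleware('throttle:login');
```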
