Skip to main content
Skip table of contents

Rate-limiting for APIs [VF OG]

Introduction

This document provides an overview of the recently implemented rate limiting feature in the Workflow Engine API using Microsoft AspNetCore RateLimiting based on the Fixed window limiter strategy. The rate-limiting feature helps to prevent abuse of the API by limiting the number of requests that can be made within a certain time window. This documentation will guide you on how to enable and configure rate limiting in the Workflow Engine API.

Fixed Window Limiter

The Fixed Window Limiter is a simple and straightforward rate-limiting strategy. It divides time into fixed windows of a specified duration, and within each window, a limited number of requests are allowed. Once the maximum number of requests (PermitLimit) is reached within a window (WindowTime), any additional requests made during that period will indeed be rejected, and the server should respond with an HTTP status code 429, indicating "Too Many Requests."

Prerequisites

Before proceeding with the rate-limiting implementation, ensure that the following prerequisites are met:

  1. The project must be running on .NET 7 or later.

  2. The Platform.CoreComponents.Hosting.Extensions.Api library version is 8.7.1 or later. This library is used for API hosting and rate limiting integration.

Enabling Rate-Limiting

To enable rate-limiting in the new project, follow these steps:

  1. Inside the constructor of the Startup class, set the UseRateLimiter flag to true as shown below:

C# 
public Startup(IConfiguration configuration) : base(configuration)
{
    UseRateLimiter = true;
}

By setting the UseRateLimiter flag to true, the rate-limiting feature will be activated for the API.

Rate-Limiting Configuration

If no rate-limiting configuration is specified in the appsettings.json file, the rate limiter will use the default configuration as follows:

JSON 
"RateLimit": {
  "Fixed": {
    "WindowTime": "00:01:00",
    "PermitLimit": 10000,
    "QueueProcessingOrder": "OldestFirst"
  }
}

The default configuration uses the Fixed window limiter strategy with the following parameters:

  • WindowTime: The time window for rate limiting, expressed in the format HH:mm:ss. In this case, it is set to 1 minute (00:01:00).

  • PermitLimit: The maximum number of requests allowed within the specified WindowTime. In this case, it is set to 10,000.

  • QueueProcessingOrder: The order in which requests are processed when the rate limit is exceeded. In this case, it is set to "OldestFirst," which means older requests are processed first.

Customizing Rate-Limiting Configuration

If you need to customize the rate-limiting configuration, you can do so by adding a RateLimit section to the appsettings.json file:

JSON 
"RateLimit": {
  "Fixed": {
    "WindowTime": "00:01:00",
    "PermitLimit": 10000,
    "QueueProcessingOrder": "OldestFirst"
  }
}

You can adjust the WindowTime, PermitLimit, and QueueProcessingOrder properties to meet your specific requirements.

Monitoring Rate Limiting

The rate-limiting feature will now be active and start monitoring incoming requests according to the specified configuration. When the rate limit is exceeded, the rate limiter will respond to requests with a rate-limiting error, indicating that the limit has been reached. Be sure to handle these rate-limiting responses gracefully in your application.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close