Rate limiting is one of the techniques you can use to control traffic on your application or network.
What Is Rate Limiting?
Rate limiting is a widespread access restriction technique for limiting network traffic, primarily within speculated time frames or when the user has executed several requests.
Rate limiting is popular for reducing cyber attacks like brute force and DDoS (Distributed Denial of Service), limiting web scraping, API requests, and other irregular user interactions like bot automation and server strain.
Go provides first-class support for rate-limiting applications in the rate package that provides a rate limiter and interoperates with the time package.
The rate package is part of the Go project, but the package is not available in the standard library. You’ll need to install the package with the get command.
Run this command in the terminal of your working directory to add the package to your project’s dependencies.
Import these packages into your Go file for this tutorial.
The json package is for encoding a struct as JSON to the client. You’ll use the log package to log errors to the console and the http package to build the endpoint and the middleware and start a server.
Building a Simple API With One Endpoint
Conventionally, you’ll write a middleware for the handler functions you want to rate limit. Each time the user sends a request, the middleware validates the request status before relaying access to the handler function, depending on the case.
Here’s the struct model with string fields you’ll encode to the client.
The handler function will set the content type to JSON, write a successful status code, and return an encoded struct instance to the client.
The endpointExample handler function takes in an http package writer and request method instance and returns a message to the client with the writer instance.
Rate Limiting a Simple Go Application
Rate limiting via a user’s number of requests or the available number of requests is similar. You’ll always need to create a limiter before the authorization process.
Here’s how you can create a rate limiter and authorize users based on the number of requests.
The rateLimiterMiddleware handler function is a middleware that accepts a handler function as the argument and returns the result of the authorization after creating a new rate limiter with the NewLimiter method that takes two parameters for the number of requests per second after the specified maximum requests.
The Allow method of the limiter instance returns a boolean based on the status of authorized requests. The rateLimiterMiddleware returns the JSON message if the request is authorized or the “rate limit exceeded " message when the client has sent the maximum number of requests.
The main function mounts the /home endpoint to the rateLimiterMiddleware handler function that takes in the endpointExample handler function.
The ListenAndServe method starts a server on localhost port 8080 and returns possible errors.
You can run this command on the terminal of your working directory or with a bash script to test the endpoint after running the server.
The code hits the /home endpoint ten times with a request. Here are the result of the requests.
After the sixth request (maximum), the client is unauthorized and can no longer access the endpoint.
Rate-Limiting Is Important
Rate-limiting is essential, especially if you’re looking towards cutting the cost of hosting your application, want to reduce bot interference, or secure your app from cyber attacks. Similar to Go’s rate package, npm provides the express-rate-limit package to rate-limit express applications.
