Skip to main content

Set a rate limit


The server must have a rate limit to control interaction frequency.


Several attacks depend on executing a huge amount of requests from a single host. For instance, it is possible to exhaust a server’s connection pool with a single machine by using asynchronous requests, effectively causing a Denial of Service (DoS). These and other attacks, such as the ones depending on brute force, can be thwarted, or severely hindered, by limiting the number of requests that a single host can send to the server in a short period of time. Therefore, server settings should include a rate limit that considers a regular request flow between a host and the server.


  • CAPEC-49: Password Brute Forcing: In this attack, the adversary tries every possible value for a password until they succeed. A brute force attack, if feasible computationally, will always be successful because it will essentially go through all possible passwords given the alphabet used (lower case letters, upper case letters, numbers, symbols, etc.) and the maximum length of the password.

  • CAPEC-125: Flooding: An adversary consumes the resources of a target by rapidly engaging in a large number of interactions with the target. This type of attack generally exposes a weakness in rate limiting or flow. When successful this attack prevents legitimate users from accessing the service and can cause the target to crash.

  • CAPEC-130: Excessive Allocation: An adversary causes the target to allocate excessive resources to servicing the attackers' request, thereby reducing the resources available for legitimate services and degrading or denying services. Usually, this attack focuses on memory allocation, but any finite resource on the target could be the attacked, including bandwidth, processing cycles, or other resources.

  • CWE-770: Allocation of Resources Without Limits or Throttling: The software allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

  • CWE-799: Improper Control of Interaction Frequency: The software does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

  • OWASP-ASVS v4.0.1 V2.2 General Authenticator Requirements.(2.2.1): Verify that anti-automation controls are effective at mitigating breached credential testing, brute force, and account lockout attacks. Such controls include blocking the most common breached passwords, soft lockouts, rate limiting, CAPTCHA, ever increasing delays between attempts, IP address restrictions, or risk-based restrictions such as location, first login on a device, recent attempts to unlock the account, or similar. Verify that no more than 100 failed attempts per hour is possible on a single account.

  • OWASP-ASVS v4.0.1 V8.1 General Data Protection.(8.1.4): Verify the application can detect and alert on abnormal numbers of requests, such as by IP, user, total per hour or day, or whatever makes sense for the application.

  • OWASP-ASVS v4.0.1 V11.1 Business Logic Security Requirements.(11.1.2): Verify the application will only process business logic flows with all steps being processed in realistic human time, i.e., transactions are not submitted too quickly.

  • OWASP-ASVS v4.0.1 V11.1 Business Logic Security Requirements.(11.1.3): Verify the application has appropriate limits for specific business actions or transactions which are correctly enforced on a per user basis.

  • OWASP-ASVS v4.0.1 V11.1 Business Logic Security Requirements.(11.1.4): Verify the application has sufficient anti-automation controls to detect and protect against data exfiltration, excessive business logic requests, excessive file uploads or denial of service attacks.

  • OWASP-ASVS v4.0.1 V11.1 Business Logic Security Requirements.(11.1.5): Verify the application has business logic limits or validation to protect against likely business risks or threats, identified using threat modeling or similar methodologies.

  • OWASP-ASVS v4.0.1 V12.1 File Upload Requirements.(12.1.3): Verify that a file size quota and maximum number of files per user is enforced to ensure that a single user cannot fill up the storage with too many files, or excessively large files.

  • OWASP-ASVS v4.0.1 V13.2 RESTful Web Service Verification Requirements.(13.2.4): Verify that REST services have anti-automation controls to protect against excessive calls, especially if the API is unauthenticated.

  • OWASP-ASVS v4.0.1 V13.4 GraphQL and other Web Service Data Layer Security Requirements.(13.4.1): Verify that query whitelisting or a combination of depth limiting and amount limiting should be used to prevent GraphQL or data layer expression denial of service (DoS) as a result of expensive, nested queries. For more advanced scenarios, query cost analysis should be used.