Rate Limiting Tests

10 tests verify request limiting, burst protection, and client identification.

Rate Limiting Configuration

Rate limits are configured globally under default and per endpoint under by_endpoint; identify_by lists the request attributes used to identify the client whose quota is being counted:

# config.yaml
rate_limiting:
  enabled: true
  default:
    requests_per_minute: 100
    burst_size: 20
  by_endpoint:
    /login:
      requests_per_minute: 10
      burst_size: 3
    /users:
      requests_per_minute: 1000
  identify_by:
    - api_key
    - ip_address
RATE-001 PASS

Request within rate limit

Sample Request

curl -H "X-API-Key: valid-key" http://localhost:8080/users

Response Headers

HTTP/1.1 200 OK
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 99
X-RateLimit-Reset: 1609459260

Requests within the rate limit are served normally and carry the X-RateLimit-* headers: the limit that applies to the endpoint, the quota remaining in the current window, and the Unix timestamp at which the window resets (1609459260 is 2021-01-01T00:01:00Z).

RATE-003 THROTTLED

Rate limit exceeded

After 100+ requests in 1 minute

HTTP/1.1 429 Too Many Requests
Retry-After: 45
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 0
X-RateLimit-Reset: 1609459260

{"error": "Rate limit exceeded", "retry_after": 45}

Requests exceeding the rate limit receive a 429 status with a Retry-After header, and the JSON body repeats the same value in retry_after; here both are 45 seconds, the time left until the X-RateLimit-Reset timestamp, so a client can honour whichever it parses.

RATE-005 THROTTLED

Login brute force protection

Attack Attempt

# 11th login attempt within 1 minute

Expected Response

HTTP/1.1 429 Too Many Requests

{"error": "Too many login attempts", "retry_after": 60}

Login endpoints have a stricter limit (10/min with a burst of 3) to slow brute-force and credential-stuffing attacks. A login request that carries no API key is identified by its IP address under the identify_by order above, so this limit throttles one source address at a time: it does not stop an attack spread across many addresses, and it can lock out legitimate users who share an address behind a NAT or proxy.

RATE-008 THROTTLED

Burst protection

Attack Attempt

# 50 simultaneous requests

Sudden bursts larger than burst_size are throttled even when the per-minute limit has not been exhausted: under the default policy (burst_size 20, 100/min), 50 simultaneous requests are well within the minute quota, yet the requests beyond the burst allowance receive 429.
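The Python below is an added example, not code from the original page or from the project under test. It enforces the config.yaml policy above and produces the responses the four tests describe: the X-RateLimit-* headers of RATE-001, the 429 with Retry-After of RATE-003, the IP-keyed login limit of RATE-005, and the burst throttling of RATE-008. It assumes things the page does not state: requests_per_minute is counted over a fixed 60-second window (which is what makes X-RateLimit-Reset a window boundary), burst_size is the capacity of a token bucket refilled at requests_per_minute/60 tokens per second, per-endpoint settings override the defaults field by field, and identify_by is an ordered preference list. The /orders endpoint, the client address 203.0.113.7 and the FakeClock are constructed for the example; /orders stands in for /users because /users carries its own 1000/min limit in the config while the RATE-001 headers show the default limit of 100.

```python
"""Added example, not the project's own code: enforce the config.yaml policy above
and emit the headers the RATE-* tests show. Assumptions are listed in the lead-in."""
import math
import time

# Policy mirrored from the config.yaml fragment above, embedded so this runs offline.
CONFIG = {
    "enabled": True,
    "default": {"requests_per_minute": 100, "burst_size": 20},
    "by_endpoint": {"/login": {"requests_per_minute": 10, "burst_size": 3},
                    "/users": {"requests_per_minute": 1000}},
    "identify_by": ["api_key", "ip_address"],
}
WINDOW = 60.0  # requests_per_minute is counted over a fixed 60 s window (assumption)


class FakeClock:
    """Manually advanced clock for reproducible scenarios; production uses time.time."""
    def __init__(self, t):
        self.t = float(t)
    def __call__(self):
        return self.t
    def advance(self, seconds):
        self.t += seconds


class RateLimiter:
    def __init__(self, config, clock=time.time):
        self.config = config
        self.clock = clock
        self.windows = {}  # (client, path) -> [window_start, request_count]
        self.buckets = {}  # (client, path) -> [tokens, last_refill_time]

    def policy(self, path):
        # Endpoint settings override the defaults field by field (assumption), so
        # /users raises the minute limit to 1000 but keeps the default burst_size 20.
        p = dict(self.config["default"])
        p.update(self.config["by_endpoint"].get(path, {}))
        return p["requests_per_minute"], p["burst_size"]

    def client_key(self, headers, remote_ip):
        # identify_by is ordered: the first attribute present names the client. A login
        # request without an API key falls through to its IP, a per-address brake only.
        for attr in self.config["identify_by"]:
            if attr == "api_key" and headers.get("X-API-Key"):
                return "key:" + headers["X-API-Key"]
            if attr == "ip_address" and remote_ip:
                return "ip:" + remote_ip
        raise ValueError("request carries none of the identify_by attributes")

    @staticmethod
    def _throttled(rpm, remaining, reset, retry, error):
        hdrs = {"Retry-After": retry, "X-RateLimit-Limit": rpm,
                "X-RateLimit-Remaining": remaining, "X-RateLimit-Reset": reset}
        return 429, hdrs, {"error": error, "retry_after": retry}

    def check(self, path, headers=None, remote_ip=None):
        """Decide one request; returns (status, response_headers, json_body)."""
        if not self.config["enabled"]:
            return 200, {}, None
        rpm, burst = self.policy(path)
        key = (self.client_key(headers or {}, remote_ip), path)
        now = self.clock()
        error = "Too many login attempts" if path == "/login" else "Rate limit exceeded"

        # Layer 1: fixed-window counter. Exhausting requests_per_minute yields 429 with
        # Retry-After counting down to the window boundary (RATE-003, RATE-005).
        start = now - (now % WINDOW)
        win = self.windows.setdefault(key, [start, 0])
        if win[0] != start:  # a new minute has begun; the counter resets
            win[0], win[1] = start, 0
        reset = int(start + WINDOW)
        if win[1] >= rpm:
            return self._throttled(rpm, 0, reset, math.ceil(reset - now), error)

        # Layer 2: token bucket of capacity burst_size refilled at rpm/60 per second.
        # A burst larger than burst_size is throttled with minute quota to spare
        # (RATE-008); Remaining then reports the quota actually left in the window.
        bucket = self.buckets.setdefault(key, [float(burst), now])
        bucket[0] = min(float(burst), bucket[0] + (now - bucket[1]) * rpm / WINDOW)
        bucket[1] = now
        if bucket[0] < 1:
            wait = math.ceil((1 - bucket[0]) * WINDOW / rpm)  # seconds until one token
            return self._throttled(rpm, rpm - win[1], reset, wait, error)

        bucket[0] -= 1
        win[1] += 1
        hdrs = {"X-RateLimit-Limit": rpm, "X-RateLimit-Remaining": rpm - win[1],
                "X-RateLimit-Reset": reset}
        return 200, hdrs, None


def run(limiter, clock, path, n, spacing=0.0, headers=None, remote_ip=None):
    """Issue n requests, advancing clock by `spacing` s between them (0.0 = simultaneous)."""
    out = []
    for i in range(n):
        if i:
            clock.advance(spacing)
        out.append(limiter.check(path, headers, remote_ip)[0])
    return out
```

Under these assumptions the 50-request burst of RATE-008 yields 20 successes and 30 rejections, and only the 20 that got through count against the minute; ten attempts on /login succeed when spaced so the 3-token bucket can refill, and the eleventh within the same minute is refused with "Too many login attempts". Whether a burst rejection reports X-RateLimit-Remaining as 0 or as the real remaining quota is an implementation choice; the example reports the real figure so a client can tell a burst rejection from an exhausted minute.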