Tiered Rate Limiting with Custom Middleware
00:00 There's a really big difference between a user on the homepage just refreshing a bunch of times, hoping they see their notifications or whatever they're looking for, and a user going to the sign-up page or the login page and entering some bogus stuff and trying to guess a user's password, right? I'm okay with a user trying to refresh and get their notifications. That does happen

00:19 sometimes. But if a user tries to sign up like 30 times in a minute, there's probably something fishy there. Or if a user tries to log in like 100 times in a minute, yeah, that's probably also quite fishy. And so we want to block that sort of behavior. So rather than just having a single

00:38 rate limit, it actually makes sense to have kind of a tiered rate limit where you have the strongest rate limit for things like sign-up and login. And then you have a relatively strong rate limit for POST requests, since people typically don't make a lot of POST requests in web apps.

00:53 Sometimes they do. So this is going to be fine-tuned based on your particular app. But then the other will be for just the general rate limit that protects against people sending a script at your app and just trying to take your app down. So your task is to create those

01:11 three different tiers and to create your own little mini middleware that will do some of that checking to know which one of these tiers to call into. So give that a whirl and we'll see you when you're done.
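The three tiers and the little selector middleware described above, as an added example that is not the course's own code: it uses a small in-memory fixed-window limiter in place of express-rate-limit so it runs with no dependencies, and the per-tier limits, the `/login` and `/signup` paths, and the rule that only non-GET requests reach the stronger tiers are assumptions to tune for your own app.

```javascript
// Fixed-window in-memory limiter with the (req, res, next) middleware shape
// (a dependency-free stand-in for express-rate-limit).
function createLimiter({ windowMs, max, name }) {
  const hits = new Map(); // client key -> { count, resetAt }
  return function limiter(req, res, next) {
    const now = Date.now();
    let entry = hits.get(req.ip);
    if (!entry || entry.resetAt <= now) {
      entry = { count: 0, resetAt: now + windowMs }; // new window
      hits.set(req.ip, entry);
    }
    entry.count += 1;
    res.setHeader('X-RateLimit-Limit', String(max));
    res.setHeader('X-RateLimit-Remaining', String(Math.max(0, max - entry.count)));
    if (entry.count > max) {
      res.setHeader('Retry-After', String(Math.ceil((entry.resetAt - now) / 1000)));
      res.statusCode = 429;
      return res.end(`Too many requests (${name} tier)`);
    }
    return next();
  };
}

// Three tiers, each with its own counters. Limits are assumed values.
const tiers = {
  general:   createLimiter({ windowMs: 60_000, max: 1000, name: 'general' }),
  strong:    createLimiter({ windowMs: 60_000, max: 100,  name: 'strong' }),
  strongest: createLimiter({ windowMs: 60_000, max: 10,   name: 'strongest' }),
};
const STRONGEST_PATHS = new Set(['/login', '/signup']); // assumed route paths

// Pick a tier from method and pathname only (query string is ignored).
function pickTier(req) {
  const { pathname } = new URL(req.url, 'http://localhost');
  if (req.method === 'GET' || req.method === 'HEAD') return 'general';
  return STRONGEST_PATHS.has(pathname) ? 'strongest' : 'strong';
}

// The mini middleware: hand the request to exactly one tier's limiter.
function tieredRateLimit(req, res, next) {
  return tiers[pickTier(req)](req, res, next);
}

// Minimal fake req/res so the middleware can be exercised without a server.
function simulate(method, url, ip) {
  const req = { method, url, ip };
  const res = { statusCode: 200, headers: {}, setHeader(k, v) { this.headers[k] = v; }, end() {} };
  let passed = false;
  tieredRateLimit(req, res, () => { passed = true; });
  return { tier: pickTier(req), status: passed ? 200 : res.statusCode };
}
```

In a real Express app this is mounted with `app.use(tieredRateLimit)` ahead of the routes. Because the key is `req.ip`, `trust proxy` has to be configured correctly behind a load balancer, or every client shares the proxy's single counter.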