Best unique identifier for rate limits?

So I intend on using something like:
https://github.com/RussellLuo/caddy-ext/tree/master/ratelimit

But I’m wondering what the best identifier to go by is, for individual connections.
{query.id}? Something else? I’m not quite sure.

That would require that every request that hits your server actually has a {query.id} (i.e. a URL query parameter called id).

It really depends on what you’re trying to rate limit, and what your requests look like.

Realize that if someone wanted to get around the rate limits, they could just randomize an ID and shove it into the request.

You basically have to use something that isn’t spoofable if you’re trying to limit untrusted clients, so usually that’s the client IP address.

If you’ve authenticated the client, then rate limiting by API token or something like that might work.

FYI, there’s also this plugin as well:

There’s no authentication as such. And yeah query id does not work for the general request limit I want to add on all pages. I’ll try to use {remote.ip} then do some testing.
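An added example, not from the thread or from either plugin's code: a minimal fixed-window limiter in Go (the language Caddy is written in) that shows why the choice of key matters when one client changes `?id=` on every request. `Limiter`, `Simulate` and the key functions are hypothetical names, and the 2-requests-per-minute limit and the client address are constructed.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// Limiter is a hypothetical fixed-window limiter: at most limit requests
// per key in each period.
type Limiter struct {
	limit  int
	period time.Duration
	start  map[string]time.Time
	count  map[string]int
}

func (l *Limiter) Allow(key string, now time.Time) bool {
	if s, ok := l.start[key]; !ok || now.Sub(s) >= l.period {
		l.start[key], l.count[key] = now, 0 // new key or window expired
	}
	l.count[key]++
	return l.count[key] <= l.limit
}

// byQueryID keys on a value the client chooses; byRemoteIP keys on the TCP peer.
func byQueryID(r *http.Request) string { return r.URL.Query().Get("id") }
func byRemoteIP(r *http.Request) string {
	host, _, _ := net.SplitHostPort(r.RemoteAddr)
	return host
}

// Simulate sends n requests, one per second, from a single client that uses
// a fresh ?id= each time, and returns how many a 2-per-minute limiter allows.
func Simulate(key func(*http.Request) string, n int) int {
	l := &Limiter{2, time.Minute, map[string]time.Time{}, map[string]int{}}
	allowed := 0
	for i := 0; i < n; i++ {
		r := httptest.NewRequest("GET", fmt.Sprintf("/page?id=%d", i), nil)
		r.RemoteAddr = "203.0.113.7:40000" // constructed sample address
		if l.Allow(key(r), time.Unix(int64(i), 0)) {
			allowed++
		}
	}
	return allowed
}

func main() {
	fmt.Println(Simulate(byQueryID, 50), Simulate(byRemoteIP, 50)) // id key, IP key
}
```

Keyed by the query parameter, every request lands in its own bucket and nothing is throttled; keyed by the remote IP, the same traffic is held to the limit. If the server sits behind a proxy or load balancer, the TCP peer is that proxy, so the real client address has to come from a trusted forwarding configuration instead.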
