Rate Limiting

Rate limiting is a defensive control that restricts how quickly or how often a client can perform requests or actions within defined thresholds.

In plain language, it stops one user, script, or service from retrying the same action over and over or consuming application capacity without restraint.

Why It Matters

Rate limiting matters because many abuse patterns depend on repetition. Brute-force logins, token guessing, scraping, credential attacks, and some denial-of-service behaviors all become easier when requests can be sent as fast as the attacker wants.

It also matters because good rate limiting protects reliability and fairness for legitimate users. Security and availability often meet here: the same control that slows abuse can also help preserve service quality during bursts of unwanted traffic.

Where It Appears in Real Systems or Security Workflow

Rate limiting appears on login endpoints, password-reset flows, public APIs, search functions, web forms, and application gateways. Teams evaluate it as part of API Security, Authentication, Web Application Firewall, and Denial of Service defense.

It also connects to Brute Force Attack, Password Spraying, and Account Lockout because repetitive access patterns are common across identity abuse scenarios.

It is especially valuable where the underlying function is legitimate but repetition creates risk, such as login, account recovery, registration, token exchange, or high-volume data retrieval.

Practical Example

A login service allows only a limited number of failed attempts from the same user and source within a short time window. If the pattern continues, the service slows or temporarily blocks the requests and creates telemetry for investigation. That reduces the speed of abuse while still preserving a manageable experience for legitimate users.
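The login limiter described above, written out as an added example (not code from the original page): failures are counted per user and source inside a sliding window, a temporary block starts once the threshold is exceeded, and each block produces a telemetry event. The policy values, key shape, and event names are assumptions chosen for illustration; time is passed in explicitly so the logic is deterministic.

```python
from collections import defaultdict, deque

# Policy values are constructed for this example; real deployments tune them per endpoint.
MAX_FAILURES = 5       # failed attempts tolerated per (user, source) inside the window
WINDOW_SECONDS = 300   # sliding window over which failures are counted
BLOCK_SECONDS = 900    # length of the temporary block once the threshold is exceeded


class LoginRateLimiter:
    """Sliding-window limiter on *failed* logins, keyed by (username, source IP).

    Successes are never counted, so legitimate users are only affected after
    repeated failures, and a success clears the counter for that key."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS, block=BLOCK_SECONDS):
        self.max_failures, self.window, self.block = max_failures, window, block
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._blocked_until = {}             # key -> time at which the block expires
        self.telemetry = []                  # events handed to monitoring for investigation

    @staticmethod
    def _key(username, source_ip):
        return (username.strip().lower(), source_ip)

    def _emit(self, event, key, now):
        self.telemetry.append({"event": event, "user": key[0], "source": key[1], "ts": now})

    def check(self, username, source_ip, now):
        """Return True if the attempt may be processed, False if it must be refused."""
        key = self._key(username, source_ip)
        until = self._blocked_until.get(key)
        if until is not None and now < until:
            self._emit("login_blocked", key, now)
            return False
        self._blocked_until.pop(key, None)  # block expired (or never existed)
        return True

    def record_failure(self, username, source_ip, now):
        """Count a failed attempt; start a temporary block when the threshold is exceeded."""
        key = self._key(username, source_ip)
        recent = self._failures[key]
        while recent and now - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        recent.append(now)
        if len(recent) > self.max_failures and key not in self._blocked_until:
            self._blocked_until[key] = now + self.block
            self._emit("login_rate_limit_triggered", key, now)

    def record_success(self, username, source_ip):
        """A successful login resets the failure history for this user/source pair."""
        self._failures.pop(self._key(username, source_ip), None)
```

Keying on the user and source pair mirrors the example in the text; production systems usually maintain a per-user counter and a per-source counter alongside it so that one dimension cannot be sidestepped by varying the other, and they persist the counters in shared storage when more than one application instance handles logins.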

Common Misunderstandings and Close Contrasts

Rate limiting is not the same as full attack prevention. It reduces abusive speed and volume, but it does not replace strong authentication, authorization, validation, or fraud detection.

It is also different from capacity scaling. Scaling helps an application survive high traffic, while rate limiting helps shape who can consume resources and how quickly.

It is not always a single global number either. Good implementations often distinguish between different endpoints, identities, client types, or risk levels rather than applying one blunt threshold everywhere.

Knowledge Check

  1. Why is rate limiting useful on login endpoints? Because many identity attacks depend on repeated attempts over a short period.
  2. Is rate limiting a substitute for authentication and authorization? No. It reduces abusive volume but does not replace core security controls.
  3. How is rate limiting different from scaling capacity? Scaling increases how much traffic the system can handle, while rate limiting governs who can use resources and how quickly.