igbuend/limit-request-rate-pattern
skills/limit-request-rate-pattern/SKILL.md
Security pattern for implementing rate limiting and throttling. Use when protecting against brute-force attacks, DoS/DDoS mitigation, preventing resource exhaustion, or limiting API abuse. Addresses "Entity absorbs excessive resources" problem.
$ install --global
skillsauthnpx skillsauth add igbuend/grimbard limit-request-rate-patternInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 5, 2026, 8:19 PM36.9s1 file scanned
SKILL.md
- name:
- limit-request-rate-pattern
- description:
- Security pattern for implementing rate limiting and throttling. Use when protecting against brute-force attacks, DoS/DDoS mitigation, preventing resource exhaustion, or limiting API abuse. Addresses "Entity absorbs excessive resources" problem.
Limit Request Rate Security Pattern
Limits the number of requests an entity can make within a given timeframe, preventing resource exhaustion and brute-force attacks.
Problem Addressed
Entity absorbs excessive resources: An attacker floods the system with requests, either to:
- Exhaust system resources (DoS)
- Brute-force authentication credentials
- Enumerate valid identifiers
- Abuse expensive operations
Core Components
| Role | Type | Responsibility | |------|------|----------------| | Entity | Entity | Makes requests to system | | Enforcer | Enforcement Point | Intercepts and rate-checks requests | | Limiter | Decision Point | Decides if request within limits | | Policy Provider | Information Point | Manages rate limit rules | | History Store | Storage | Tracks request history per entity |
Data Elements
- id: Identifier for the entity (IP, user, API key)
- history: Record of entity's previous requests
- policy: Rules defining allowed request rates
- action: The requested operation
Rate Limiting Flow
Entity → [action] → Enforcer
Enforcer → [check(id)] → Limiter
Limiter → [get_policy(id)] → Policy Provider
Policy Provider → [policy] → Limiter
Limiter → [get_history(id)] → History Store
History Store → [history] → Limiter
Limiter → [allowed/denied] → Enforcer
Enforcer → [action] → System (if allowed)
→ [429 Too Many Requests] → Entity (if denied)
Entity Identification
How to identify entities for rate limiting:
| Identifier | Pros | Cons | |------------|------|------| | IP Address | Simple, no auth needed | NAT/proxy issues, IPv6 abundant | | User/API Key | Accurate per-user | Requires authentication | | Session ID | Works for logged-in users | Session rotation may reset | | Combination | More precise | Complex implementation |
Recommendation: Use multiple identifiers where possible.
Rate Limiting Algorithms
Fixed Window
- Count requests in fixed time periods
- Simple but allows bursts at window boundaries
- Example: 100 requests per minute
Sliding Window
- Rolling time window
- Smoother rate enforcement
- More memory intensive
Token Bucket
- Tokens added at fixed rate
- Request consumes token
- Allows controlled bursts
- Good for APIs
Leaky Bucket
- Requests queued and processed at fixed rate
- Smooths traffic
- May add latency
Policy Configuration
Define policies based on:
- Endpoint sensitivity: Stricter limits on auth endpoints
- User type: Different limits for free vs. paid users
- Operation cost: Stricter limits on expensive operations
- Time of day: Adjusted limits for peak periods
Example policies:
/login: 5 requests per minute per IP
/api/search: 100 requests per minute per API key
/api/export: 10 requests per hour per user
Security Considerations
Authentication Endpoints
- Aggressive rate limiting on login
- Limit by IP AND username
- Exponential backoff after failures
- Consider CAPTCHA after threshold
Distributed Attacks
- Single IP limits insufficient
- Monitor aggregate patterns
- Consider global rate limits
- Use reputation services
Response Headers
Inform clients of limits:
X-RateLimit-Limit: 100
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1640000000
Retry-After: 60
Failure Handling
- Rate limiting infrastructure must be resilient
- Fail-open vs. fail-closed decision
- Don't let rate limiter become DoS vector
Bypass Prevention
- Ensure rate limiter cannot be circumvented
- Apply at edge/gateway level
- Rate limit before expensive operations
Implementation Approaches
Application Level
- Fine-grained control
- Access to user context
- Higher overhead
API Gateway Level
- Central enforcement
- Consistent across services
- May lack context
Infrastructure Level (CDN/WAF)
- Handles volumetric attacks
- Limited application context
- Good first line of defense
Recommendation: Defense in depth—use multiple levels.
Implementation Checklist
- [ ] Authentication endpoints rate limited
- [ ] Limits per IP AND per user where applicable
- [ ] Appropriate algorithm selected
- [ ] Rate limit headers returned
- [ ] 429 responses with Retry-After
- [ ] Limits at multiple levels (app, gateway, CDN)
- [ ] Monitoring and alerting on limits hit
- [ ] Distributed attack patterns detected
- [ ] Expensive operations protected
- [ ] Fail behavior defined
Related Patterns
- Authentication (protect login endpoints)
- Authorisation (rate limit authorization checks)
- Data validation (rate limit before validation)
References
- Source: https://securitypatterns.distrinet-research.be/patterns/02_03_001__limit_request_rate/
- OWASP Rate Limiting
- RFC 6585 (429 Too Many Requests)
Related Skills
igbuend/xss-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for Cross-Site Scripting vulnerabilities (CWE-79). Use when generating or reviewing code that renders HTML, handles user input in web pages, uses innerHTML/document.write, or builds dynamic web content. Covers Reflected, Stored, and DOM-based XSS. AI code has 86% XSS failure rate.
4SKILL.mdUpdated Apr 5, 2026
igbuend/xpath-injection-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for XPath injection vulnerabilities (CWE-643). Use when generating or reviewing code that queries XML documents, constructs XPath expressions, or handles user input in XML operations. Detects unescaped quotes and special characters in XPath queries.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-password-hashing-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak password hashing (CWE-327, CWE-759). Use when generating or reviewing code that stores or verifies user passwords. Detects use of MD5, SHA1, SHA256 without salt, or missing password hashing entirely. Recommends bcrypt, Argon2, or scrypt.
4SKILL.mdUpdated Apr 5, 2026
igbuend/weak-encryption-anti-pattern
development
VerifiedTrustedCommunity
Security anti-pattern for weak encryption (CWE-326, CWE-327). Use when generating or reviewing code that encrypts data, handles encryption keys, or uses cryptographic modes. Detects DES, ECB mode, static IVs, and custom crypto implementations.
4SKILL.mdUpdated Apr 5, 2026