API Rate Limiter
CarterPerez-dev edited this page Feb 11, 2026
Production-ready rate limiting library for FastAPI with three algorithms, three-layer defense, and advanced client fingerprinting.
fastapi-420 is a rate limiting library implementing sliding window, token bucket, and fixed window algorithms with Redis or in-memory storage. Features a three-layer defense system (per-user, per-endpoint, global DDoS protection), advanced client fingerprinting with IPv6 /64 normalization, and atomic Lua scripts for correctness under concurrent load.
Status: Complete | Difficulty: Advanced
| Technology | Version | Purpose |
|---|---|---|
| Python | 3.12+ | Async/await throughout |
| FastAPI | - | ASGI web framework |
| Redis | 7+ | Distributed storage backend |
| Pydantic | v2 | Settings validation |
| Lua scripts | - | Atomic Redis operations |
| Algorithm | Accuracy | Memory | Best For |
|---|---|---|---|
| Sliding Window | 99.997% | Constant | Production default |
| Token Bucket | Exact | Constant | Burst tolerance |
| Fixed Window | ~Exact | Constant | Simple use cases (counts are exact within a window, but a client can send up to 2x the limit by straddling a window boundary) |
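The three algorithms side by side, as an added example that is not part of fastapi-420's own code. Each limiter exposes the same `allow(key, now)` interface with an injected clock, so the fixed-window boundary exploit from the table can be reproduced deterministically: 100 requests 0.1 s before a window edge and 100 more 0.1 s after it. The sliding window here is the constant-memory weighted-counter variant (the previous window's count decays as the current window elapses), which is what the "99.997%" accuracy figure refers to; the class names, the 100-per-60-seconds limits and the `boundary_burst` helper are assumptions made for this illustration.

```python
"""Fixed window vs sliding window counter vs token bucket (added example, not
fastapi-420's code). Each limiter exposes allow(key, now) -> bool with an injected
clock, so the fixed-window boundary burst can be reproduced deterministically."""
from collections import defaultdict


class FixedWindow:
    """One counter per (key, window number); the counter resets abruptly at each edge."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self.counts: dict = defaultdict(int)

    def allow(self, key: str, now: float) -> bool:
        slot = (key, int(now // self.window))
        if self.counts[slot] >= self.limit:
            return False
        self.counts[slot] += 1
        return True


class SlidingWindowCounter:
    """Constant-memory sliding window: the previous window's count is weighted by how
    much of it still overlaps the trailing interval. It is an approximation of a true
    sliding log, but it caps the boundary burst at roughly the limit."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit, self.window = limit, window
        self.counts: dict = defaultdict(int)

    def allow(self, key: str, now: float) -> bool:
        cur = int(now // self.window)
        elapsed = (now - cur * self.window) / self.window  # fraction of current window gone
        estimate = self.counts[(key, cur - 1)] * (1.0 - elapsed) + self.counts[(key, cur)]
        if estimate >= self.limit:
            return False
        self.counts[(key, cur)] += 1
        return True


class TokenBucket:
    """Bucket of `capacity` tokens refilled continuously at `rate` per second; a request
    spends one token. Bursts up to `capacity` are allowed, then traffic is smoothed."""

    def __init__(self, capacity: int, rate: float) -> None:
        self.capacity, self.rate = capacity, rate
        self.state: dict = {}  # key -> (tokens, last_seen)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self.state.get(key, (float(self.capacity), now))
        tokens = min(float(self.capacity), tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.state[key] = (tokens - 1.0 if allowed else tokens, now)
        return allowed


def boundary_burst(limiter, limit: int = 100, window: float = 60.0, key: str = "client-a") -> int:
    """Fire `limit` requests 0.1 s before a window edge and `limit` more 0.1 s after it.
    Returns how many were accepted: anything above `limit` is the boundary exploit."""
    accepted = 0
    for now in (window - 0.1, window + 0.1):
        accepted += sum(limiter.allow(key, now) for _ in range(limit))
    return accepted


if __name__ == "__main__":
    limiters = {
        "fixed window": FixedWindow(100, 60.0),
        "sliding window": SlidingWindowCounter(100, 60.0),
        "token bucket": TokenBucket(100, 100 / 60),
    }
    for name, limiter in limiters.items():
        print(f"{name:15s} accepted {boundary_burst(limiter)} of 200 requests across the edge")
```

Across the edge the fixed window accepts all 200 (the exploit the table warns about), the sliding window counter accepts 101 (the one extra request is the approximation error), and the token bucket accepts exactly 100 because only a third of a token refills in the 0.2 s between the two bursts.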
- Per-User Limits: stop individual abuse
- Per-Endpoint Limits: prevent endpoint-specific attacks
- Global Limits: DDoS protection with circuit breaker
- IP extraction with proxy-aware X-Forwarded-For handling
- IPv6 /64 block normalization (prevents the trivial bypass of rotating through addresses within one /64)
- User-Agent and Accept header analysis
- JWT/API key/session identity extraction
- Composite fingerprinting combining all methods
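The fingerprinting steps above, as an added example written for this page rather than taken from fastapi-420's `fingerprinting/` package. It shows the three checks a practitioner wants to see made explicit: X-Forwarded-For is only believed when the TCP peer is one of our own proxies (otherwise any client can spoof it), IPv6 addresses are bucketed to their /64 (and IPv4-mapped addresses unwrapped) so one host cannot rotate through 2^64 identities, and an authenticated identity takes precedence over network-level signals. The trusted-proxy set, the `id:`/`anon:` key layout and the header names looked up are assumptions.

```python
"""Client fingerprinting helpers (added example, not fastapi-420's code)."""
import hashlib
import ipaddress
from typing import Optional


def client_ip(remote_addr: str, x_forwarded_for: Optional[str], trusted_proxies: set) -> str:
    """Pick the address to rate-limit on.

    X-Forwarded-For is only trusted when the TCP peer is one of our proxies; we then walk
    the header right-to-left (proxies append) and stop at the first hop that is not ours.
    A direct connection, or a client that sent its own XFF, is keyed on the peer address.
    """
    if remote_addr not in trusted_proxies or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            # Unparseable hop from a trusted proxy: collapse to the proxy address.
            # That over-limits everyone behind it rather than letting garbage escape limits.
            return remote_addr
        if hop not in trusted_proxies:
            return hop
    return remote_addr  # every hop was one of ours; nothing external to name


def normalize_ip(ip: str) -> str:
    """Bucket an address the way the limiter should key on it.

    IPv6 clients routinely hold a whole /64, so a per-address key lets one host rotate
    through 2**64 identities; keying on the /64 closes that. IPv4-mapped IPv6 addresses
    are unwrapped so ::ffff:a.b.c.d and a.b.c.d share a key.
    """
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = 64 if addr.version == 6 else 32
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def composite_key(remote_addr: str, headers: dict, trusted_proxies: set,
                  identity: Optional[str] = None) -> str:
    """Authenticated callers are limited by who they are (JWT subject, API key id, session);
    everyone else by a hash of (/64 or /32 block, User-Agent, Accept)."""
    if identity:
        return f"id:{identity}"
    ip = client_ip(remote_addr, headers.get("x-forwarded-for"), trusted_proxies)
    material = "|".join([normalize_ip(ip), headers.get("user-agent", ""), headers.get("accept", "")])
    return "anon:" + hashlib.sha256(material.encode()).hexdigest()[:16]


if __name__ == "__main__":
    # Constructed sample requests; 10.0.0.4/10.0.0.5 play the role of our reverse proxies.
    TRUSTED = {"10.0.0.4", "10.0.0.5"}
    H = {"user-agent": "curl/8.0", "accept": "*/*"}
    print(client_ip("10.0.0.5", "198.51.100.9, 10.0.0.4", TRUSTED))   # 198.51.100.9
    print(client_ip("203.0.113.7", "198.51.100.9", TRUSTED))          # 203.0.113.7 (spoofed XFF ignored)
    print(normalize_ip("2001:db8:1:2:3:4:5:6"))                        # 2001:db8:1:2::/64
    print(composite_key("2001:db8:1:2::1", H, TRUSTED) ==
          composite_key("2001:db8:1:2:ffff::9", H, TRUSTED))           # True: same /64, same key
```

When `TRUST_X_FORWARDED_FOR` is enabled, the trusted-proxy set is what makes it safe: without it, a client sending `X-Forwarded-For: 1.2.3.4` would be keyed on an address it chose.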
```http
HTTP/1.1 420 Enhance Your Calm
Retry-After: 42
RateLimit-Limit: 100
RateLimit-Remaining: 0
RateLimit-Reset: 1706900000
```
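The three-layer defense and the 420 response above, wired together as an added example in plain ASGI (no FastAPI dependency, so it runs stand-alone); this is illustration code, not fastapi-420's `middleware.py` or `layers.py`. Layers are checked in the order user, endpoint, global, and the first layer over its limit answers 420 with `Retry-After` and the `RateLimit-*` headers. Tripping the global layer opens a circuit breaker that sheds all traffic for a configurable period without touching storage at all. The tiny fixed-window counter is a stand-in for the project's algorithms, the client address stands in for the composite fingerprint, and the limits in the scenario (3 per user, 5 per endpoint, 8 global, per 60 s) are assumptions chosen so every layer trips in turn.

```python
"""Three-layer rate limiting as a pure-ASGI middleware (added example, not fastapi-420's code)."""
import asyncio
import math
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    name: str      # layer name; also namespaces the counter keys
    limit: int     # requests allowed per window
    window: float  # window length in seconds


class FixedWindowCounter:
    """Minimal per-key fixed-window counter; rejected attempts are counted too."""

    def __init__(self) -> None:
        self.counts: dict = {}

    def hit(self, limit: Limit, key: str, now: float):
        """Record one attempt; return (allowed, remaining, window_reset_epoch)."""
        win = int(now // limit.window)
        slot = (limit.name, key, win)
        n = self.counts[slot] = self.counts.get(slot, 0) + 1
        return n <= limit.limit, max(limit.limit - n, 0), (win + 1) * limit.window


class RateLimitMiddleware:
    def __init__(self, app, user: Limit, endpoint: Limit, global_: Limit,
                 clock=time.time, breaker_open_for: float = 30.0) -> None:
        self.app, self.clock = app, clock
        self.user, self.endpoint, self.global_ = user, endpoint, global_
        self.breaker_open_for, self.breaker_open_until = breaker_open_for, 0.0
        self.counter = FixedWindowCounter()

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            await self.app(scope, receive, send)
            return
        now = self.clock()
        if now < self.breaker_open_until:  # breaker open: fail fast, no counter work
            await self._reject(send, self.global_, now, self.breaker_open_until)
            return
        client = scope["client"][0]  # stand-in for the composite fingerprint
        layers = [(self.user, client), (self.endpoint, scope["path"]), (self.global_, "*")]
        for limit, key in layers:
            allowed, _remaining, reset = self.counter.hit(limit, key, now)
            if not allowed:
                if limit is self.global_:  # global layer tripped: open the breaker
                    self.breaker_open_until = now + self.breaker_open_for
                await self._reject(send, limit, now, reset)
                return
        await self.app(scope, receive, send)

    async def _reject(self, send, limit: Limit, now: float, reset: float) -> None:
        retry_after = max(math.ceil(reset - now), 1)
        headers = [
            (b"content-type", b"text/plain"),
            (b"retry-after", str(retry_after).encode()),
            (b"ratelimit-limit", str(limit.limit).encode()),
            (b"ratelimit-remaining", b"0"),
            (b"ratelimit-reset", str(int(reset)).encode()),
        ]
        await send({"type": "http.response.start", "status": 420, "headers": headers})
        await send({"type": "http.response.body", "body": b"Enhance Your Calm"})


async def ok_app(scope, receive, send):
    """Downstream app that always answers 200."""
    await send({"type": "http.response.start", "status": 200, "headers": []})
    await send({"type": "http.response.body", "body": b"ok"})


def run_requests(mw: RateLimitMiddleware, requests):
    """Drive the middleware with constructed ASGI scopes. `requests` is a list of
    (path, client_ip, timestamp); returns (status, headers) for each one."""
    async def one(path, ip, now):
        mw.clock = lambda: now
        sent = []

        async def send(msg):
            sent.append(msg)

        async def receive():
            return {"type": "http.request", "body": b"", "more_body": False}

        scope = {"type": "http", "method": "POST", "path": path, "headers": [], "client": (ip, 40000)}
        await mw(scope, receive, send)
        start = next(m for m in sent if m["type"] == "http.response.start")
        return start["status"], {k.decode(): v.decode() for k, v in start["headers"]}

    async def drive():
        return [await one(*req) for req in requests]

    return asyncio.run(drive())


# Constructed scenario: alice trips the user layer, carol the endpoint layer, frank the
# global layer (which opens the breaker), and the last request is shed by the breaker.
SCENARIO = [
    ("/auth/login", "10.0.0.1", 0.0), ("/auth/login", "10.0.0.1", 1.0), ("/auth/login", "10.0.0.1", 2.0),
    ("/auth/login", "10.0.0.1", 3.0),                                     # 4th in 60 s: user layer
    ("/auth/login", "10.0.0.2", 4.0), ("/auth/login", "10.0.0.2", 5.0),
    ("/auth/login", "10.0.0.3", 6.0),                                     # 6th hit on the endpoint
    ("/other", "10.0.0.3", 7.0), ("/other", "10.0.0.4", 8.0), ("/other", "10.0.0.5", 9.0),
    ("/other", "10.0.0.6", 10.0),                                         # 9th accepted overall
    ("/other", "10.0.0.7", 11.0),                                         # breaker is open
]


def demo():
    mw = RateLimitMiddleware(ok_app, Limit("user", 3, 60.0), Limit("endpoint", 5, 60.0),
                             Limit("global", 8, 60.0), breaker_open_for=30.0)
    return run_requests(mw, SCENARIO)


if __name__ == "__main__":
    for (path, ip, t), (status, headers) in zip(SCENARIO, demo()):
        print(f"t={t:4.0f} {ip:9s} {path:12s} -> {status} {headers if status == 420 else ''}")
```

The breaker branch answers before any counter is touched, which is the point of the global layer: under a flood the cost of a rejected request must be near zero, and `Retry-After` tells well-behaved clients when the breaker closes.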
- GitHub 1.35 Tbps DDoS (2018): rate limiting enabled 10-minute recovery
- Dunkin' Donuts credential stuffing (2019): login rate limits block this
- PS5 scalper bots (2020): checkout rate limits for fair access
```
               Incoming Request
                       │
┌─────────────────────────────────────────────┐
│       ASGI Middleware (middleware.py)       │
└──────────────────────┬──────────────────────┘
                       │
┌──────────────────────┴──────────────────────┐
│    Client Fingerprinting (composite.py)     │
│    IP + Headers + Auth -> Composite Key     │
└──────────────────────┬──────────────────────┘
                       │
┌──────────────────────┴──────────────────────┐
│       Three-Layer Defense (layers.py)       │
│ User Layer -> Endpoint Layer -> Global Layer│
└──────────────────────┬──────────────────────┘
                       │
┌──────────────┬───────┴───────┬──────────────┐
│   Sliding    │     Token     │    Fixed     │
│   Window     │    Bucket     │    Window    │
└──────┬───────┴───────┬───────┴──────┬───────┘
       └───────────────┼──────────────┘
                       │
        ┌──────────────┼──────────────┐
        │    Redis     │  In-Memory   │
        │   Backend    │   Backend    │
        │ (Lua atomic) │  (asyncio)   │
        └──────────────┴──────────────┘
```
```bash
cd PROJECTS/advanced/api-rate-limiter

# Install dependencies
uv sync

# Optional: start Redis
docker run -d -p 6379:6379 redis:7-alpine

# Run the example app
uv run python examples/app.py

# Test rate limiting
curl http://localhost:8000/auth/login -X POST -d "username=test&password=test"
# After 3 requests: HTTP/1.1 420 Enhance Your Calm
```

```bash
# Redis (production)
REDIS_URL=redis://localhost:6379

# Fall back to in-memory storage when Redis is unavailable
# (note: in-memory counters are per process, so limits are no longer shared across instances)
FALLBACK_TO_MEMORY=True

# Trust proxy headers
# (only enable behind a proxy you control; otherwise clients can spoof X-Forwarded-For and pick their own rate-limit key)
TRUST_X_FORWARDED_FOR=True

# Circuit breaker threshold
CIRCUIT_THRESHOLD=1000
```

```
api-rate-limiter/
├── src/fastapi_420/
│   ├── algorithms/            # Rate limiting algorithms
│   │   ├── sliding_window.py
│   │   ├── token_bucket.py
│   │   └── fixed_window.py
│   ├── storage/               # Storage backends
│   │   ├── memory.py          # In-memory (single instance)
│   │   ├── redis_backend.py   # Redis (distributed)
│   │   └── lua/               # Atomic Lua scripts
│   ├── fingerprinting/        # Client identification
│   │   ├── ip.py              # IP + IPv6 /64 normalization
│   │   ├── headers.py         # User-Agent, Accept-*
│   │   ├── auth.py            # JWT, API keys, sessions
│   │   └── composite.py       # Combined fingerprint
│   ├── defense/               # Multi-layer protection
│   │   ├── layers.py          # User/Endpoint/Global limits
│   │   └── circuit_breaker.py
│   ├── limiter.py             # Main RateLimiter class
│   ├── middleware.py          # ASGI middleware
│   ├── dependencies.py        # FastAPI dependency injection
│   ├── config.py              # Pydantic settings
│   └── types.py               # Data structures
├── examples/
│   └── app.py                 # Full working example
└── tests/
```
```bash
# Run tests
uv run pytest tests/ -v

# Linting
uv run ruff check .

# Type checking
uv run mypy src/

# Format
uv run ruff format .
```

© AngelaMos | CertGames.com | CarterPerez-dev | 2026