Rate Limiter Config

Rate Limiting Best Practices

• Use stricter limits for authentication endpoints (5-10 per 15 min)
• Allow higher limits for read-only API endpoints (100-1000 per 15 min)
• Use Redis store in production for multi-instance deployments
• Return Retry-After header so clients know when to retry
• Consider IP-based and user-based rate limiting together
• Whitelist trusted IPs (monitoring, internal services)