Rate Limit Analyzer

Configuration Name: RateLimit

Description

The RateLimit analyzer performs an analysis that checks for proper use of rate limiting headers (x-rate-limit-limit, x-rate-limit-remaining, x-rate-limit-reset) in an HTTP response. A finding is reported when a response for an operation does not contain rate limiting headers or does not properly update the values of the headers.
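To make the check concrete, here is an added Python example (not the analyzer's own code) that applies the same rules to a constructed sequence of response headers for one operation: it reports headers that are missing or non-numeric, a remaining count outside 0..limit, and a remaining count that fails to decrease between consecutive responses in the same window. It assumes that x-rate-limit-reset identifies the window (for example, the epoch time at which the window ends), so a changed reset value is treated as a fresh window.

```python
# Added example: a minimal rate-limit header analyzer for one API operation.
REQUIRED = ("x-rate-limit-limit", "x-rate-limit-remaining", "x-rate-limit-reset")

def _norm(headers):
    """Lower-case header names so the check is case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}

def analyze_rate_limit(responses):
    """Return a list of finding strings for consecutive responses to one operation."""
    findings = []
    prev = None  # (limit, remaining, reset) of the previous well-formed response
    for i, headers in enumerate(responses):
        h = _norm(headers)
        missing = [n for n in REQUIRED if n not in h]
        if missing:
            findings.append(f"response {i}: missing rate limit header(s): {', '.join(missing)}")
            prev = None
            continue
        try:
            limit = int(h["x-rate-limit-limit"])
            remaining = int(h["x-rate-limit-remaining"])
            reset = int(h["x-rate-limit-reset"])
        except ValueError:
            findings.append(f"response {i}: non-integer rate limit header value")
            prev = None
            continue
        if not 0 <= remaining <= limit:
            findings.append(f"response {i}: remaining {remaining} outside 0..{limit}")
        if prev is not None:
            _, p_remaining, p_reset = prev
            # Assumption: same reset value means same window, so remaining must drop.
            if reset == p_reset and remaining >= p_remaining:
                findings.append(
                    f"response {i}: x-rate-limit-remaining did not decrease "
                    f"({p_remaining} -> {remaining})")
        prev = (limit, remaining, reset)
    return findings

# Constructed sample header sequences (not captured from any real service).
GOOD = [
    {"X-Rate-Limit-Limit": "100", "X-Rate-Limit-Remaining": "99", "X-Rate-Limit-Reset": "1700000060"},
    {"X-Rate-Limit-Limit": "100", "X-Rate-Limit-Remaining": "98", "X-Rate-Limit-Reset": "1700000060"},
    {"X-Rate-Limit-Limit": "100", "X-Rate-Limit-Remaining": "100", "X-Rate-Limit-Reset": "1700000120"},
]
STALE = [  # headers present but never updated between requests
    {"x-rate-limit-limit": "100", "x-rate-limit-remaining": "99", "x-rate-limit-reset": "1700000060"},
    {"x-rate-limit-limit": "100", "x-rate-limit-remaining": "99", "x-rate-limit-reset": "1700000060"},
]
MISSING = [{"Content-Type": "application/json"}]

if __name__ == "__main__":
    for name, seq in (("GOOD", GOOD), ("STALE", STALE), ("MISSING", MISSING)):
        print(name, analyze_rate_limit(seq) or "no findings")
```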

Background

API requests serviced by an application consume resources such as CPU, memory, network, and storage. The amount of resources used depends heavily on how the application is implemented, and concurrent client requests increase the demand on those resources. An API is vulnerable to this class of attack if it does not implement any resource constraints or rate limiting on the operations it serves.

A malicious attack can severely affect the service's KPIs and SLAs by exploiting a lack of rate limiting. An attacker may also piggyback on this weakness to exploit other vulnerabilities, such as Broken User Authentication, that require a large number of requests.

Remedy

The API should implement rate limiting and return valid rate limit headers.

Faults Reported

Fault Identifier: CWE-400
Title: Uncontrolled Resource Consumption
Summary: Application does not implement throttling for the rate of requests that a client may issue.
Solution: Implement request rate limiting in the application.
Severity: medium, low

References