Rate Limiting & Throttling Middleware in ASP.NET Core
Concept Name
Rate Limiting Middleware
Quick Intro
Rate limiting restricts how often a user or client can hit your API in a given period. ASP.NET Core 7+ includes built-in middleware for this to help prevent abuse and ensure fair usage.
Analogy / Short Story
Imagine a toll booth where cars pass through one by one. If too many arrive too quickly, they're held in a queue. Rate limiting is like that toll gate: it controls traffic and avoids jams or abuse.
Technical Explanation
ASP.NET Core 7 introduced built-in middleware via Microsoft.AspNetCore.RateLimiting. It supports multiple algorithms like:
- Fixed Window: X requests per time window
- Sliding Window: Rolling period calculation
- Token Bucket: Tokens refill over time
- Concurrency Limit: Limits simultaneous requests
Policies are defined in Program.cs and applied globally or per-endpoint using [EnableRateLimiting("policyName")].
Purpose & Use Case
- Prevent DoS or brute-force attacks
- Ensure fair usage across clients
- Limit costly operations (file uploads, DB hits)
- Reduce backend load and improve stability
Real Code Example
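// Program.cs (.NET 7+)
using System.Threading.RateLimiting;      // QueueProcessingOrder
using Microsoft.AspNetCore.RateLimiting;  // AddFixedWindowLimiter

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRateLimiter(options =>
{
    options.AddFixedWindowLimiter("fixed", config =>
    {
        config.Window = TimeSpan.FromSeconds(10);  // length of each window
        config.PermitLimit = 5;                    // requests allowed per window
        config.QueueLimit = 2;                     // extra requests held in the queue
        config.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
    });
});

var app = builder.Build();

// Enable the middleware so endpoint policies are enforced
app.UseRateLimiter();

app.MapGet("/api/data", () => "Throttled endpoint")
   .RequireRateLimiting("fixed");

app.Run();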
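The "fixed" policy above keeps one counter shared by every caller of the endpoint, so a single noisy client can use up the limit for everyone. The following is an added example, not part of the original page, that partitions the same fixed window per client and returns 429 with Retry-After instead of the default 503; the policy name "per-client", the partition-key choice and the logger category are assumptions, and implicit usings of the Web SDK are assumed.

```csharp
using System.Globalization;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddRateLimiter(options =>
{
    // Default rejection status is 503; 429 tells clients they are being throttled.
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // "per-client" is a hypothetical policy name. Each key gets its own counter.
    options.AddPolicy<string>("per-client", httpContext =>
    {
        // Assumption: key on the authenticated user name, else the remote IP.
        // Behind a reverse proxy, RemoteIpAddress is the proxy's address unless
        // forwarded-headers handling is configured for trusted proxies only.
        string key = httpContext.User.Identity?.Name is { Length: > 0 } name
            ? "user:" + name
            : "ip:" + (httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown");

        return RateLimitPartition.GetFixedWindowLimiter(key, _ => new FixedWindowRateLimiterOptions
        {
            Window = TimeSpan.FromSeconds(10),
            PermitLimit = 5,
            QueueLimit = 0 // reject at once rather than holding connections open
        });
    });

    // Runs for every rejected request: tell the client when to retry, and log it.
    options.OnRejected = (context, _) =>
    {
        if (context.Lease.TryGetMetadata(MetadataName.RetryAfter, out TimeSpan retryAfter))
        {
            context.HttpContext.Response.Headers.RetryAfter =
                ((int)retryAfter.TotalSeconds).ToString(NumberFormatInfo.InvariantInfo);
        }
        context.HttpContext.RequestServices.GetRequiredService<ILoggerFactory>()
            .CreateLogger("RateLimiting") // hypothetical category name
            .LogWarning("Rate limit rejected {Path} from {Client}",
                context.HttpContext.Request.Path, context.HttpContext.Connection.RemoteIpAddress);
        return ValueTask.CompletedTask;
    };
});

var app = builder.Build();
app.UseRateLimiter();
app.MapGet("/api/data", () => "Throttled endpoint").RequireRateLimiting("per-client");
app.Run();
```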
Interview Q&A
Q1: What is rate limiting?
A: Controlling how many requests a client can make within a timeframe.
Q2: When was rate limiting introduced in .NET?
A: In ASP.NET Core 7.0
Q3: Name a common algorithm used?
A: Fixed Window
Q4: How do you apply rate limiting to an endpoint?
A: Use .RequireRateLimiting("policyName")
Q5: Can you limit concurrency instead of rate?
A: Yes, via concurrency limiter
Q6: Where do you configure rate limit policies?
A: In builder.Services.AddRateLimiter()
Q7: How to handle rejected requests?
A: Use a RejectionStatusCode and middleware
Q8: Can you queue extra requests?
A: Yes, by setting QueueLimit
Q9: Is it possible to apply globally?
A: Yes, by adding rate limiting middleware before routing
Q10: What is the default HTTP status for limit reached?
A: 503 (Service Unavailable)
MCQs
Q1: Which version introduced rate limiting middleware?
- A. .NET 5
- B. .NET 6
- C. .NET 7
- D. .NET Framework 4.8
Q2: What class is used to configure rate limiters?
- A. AddThrottling()
- B. AddRateLimiter()
- C. AddMiddleware()
- D. RateLimitBuilder()
Q3: What is the default HTTP status code when rate limit is hit?
- A. 200
- B. 400
- C. 401
- D. 503
Q4: Which of these is NOT a rate limiter type?
- A. Token Bucket
- B. Memory Cache
- C. Fixed Window
- D. Concurrency
Q5: Where do you define rate limiting policies?
- A. appsettings.json
- B. Program.cs
- C. web.config
- D. Startup.cs only
Bonus Insight
Rate limiting is especially critical for public APIs and microservices. Combine it with API keys, authentication, and logging for full production-ready protection.