Rate limiting cap the number of requests coming in from a certain IP in a specified duration. Further responses will get an HTTP 429 - Too many requests, .
The following configuration disallows an IP from calling any specific route more than 4 times every 1000 milliseconds (1 second). Since this is defined globally, all routes will have rate limiting applied.
You can define it for a specific route too. In the following example GET /users cannot be called more than 4 times every second.
Rate Limiting State Management
Rate Limiting requires request counts to be stored somewhere - the options available currently are in-memory and Redis. For production, you should always be using Redis for storing state. In-memory state exists primarily for development workflows. The default is in-memory state.
To store state in redis:
To store the state in memory, can leave the 'state' field undefined. However, if you want to be more explicit about it: