$ lexprog.com

// notes from an old coder -- php, databases, and the occasional rant

[April 30, 2026] Laravel

Laravel Rate Limiting: Throttling Requests

Laravel Rate Limiting: Throttling Requests

────────────────────────────────────────────────────────

Laravel Rate Limiting: Throttling Requests

Tip: Built-in Rate Limiter

Route::middleware('throttle:60,1')->group(function () {
    // 60 requests per minute
});

Gotcha: Rate Limiter by User

RateLimiter::for('api', function (Request $request) {
    return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
});

Different limits for authenticated vs anonymous users.

Tip: Custom Rate Limiter Response

return Limit::perMinute(60)->response(function (Request $request, array $headers) {
    return response('Too many attempts', 429);
});

Gotcha: Rate Limiter Uses Cache

If your cache driver is slow, rate limiting adds overhead. Use Redis for production.

Tip: Multiple Limits

return [
    Limit::perMinute(60),
    Limit::perHour(1000)->by($request->user()->id),
];

Both limits apply — whichever hits first blocks the request.

Gotcha: tooManyAttempts() Check

if (RateLimiter::tooManyAttempts($key, 60)) {
    $seconds = RateLimiter::availableIn($key);
}

Tip: Use route:cache Carefully

php artisan route:cache is fast, but it doesn't work with closure-based routes. Every time you cache routes, Laravel serializes them. If you have Route::redirect() or closure callbacks, the cache breaks. Stick to controller-based routes in production.

Tip: Model APP_KEY Rotation

Rotating APP_KEY invalidates all encrypted data — cookies, encrypted DB columns, and password reset tokens. If you must rotate (e.g., after a leak), plan a migration that re-encrypts existing data with the new key.

Gotcha: Local Scope Leaks

Global scopes defined in booted() apply to ALL queries on that model — including relationships. An innocent User::all() in admin panel might exclude soft-deleted users if a global scope is active.

Senior Insight

Rate limiting is often implemented as an afterthought, and it shows. I've audited APIs where the rate limiter counted requests globally instead of per-user, meaning one aggressive client could exhaust the shared limit and block everyone. Always scope rate limiters to the authenticated user or IP, and always return meaningful Retry-After headers so clients can back off gracefully instead of retrying blindly.

Source: Laravel News (https://laravel-news.com/), Freek.dev (https://freek.dev/tags/laravel), Spatie Blog (https://spatie.be/blog)

────────────────────────────────────────────────────────
<-- back to posts