| 1 | +--- |
| 2 | +title: Rate limiting middleware samsples |
| 3 | +author: rick-anderson |
| 4 | +ms.author: riande |
| 5 | +monikerRange: '>= aspnetcore-7.0' |
| 6 | +description: Samples for using ASP.NET rate limitng middleware |
| 7 | +ms.custom: mvc |
| 8 | +ms.date: 03/05/2025 |
| 9 | +uid: performance/rate-limit-sample |
| 10 | +--- |
| 11 | + |
| 12 | +# Rate limiter samples |
| 13 | + |
| 14 | +The following samples aren't production quality, they're examples on how to use the limiters. |
| 15 | + |
| 16 | +### Limiter with `OnRejected`, `RetryAfter`, and `GlobalLimiter` |
| 17 | + |
| 18 | +The following sample: |
| 19 | + |
| 20 | +* Creates a <xref:Microsoft.AspNetCore.RateLimiting.RateLimiterOptions.OnRejected%2A?displayProperty=nameWithType> callback that's called when a request exceeds the specified limit. `retryAfter` can be used with the <xref:System.Threading.RateLimiting.TokenBucketRateLimiter>, [Fixed Window Limiter](xref:Microsoft.AspNetCore.RateLimiting.RateLimiterOptionsExtensions.AddFixedWindowLimiter%2A), and [Sliding Window Limiter](xref:Microsoft.AspNetCore.RateLimiting.RateLimiterOptionsExtensions.AddSlidingWindowLimiter%2A) because these algorithms are able to estimate when more permits are added. The <xref:System.Threading.RateLimiting.ConcurrencyLimiter> has no way of calculating when permits are available. |
| 21 | +* Adds the following limiters: |
| 22 | + |
| 23 | + * A `SampleRateLimiterPolicy` that implements the <xref:Microsoft.AspNetCore.RateLimiting.IRateLimiterPolicy%601> interface. The `SampleRateLimiterPolicy` class is shown later in this article. |
| 24 | + * A `SlidingWindowLimiter`: |
| 25 | + * With a partition for each authenticated user. |
| 26 | + * One shared partition for all anonymous users. |
| 27 | + * A <xref:Microsoft.AspNetCore.RateLimiting.RateLimiterOptions.GlobalLimiter> that's applied to all requests. The global limiter is executed first, followed by the endpoint-specific limiter, if one exists. The `GlobalLimiter` creates a partition for each <xref:System.Net.IPAddress>. |
| 28 | + |
| 29 | +:::code language="csharp" source="~/../AspNetCore.Docs.Samples/fundamentals/middleware/rate-limit/WebRateLimitAuth/Program.cs" id="snippet_1"::: |
| 30 | + |
| 31 | +> [!WARNING] |
| 32 | +> Creating partitions on client IP addresses makes the app vulnerable to Denial of Service Attacks which employ IP Source Address Spoofing. For more information, see [BCP 38 RFC 2827 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing](https://www.rfc-editor.org/info/bcp38). |
| 33 | +
|
| 34 | +For the complete `Program.cs` file, see [the samples repository](https://github.com/dotnet/AspNetCore.Docs.Samples/blob/main/fundamentals/middleware/rate-limit/WebRateLimitAuth/Program.cs). |
| 35 | + |
| 36 | +[!INCLUDE[](~/includes/aspnetcore-repo-ref-source-links.md)] |
| 37 | + |
| 38 | +The `SampleRateLimiterPolicy` class |
| 39 | + |
| 40 | +:::code language="csharp" source="~/../AspNetCore.Docs.Samples/fundamentals/middleware/rate-limit/WebRateLimitAuth/SampleRateLimiterPolicy.cs" id="snippet_1"::: |
| 41 | + |
| 42 | +In the preceding code, <xref:Microsoft.AspNetCore.RateLimiting.RateLimiterOptions.OnRejected> uses <xref:Microsoft.AspNetCore.RateLimiting.OnRejectedContext> to set the response status to [429 Too Many Requests](https://developer.mozilla.org/docs/Web/HTTP/Status/429). The default rejected status is [503 Service Unavailable](https://developer.mozilla.org/docs/Web/HTTP/Status/503). |
| 43 | + |
| 44 | +### Limiter with authorization |
| 45 | + |
| 46 | +The following sample uses JSON Web Tokens (JWT) and creates a partition with the JWT [access token](https://github.com/dotnet/aspnetcore/blob/fd1891536f27e959d14a140ff9307b6a21191de9/src/Security/Authentication/JwtBearer/src/JwtBearerHandler.cs#L152-L158). In a production app, the JWT would typically be provided by a server acting as a Security token service (STS). For local development, the dotnet [user-jwts](xref:security/authentication/jwt) command line tool can be used to create and manage app-specific local JWTs. |
| 47 | + |
| 48 | +:::code language="csharp" source="~/../AspNetCore.Docs.Samples/fundamentals/middleware/rate-limit/WebRateLimitAuth/Program.cs" id="snippet_jwt"::: |
| 49 | + |
| 50 | +### Limiter with `ConcurrencyLimiter`, `TokenBucketRateLimiter`, and authorization |
| 51 | + |
| 52 | +The following sample: |
| 53 | + |
| 54 | +* Adds a `ConcurrencyLimiter` with a policy name of `"get"` that is used on the Razor Pages. |
| 55 | +* Adds a `TokenBucketRateLimiter` with a partition for each authorized user and a partition for all anonymous users. |
| 56 | +* Sets [RateLimiterOptions.RejectionStatusCode](xref:Microsoft.AspNetCore.RateLimiting.RateLimiterOptions.RejectionStatusCode) to [429 Too Many Requests](https://developer.mozilla.org/docs/Web/HTTP/Status/429). |
| 57 | + |
| 58 | +:::code language="csharp" source="~/../AspNetCore.Docs.Samples/fundamentals/middleware/rate-limit/WebRateLimitAuth/Program.cs" id="snippet_adm2"::: |
| 59 | + |
| 60 | +See [the samples repository for the complete `Program.cs`](https://github.com/dotnet/AspNetCore.Docs.Samples/blob/main/fundamentals/middleware/rate-limit/WebRateLimitAuth/Program.cs#L145,L281) file. |
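Review bot: The front matter has two typos that will surface in the rendered page title and search metadata: `title: Rate limiting middleware samsples` should read `samples`, and `description: Samples for using ASP.NET rate limitng middleware` should read `limiting`. A few smaller points in the same hunk: the heading hierarchy jumps from `# Rate limiter samples` straight to `### Limiter with ...` with no `##` level, which breaks the generated table of contents; the sentence "The following samples aren't production quality, they're examples on how to use the limiters." is a comma splice (a semicolon or a full stop after "quality" fixes it); the lead-in "The `SampleRateLimiterPolicy` class" has no terminating colon before the snippet include; the paragraph beginning "In the preceding code, <xref:...OnRejected> uses ..." directly follows the `SampleRateLimiterPolicy.cs` snippet, yet `OnRejected` is described earlier as part of the `Program.cs` `snippet_1`, so either move that paragraph under the `Program.cs` snippet or name the file it refers to; and the final link anchor `Program.cs#L145,L281` should be `Program.cs#L145-L281`, since GitHub line ranges use a hyphen and the comma form only highlights a single line.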