| 1 | +--- |
| 2 | +title: Rate limiting middleware samsples |
| 3 | +author: rick-anderson |
| 4 | +ms.author: riande |
| 5 | +monikerRange: '>= aspnetcore-7.0' |
| 6 | +description: Samples for using ASP.NET rate limitng middleware |
| 7 | +ms.custom: mvc |
| 8 | +ms.date: 03/05/2025 |
| 9 | +uid: performance/rate-limit |
| 10 | +--- |
| 11 | + |
| 12 | +# Rate limiter samples |
| 13 | + |
| 14 | +The following samples aren't meant for production code but are examples on how to use the limiters. |
| 15 | + |
| 16 | +### Limiter with `OnRejected`, `RetryAfter`, and `GlobalLimiter` |
| 17 | + |
| 18 | +The following sample: |
| 19 | + |
| 20 | +* Creates a [RateLimiterOptions.OnRejected](xref:Microsoft.AspNetCore.RateLimiting.RateLimiterOptions.OnRejected) callback that is called when a request exceeds the specified limit. `retryAfter` can be used with the [TokenBucketRateLimiter](/dotnet/api/system.threading.ratelimiting.tokenbucketratelimiter), [FixedWindowLimiter](/dotnet/api/microsoft.aspnetcore.ratelimiting.ratelimiteroptionsextensions.addfixedwindowlimiter), and [SlidingWindowLimiter](/dotnet/api/microsoft.aspnetcore.ratelimiting.ratelimiteroptionsextensions.addslidingwindowlimiter) because these algorithms are able to estimate when more permits will be added. The `ConcurrencyLimiter` has no way of calculating when permits will be available. |
| 21 | +* Adds the following limiters: |
| 22 | + |
| 23 | + * A `SampleRateLimiterPolicy` which implements the `IRateLimiterPolicy<TPartitionKey>` interface. The `SampleRateLimiterPolicy` class is shown later in this article. |
| 24 | + * A `SlidingWindowLimiter`: |
| 25 | + * With a partition for each authenticated user. |
| 26 | + * One shared partition for all anonymous users. |
| 27 | + * A <xref:Microsoft.AspNetCore.RateLimiting.RateLimiterOptions.GlobalLimiter> that is applied to all requests. The global limiter will be executed first, followed by the endpoint-specific limiter, if one exists. The `GlobalLimiter` creates a partition for each <xref:System.Net.IPAddress>. |
| 28 | + |
| 29 | +:::code language="csharp" source="~/../AspNetCore.Docs.Samples/fundamentals/middleware/rate-limit/WebRateLimitAuth/Program.cs" id="snippet_1"::: |
| 30 | + |
| 31 | +> [!WARNING] |
| 32 | +>Creating partitions on client IP addresses makes the app vulnerable to Denial of Service Attacks which employ IP Source Address Spoofing. For more information, see [BCP 38 RFC 2827 Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing](https://www.rfc-editor.org/info/bcp38). |
| 33 | +
|
| 34 | +See [the samples repository for the complete `Program.cs`](https://github.com/dotnet/AspNetCore.Docs.Samples/blob/main/fundamentals/middleware/rate-limit/WebRateLimitAuth/Program.cs#L145,L281) file. |
| 35 | + |
| 36 | +The `SampleRateLimiterPolicy` class |
| 37 | + |
| 38 | +:::code language="csharp" source="~/../AspNetCore.Docs.Samples/fundamentals/middleware/rate-limit/WebRateLimitAuth/SampleRateLimiterPolicy.cs" id="snippet_1"::: |
| 39 | + |
| 40 | +In the preceding code, <xref:Microsoft.AspNetCore.RateLimiting.RateLimiterOptions.OnRejected> uses <xref:Microsoft.AspNetCore.RateLimiting.OnRejectedContext> to set the response status to [429 Too Many Requests](https://developer.mozilla.org/docs/Web/HTTP/Status/429). The default rejected status is [503 Service Unavailable](https://developer.mozilla.org/docs/Web/HTTP/Status/503). |
| 41 | + |
| 42 | +### Limiter with authorization |
| 43 | + |
| 44 | +The following sample uses JSON Web Tokens (JWT) and creates a partition with the JWT [access token](https://github.com/dotnet/aspnetcore/blob/fd1891536f27e959d14a140ff9307b6a21191de9/src/Security/Authentication/JwtBearer/src/JwtBearerHandler.cs#L152-L158). In a production app, the JWT would typically be provided by a server acting as a Security token service (STS). For local development, the dotnet [user-jwts](xref:security/authentication/jwt) command line tool can be used to create and manage app-specific local JWTs. |
| 45 | + |
| 46 | +:::code language="csharp" source="~/../AspNetCore.Docs.Samples/fundamentals/middleware/rate-limit/WebRateLimitAuth/Program.cs" id="snippet_jwt"::: |
| 47 | + |
| 48 | +### Limiter with `ConcurrencyLimiter`, `TokenBucketRateLimiter`, and authorization |
| 49 | + |
| 50 | +The following sample: |
| 51 | + |
| 52 | +* Adds a `ConcurrencyLimiter` with a policy name of `"get"` that is used on the Razor Pages. |
| 53 | +* Adds a `TokenBucketRateLimiter` with a partition for each authorized user and a partition for all anonymous users. |
| 54 | +* Sets [RateLimiterOptions.RejectionStatusCode](xref:Microsoft.AspNetCore.RateLimiting.RateLimiterOptions.RejectionStatusCode) to [429 Too Many Requests](https://developer.mozilla.org/docs/Web/HTTP/Status/429). |
| 55 | + |
| 56 | +:::code language="csharp" source="~/../AspNetCore.Docs.Samples/fundamentals/middleware/rate-limit/WebRateLimitAuth/Program.cs" id="snippet_adm2"::: |
| 57 | + |
| 58 | +See [the samples repository for the complete `Program.cs`](https://github.com/dotnet/AspNetCore.Docs.Samples/blob/main/fundamentals/middleware/rate-limit/WebRateLimitAuth/Program.cs#L145,L281) file. |
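Review bot: the front matter on lines 2 and 6 has typos that will show up in the rendered page title and meta description: `samsples` should be `samples` and `limitng` should be `limiting`. Two smaller points in the same hunk: the headings jump from `# Rate limiter samples` straight to `###` sections with no `##` level, which the docs linter normally flags, and the samples-repository links on lines 34 and 58 use `#L145,L281` as the anchor, while GitHub expects a hyphenated range (`#L145-L281`) to highlight the span; with the comma only the first line is selected. The IP-spoofing warning after the `GlobalLimiter` snippet is the right caveat to keep next to the per-`IPAddress` partition.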