Rick's branch off Sams rate limit PR (#34926)

* Fix typo in UID for rate limit samples

* edits

* edits

* edits

Author: Rick-Anderson

aspnetcore/performance/rate-limit-samples.md

@@ -6,12 +6,12 @@ monikerRange: '>= aspnetcore-7.0'
 description: Samples for using ASP.NET rate limitng middleware
 ms.custom: mvc
 ms.date: 03/05/2025
-uid: performance/rate-limit
+uid: performance/rate-limit-sample
 ---
 
 # Rate limiter samples
 
-The following samples aren't meant for production code but are examples on how to use the limiters.
+The following samples aren't production quality, they're examples on how to use the limiters.
 
 ### Limiter with `OnRejected`, `RetryAfter`, and `GlobalLimiter`
 

aspnetcore/performance/rate-limit.md

@@ -19,22 +19,22 @@ The `Microsoft.AspNetCore.RateLimiting` middleware provides rate limiting middle
 
 For an introduction to rate limiting, see [Rate limiting middleware](https://blog.maartenballiauw.be/post/2022/09/26/aspnet-core-rate-limiting-middleware.html).
 
-## Why use rate limiting?
+## Why use rate limiting
 
-Rate limiting can be used for managing the flow of incoming requests to your application. Here are some key reasons to implement rate limiting:
+Rate limiting can be used for managing the flow of incoming requests to an app. Key reasons to implement rate limiting:
 
-- **Preventing Abuse**: Rate limiting helps protect your application from abuse by limiting the number of requests a user or client can make in a given time period. This is particularly important for public APIs.
-- **Ensuring Fair Usage**: By setting limits, you can ensure that all users have fair access to your resources, preventing any single user from monopolizing the system.
-- **Protecting Resources**: Rate limiting helps prevent server overload by controlling the number of requests that can be processed, thus protecting your backend resources from being overwhelmed.
-- **Enhancing Security**: It can mitigate the risk of Denial of Service (DoS) attacks by limiting the rate at which requests are processed, making it harder for attackers to flood your system.
-- **Improving Performance**: By controlling the rate of incoming requests, you can maintain optimal performance and responsiveness of your application, ensuring a better user experience.
+- **Preventing Abuse**: Rate limiting helps protect an app from abuse by limiting the number of requests a user or client can make in a given time period. This is particularly important for public APIs.
+- **Ensuring Fair Usage**: By setting limits, all users have fair access to resources, preventing  users from monopolizing the system.
+- **Protecting Resources**: Rate limiting helps prevent server overload by controlling the number of requests that can be processed, thus protecting the backend resources from being overwhelmed.
+- **Enhancing Security**: It can mitigate the risk of Denial of Service (DoS) attacks by limiting the rate at which requests are processed, making it harder for attackers to flood a system.
+- **Improving Performance**: By controlling the rate of incoming requests, optimal performance and responsiveness of an app can be maintained, ensuring a better user experience.
 - **Cost Management**: For services that incur costs based on usage, rate limiting can help manage and predict expenses by controlling the volume of requests processed.
 
-Implementing rate limiting in your ASP.NET Core application can help maintain stability, security, and performance, ensuring a reliable and efficient service for all users.
+Implementing rate limiting in an ASP.NET Core app can help maintain stability, security, and performance, ensuring a reliable and efficient service for all users.
 
 ## Preventing DDoS Attacks
 
-While rate limiting can help mitigate the risk of Denial of Service (DoS) attacks by limiting the rate at which requests are processed, it is not a comprehensive solution for Distributed Denial of Service (DDoS) attacks. DDoS attacks involve multiple systems overwhelming your application with a flood of requests, making it difficult to handle with rate limiting alone.
+While rate limiting can help mitigate the risk of Denial of Service (DoS) attacks by limiting the rate at which requests are processed, it's not a comprehensive solution for Distributed Denial of Service (DDoS) attacks. DDoS attacks involve multiple systems overwhelming an app with a flood of requests, making it difficult to handle with rate limiting alone.
 
 For robust DDoS protection, consider using a commercial DDoS protection service. These services offer advanced features such as:
 
@@ -44,75 +44,79 @@ For robust DDoS protection, consider using a commercial DDoS protection service.
 - **Global Network**: A global network of servers to absorb and mitigate attacks closer to the source.
 - **Constant Updates**: Commercial services continuously track and update their protection mechanisms to adapt to new and evolving threats.
 
-If using a cloud hosting service, then DDoS protection is usually available as part of the hosting solution, such as [Azure Web Application Firewall](https://azure.microsoft.com/en-us/products/web-application-firewall/), [AWS Shield](https://aws.amazon.com/shield/) or [Google Cloud Armor](https://cloud.google.com/armor/docs). Dedicated protections is available as Web Application Firewalls (WAF) or as part of a CDN solution such as - [Cloudflare](https://www.cloudflare.com/ddos/) or  [Akamai Kona Site Defender](https://www.akamai.com/us/en/products/security/kona-site-defender.jsp)
-
-Implementing a commercial DDoS protection service in conjunction with rate limiting can provide a comprehensive defense strategy, ensuring the stability, security, and performance of your application.
-
-## Using Rate Limiting Middleware
-
-To use the rate limiting middleware in your ASP.NET Core application, follow these steps:
-
-### 1. Install the necessary package:
-Add the `Microsoft.AspNetCore.RateLimiting` package to your project. You can do this via the NuGet Package Manager or by running the following command in the terminal:
-```sh
-   dotnet add package Microsoft.AspNetCore.RateLimiting
-```
-
-### 2. Configure rate limiting services
-In the Program.cs file, configure the rate limiting services by adding the appropriate rate limiting policies. Policies can either be defined as global, for example the following which permits 10 requests per minute:
-
-``` csharp
-builder.Services.AddRateLimiter(options =>
-{
-    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(httpContext =>
-        RateLimitPartition.GetFixedWindowLimiter(
-            partitionKey: httpContext.User.Identity?.Name ?? httpContext.Request.Headers.Host.ToString(),
-            factory: partition => new FixedWindowRateLimiterOptions
-            {
-                AutoReplenishment = true,
-                PermitLimit = 10,
-                QueueLimit = 0,
-                Window = TimeSpan.FromMinutes(1)
-            }));
-});
-```
-
-Or as named polices, which need to be explicitly applied to the pages or endpoints. For example, to add a fixed window limiter:
-
-``` csharp
-var builder = WebApplication.CreateBuilder(args);
-
-builder.Services.AddRateLimiter(options =>
-{
-    options.AddFixedWindowLimiter("fixed", opt =>
-    {
-        opt.PermitLimit = 4;
-        opt.Window = TimeSpan.FromSeconds(12);
-        opt.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
-        opt.QueueLimit = 2;
-    });
-});
-
-var app = builder.Build();
-```
-
-The global limiter applies to all endpoints automatically when it's configured via options.GlobalLimiter, and no endpoint-specific policy is specified.
-
-### 3. Enable rate limiting middleware
- In the Program.cs file, enable the rate limiting middleware by calling UseRateLimiter:
-
-``` csharp
-app.UseRouting();
-
-app.UseRateLimiter();
-
-app.UseEndpoints(endpoints =>
-{
-    endpoints.MapControllers();
-});
-
-app.Run();
-```
+When using a cloud hosting service, DDoS protection is usually available as part of the hosting solution, such as [Azure Web Application Firewall](https://azure.microsoft.com/products/web-application-firewall/), [AWS Shield](https://aws.amazon.com/shield/) or [Google Cloud Armor](https://cloud.google.com/armor/docs). Dedicated protections are available as Web Application Firewalls (WAF) or as part of a CDN solution such as [Cloudflare](https://www.cloudflare.com/ddos/) or [Akamai Kona Site Defender](https://www.akamai.com/us/en/products/security/kona-site-defender.jsp)
+
+Implementing a commercial DDoS protection service in conjunction with rate limiting can provide a comprehensive defense strategy, ensuring the stability, security, and performance of an app.
+
+## Use Rate Limiting Middleware
+
+The following steps show how to use the rate limiting middleware in an ASP.NET Core app:
+
+1. Install the `Microsoft.AspNetCore.RateLimiting` package.:
+
+  Add the `Microsoft.AspNetCore.RateLimiting` package to the project, via the NuGet Package Manager or   the following command:
+  
+  ```sh
+     dotnet add package Microsoft.AspNetCore.RateLimiting
+  ```
+
+2. Configure rate limiting services.
+
+  In the `Program.cs` file, configure the rate limiting services by adding the appropriate rate limiting  policies. Policies can either be defined as global or named polices. The following example permits 10 requests per minute:
+  
+  ``` csharp
+  builder.Services.AddRateLimiter(options =>
+  {
+      options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(httpContext =>
+          RateLimitPartition.GetFixedWindowLimiter(
+              partitionKey: httpContext.User.Identity?.Name ?? httpContext.Request.Headers.Host.  ToString(),
+              factory: partition => new FixedWindowRateLimiterOptions
+              {
+                  AutoReplenishment = true,
+                  PermitLimit = 10,
+                  QueueLimit = 0,
+                  Window = TimeSpan.FromMinutes(1)
+              }));
+  });
+  ```
+  
+  Named polices need to be explicitly applied to the pages or endpoints. The following example adds a fixed window limiter:
+  
+  ``` csharp
+  var builder = WebApplication.CreateBuilder(args);
+  
+  builder.Services.AddRateLimiter(options =>
+  {
+      options.AddFixedWindowLimiter("fixed", opt =>
+      {
+          opt.PermitLimit = 4;
+          opt.Window = TimeSpan.FromSeconds(12);
+          opt.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
+          opt.QueueLimit = 2;
+      });
+  });
+  
+  var app = builder.Build();
+  ```
+  
+  The global limiter applies to all endpoints automatically when it's configured via [options.  GlobalLimiter](/dotnet/api/microsoft.aspnetcore.ratelimiting.ratelimiteroptions.globallimiter), and no endpoint-specific policy is specified.
+
+3. Enable rate limiting middleware
+
+   In the `Program.cs` file, enable the rate limiting middleware by calling [UseRateLimiter](/dotnet/api/microsoft.aspnetcore.builder.ratelimiterapplicationbuilderextensions.useratelimiter):
+  
+  ``` csharp
+  app.UseRouting();
+  
+  app.UseRateLimiter();
+  
+  app.UseEndpoints(endpoints =>
+  {
+      endpoints.MapControllers();
+  });
+  
+  app.Run();
+  ```
 
 ### Apply rate limiting policies to endpoints or pages
 
@@ -141,7 +145,7 @@ app.UseEndpoints(endpoints =>
 
 #### Apply rate limiting to Blazor Server Pages
 
-To set rate limiting to all pages,  `RequireRateLimiting(Policy)` can be specified on the MapRazorComponents call, for example:
+To set rate limiting to all pages,  [`RequireRateLimiting(Policy)`](/dotnet/api/microsoft.aspnetcore.builder.ratelimiterendpointconventionbuilderextensions.requireratelimiting) can be specified on the MapRazorComponents call, for example:
 
 ``` csharp
 app.MapRazorComponents<App>()
@@ -159,7 +163,7 @@ To set policy for individual Blazor Pages, the attribute must be applied to the
 <h1>Counter</h1>
 ```
 
-The `DisableRateLimiting` attribute can be used to disable rate limiting on a Razor Page.
+The [`DisableRateLimiting`](/dotnet/api/microsoft.aspnetcore.ratelimiting.disableratelimitingattribute) attribute can be used to disable rate limiting on a Razor Page.
 
 Note: `EnableRateLimiting` is only applied to a Razor Page if `MapBlazorComponents().RequireRateLimiting(Policy)` has ***not*** been called.
 
@@ -280,9 +284,9 @@ The following code uses the concurrency limiter:
 
 :::code language="csharp" source="~/../AspNetCore.Docs.Samples/fundamentals/middleware/rate-limit/WebRateLimitAuth/Program.cs" id="snippet_concur":::
 
-
 ## Rate Limiting Partitions
-Rate limiting partitions divide your traffic into separate "buckets" that each get their own rate limit counters. This allows for more granular control than a single global counter. The partition "buckets" are defined by different keys (like user ID, IP address, or API key).
+
+Rate limiting partitions divide the traffic into separate "buckets" that each get their own rate limit counters. This allows for more granular control than a single global counter. The partition "buckets" are defined by different keys (like user ID, IP address, or API key).
 
 ### Benefits of Partitioning
 - **Fairness**: One user can't consume the entire rate limit for everyone
@@ -469,7 +473,7 @@ In the preceding controller:
 
 ## Rate limiting metrics
 
-The rate limiting middleware provides built-in metrics and monitoring capabilities to help you understand how rate limits are affecting your application performance and user experience. The following metrics are provided for rate limiting:
+The rate limiting middleware provides built-in metrics and monitoring capabilities to help understand how rate limits are affecting app performance and user experience. The following metrics are provided for rate limiting
 
 | Metric  | Description | Type |
 | --- | --- | --- |