# rate-limiter
**Repository Path**: mirrors_yiisoft/rate-limiter
## Basic Information
- **Project Name**: rate-limiter
- **Description**: RateLimiter helps to prevent abuse by limiting the number of requests that could be me made consequentially.
- **Primary Language**: Unknown
- **License**: BSD-3-Clause
- **Default Branch**: master
- **Homepage**: None
- **GVP Project**: No
## Statistics
- **Stars**: 0
- **Forks**: 0
- **Created**: 2020-08-19
- **Last Updated**: 2026-02-14
## Categories & Tags
**Categories**: Uncategorized
**Tags**: None
## README
Yii Rate Limiter Middleware
[](https://packagist.org/packages/yiisoft/rate-limiter)
[](https://packagist.org/packages/yiisoft/rate-limiter)
[](https://github.com/yiisoft/rate-limiter/actions?query=workflow%3Abuild)
[](https://scrutinizer-ci.com/g/yiisoft/rate-limiter/?branch=master)
[](https://scrutinizer-ci.com/g/yiisoft/rate-limiter/?branch=master)
[](https://dashboard.stryker-mutator.io/reports/github.com/yiisoft/rate-limiter/master)
[](https://github.com/yiisoft/rate-limiter/actions?query=workflow%3A%22static+analysis%22)
[](https://shepherd.dev/github/yiisoft/rate-limiter)
Rate limiter middleware helps to prevent abuse by limiting the number of requests that could be me made consequentially.
For example, you may want to limit the API usage of each user to be at most 100 API calls within a period of 10 minutes.
If too many requests are received from a user within the stated period of the time, a response with status code 429
(meaning "Too Many Requests") should be returned.
## Requirements
- PHP 8.0 or higher.
## Installation
The package could be installed with [Composer](https://getcomposer.org):
```shell
composer require yiisoft/rate-limiter
```
## General usage
```php
use Psr\Http\Message\ServerRequestInterface;
use Yiisoft\Yii\RateLimiter\LimitRequestsMiddleware;
use Yiisoft\Yii\RateLimiter\Counter;
use Nyholm\Psr7\Factory\Psr17Factory;
use Yiisoft\Yii\RateLimiter\Policy\LimitAlways;
use Yiisoft\Yii\RateLimiter\Policy\LimitPerIp;
use Yiisoft\Yii\RateLimiter\Policy\LimitCallback;
use Yiisoft\Yii\RateLimiter\Storage\StorageInterface;
use Yiisoft\Yii\RateLimiter\Storage\SimpleCacheStorage;
/** @var StorageInterface $storage */
$storage = new SimpleCacheStorage($cache);
$counter = new Counter($storage, 2, 5);
$responseFactory = new Psr17Factory();
$middleware = new LimitRequestsMiddleware($counter, $responseFactory); // LimitPerIp by default
```
In the above 2 is the maximum number of counter increments (requests) that could be performed before increments
are limited and 5 is a period to apply limit to, in seconds.
The `Counter` implements [generic cell rate limit algorithm (GCRA)](https://en.wikipedia.org/wiki/Generic_cell_rate_algorithm)
that ensures that after reaching the limit further increments are distributed equally.
> Note: While it is sufficiently effective, it is preferred to use [Nginx](https://www.nginx.com/blog/rate-limiting-nginx/)
> or another webserver capabilities for rate limiting. This package allows rate-limiting in the project with deployment
> environment you cannot control such as installable CMS.
### Implementing your own limiting policy
There are two ready to use limiting policies available in the package:
- `LimitAlways` - to count all incoming requests.
- `LimitPerIp` - to count requests from different IPs separately.
These could be applied as follows:
```php
$middleware = new LimitRequestsMiddleware($counter, $responseFactory, new LimitPerIp());
// or
$middleware = new LimitRequestsMiddleware($counter, $responseFactory, new LimitAlways());
```
Easiest way to customize a policy is to use `LimitCallback`:
```php
$middleware = new LimitRequestsMiddleware($counter, $responseFactory, new LimitCallback(function (ServerRequestInterface $request): string {
// return user id from database if authentication id used i.e. limit guests and each authenticated user separately.
}));
```
Another way it to implement `Yiisoft\Yii\RateLimiter\Policy\LimitPolicyInterface` and use it in a similar way as above.
### Implementing your own counter storage
There are two ready to use counter storages available in the package:
- `\Yiisoft\Yii\RateLimiter\Storage\SimpleCacheStorage` - stores counters in any [PSR-16](https://www.php-fig.org/psr/psr-16/) cache.
- `\Yiisoft\Yii\RateLimiter\Storage\ApcuStorage` - stores counters by using the [APCu PHP extension](https://www.php.net/apcu) while taking concurrency into account.
To use your own storage implement `Yiisoft\Yii\RateLimiter\Storage\StorageInterface`.
## Documentation
- [Internals](docs/internals.md)
If you need help or have a question, the [Yii Forum](https://forum.yiiframework.com/c/yii-3-0/63) is a good place for that.
You may also check out other [Yii Community Resources](https://www.yiiframework.com/community).
## License
The Yii Rate Limiter Middleware is free software. It is released under the terms of the BSD License.
Please see [`LICENSE`](./LICENSE.md) for more information.
Maintained by [Yii Software](https://www.yiiframework.com/).
## Support the project
[](https://opencollective.com/yiisoft)
## Follow updates
[](https://www.yiiframework.com/)
[](https://twitter.com/yiiframework)
[](https://t.me/yii3en)
[](https://www.facebook.com/groups/yiitalk)
[](https://yiiframework.com/go/slack)