Too Many Requests
Production Risk
Moderate. Rate limiting is a necessary control for protecting services from abuse, but if the limits are too strict or poorly documented it frustrates legitimate users and breaks client applications.
The user has sent too many requests in a given amount of time ('rate limiting'). The response should include details explaining the condition, and may include a 'Retry-After' header indicating how long to wait before making a new request.
1. A script or bot is making API calls in a rapid loop.
2. A user is repeatedly clicking a button that triggers a server request.
3. An API key is being shared by too many users, exceeding its collective rate limit.
An API client makes 150 requests in a minute to an endpoint that has a rate limit of 100 requests per minute.
(Repeatedly calling 'GET /api/data' in a short time)
Expected output
HTTP/1.1 429 Too Many Requests
Retry-After: 60
Fix
Implement Rate Limiting Logic
When: You are the client.
// Before making a request, check if enough time has passed
// If a 429 is received, wait for the 'Retry-After' duration before retrying
const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));
const retryAfterSeconds = Number(response.headers.get('Retry-After')) || 60;
await sleep(retryAfterSeconds * 1000);
Why this works
Client-Side Logic (Exponential Backoff)
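The following is an added example, not code from errcodes.dev: a minimal fixed-window limiter that answers 429 with a Retry-After header, and client-side retry logic that honours Retry-After when present and otherwise falls back to capped exponential backoff. The class and function names (RateLimiter, retryDelayMs, requestWithBackoff), the limit of 3 requests per 60-second window, and the plain { status, headers } response objects are assumptions made for the example; a real client would read the header from fetch()'s response.headers.get('Retry-After').

```javascript
// Added example (not errcodes.dev's own code). Responses are plain objects
// { status, headers } with lowercase header names so the logic runs offline.

// Server side: at most `limit` requests per `windowMs` for each client key.
// `now` is injectable so the behaviour can be simulated without real waiting.
class RateLimiter {
  constructor({ limit, windowMs, now = () => Date.now() }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.windows = new Map(); // key -> { start, count }
  }

  handle(key) {
    const t = this.now();
    let w = this.windows.get(key);
    if (!w || t - w.start >= this.windowMs) {
      w = { start: t, count: 0 }; // open a fresh window
      this.windows.set(key, w);
    }
    w.count += 1;
    if (w.count > this.limit) {
      // Tell the client when the window resets, in whole seconds rounded up.
      const retryAfter = Math.ceil((w.start + this.windowMs - t) / 1000);
      return { status: 429, headers: { 'retry-after': String(retryAfter) } };
    }
    return { status: 200, headers: {} };
  }
}

// Client side: milliseconds to wait before the next attempt, or null when the
// response is not a 429. Only the delay-seconds form of Retry-After is parsed;
// a missing or HTTP-date header falls back to exponential backoff with a cap.
function retryDelayMs(res, attempt, { baseDelayMs = 500, maxDelayMs = 30000 } = {}) {
  if (res.status !== 429) return null;
  const raw = res.headers['retry-after'];
  const ra = raw === undefined ? NaN : Number(raw);
  if (Number.isInteger(ra) && ra >= 0) return ra * 1000;
  return Math.min(baseDelayMs * 2 ** (attempt - 1), maxDelayMs);
}

// Production-style loop: call `send()`, sleep for the computed delay on 429,
// give up after `maxAttempts`. Returns the final response and the waits used.
async function requestWithBackoff(send, { maxAttempts = 5, sleep = (ms) => new Promise((r) => setTimeout(r, ms)), ...opts } = {}) {
  const waits = [];
  for (let attempt = 1; ; attempt++) {
    const res = await send();
    const wait = retryDelayMs(res, attempt, opts);
    if (wait === null || attempt >= maxAttempts) return { res, attempts: attempt, waits };
    waits.push(wait);
    await sleep(wait);
  }
}

// Synchronous simulation against the limiter with a fake clock (constructed
// scenario): the client uses up its window, receives 429 + Retry-After: 60,
// "waits" by advancing the clock, and succeeds on the next attempt.
function simulateRetryAfter() {
  let clock = 0;
  const limiter = new RateLimiter({ limit: 3, windowMs: 60000, now: () => clock });
  for (let i = 0; i < 3; i++) limiter.handle('client-A');
  const waits = [];
  for (let attempt = 1; attempt <= 5; attempt++) {
    const res = limiter.handle('client-A');
    const wait = retryDelayMs(res, attempt);
    if (wait === null) return { status: res.status, attempts: attempt, waits };
    waits.push(wait);
    clock += wait; // fake sleep
  }
  return { status: 429, attempts: 5, waits };
}

// Constructed scenario without Retry-After: two 429s then a 200, so the client
// backs off 500 ms, then 1000 ms, and succeeds on the third attempt.
function simulateBackoffOnly() {
  const responses = [
    { status: 429, headers: {} },
    { status: 429, headers: {} },
    { status: 200, headers: {} },
  ];
  const waits = [];
  for (let attempt = 1; attempt <= responses.length; attempt++) {
    const wait = retryDelayMs(responses[attempt - 1], attempt);
    if (wait === null) return { status: 200, attempts: attempt, waits };
    waits.push(wait);
  }
  return { status: 429, attempts: responses.length, waits };
}
```

The server side matters as much as the client side: a 429 that carries an accurate Retry-After lets well-behaved clients stop immediately instead of hammering the endpoint with guesses, and the bounded attempt count keeps a misbehaving script from looping forever. The delay-seconds parsing deliberately rejects garbage header values rather than waiting for NaN milliseconds.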
Content generated with AI assistance and reviewed for accuracy. Found an error? hello@errcodes.dev