top of page core RateLimit with ActionFilters

Updated: Mar 18

In today's world, APIs are very crucial for most web applications. The usage of APIs has been increasing day by day, and so is the need for limiting the number of requests that are coming to the APIs from an individual client to ensure the quality of service for all users. ASP.NET Core Rate Limit is a middleware that helps to limit the rate at which requests are sent to an API. In this article, we will discuss how to use the ASP.NET Core Rate Limit with Action Filters.

ASP.NET Core RateLimit is a middleware that allows you to restrict the rate at which clients can make requests to your API or web application. This can be useful for preventing abuse and ensuring fair usage of your resources.

To implement RateLimit in ASP.NET Core, you can use Microsoft.AspNetCore.RateLimit NuGet package. This package provides a set of middleware components that can be added to your application's request processing pipeline.

One way to use the RateLimit middleware is by using ActionFilters. ActionFilters are attributes that can be applied to controller actions or entire controllers to modify the request processing behavior. To use ActionFilters with RateLimit, you need to do the following:

STEP 1: Install the Microsoft.AspNetCore.RateLimit NuGet package:

dotnet add package Microsoft.AspNetCore.RateLimit

STEP 2: Add the following lines to the ConfigureServices method in your Startup.cs file to configure the RateLimit middleware:


Here, IpRateLimitOptions and IpRateLimitPolicies are classes that define the options and policies for RateLimit. These classes can be configured in your appsettings.json file.

STEP 3: Add the RateLimit middleware to your application's request processing pipeline by adding the following line to the Configure method in your Startup.cs file:


STEP 4: Apply the RateLimit ActionFilter to your controller actions or controllers by adding the [RateLimit] attribute:

[RateLimit(Name = "MyRateLimit", Seconds = 60, Requests = 10)] public IActionResult MyAction() 
    // action code here 

Here, the Name parameter specifies the name of the RateLimit policy to use, the Seconds parameter specifies the time window for the rate limit, and the Requests parameter specifies the maximum number of requests allowed in the time window.

With these steps in place, the RateLimit middleware will automatically reject requests that exceed the specified rate limit. Additionally, the middleware will add headers to the response indicating the current rate limit status and the number of remaining requests.

Note that the RateLimit middleware can be configured to use different storage backends for tracking request rates, such as a distributed cache or a database. You can also customize the response behavior for rejected requests, such as returning a specific HTTP status code or redirecting to an error page.

bottom of page