Rate-Limiting

Context

In order to guarantee a quality of service to all clients, our Web Application Firewall (WAF) implements rate limiting rules to control the number of requests per minute per IP address.

Functionality

Our rate limiting mechanism employs a maximum limit of 900 requests per minute per IP. The WAF checks the rate of requests every 30 seconds and evaluates the request count for the prior 5 minutes during each check. It's important to note that due to this periodic evaluation, there may be a delay of up to 30 seconds before the WAF detects and enforces rate limits for an endpoint that is receiving requests at a high rate. Similarly, if the request rate falls below the limit, it may take up to 30 seconds for the WAF to detect the decrease and discontinue rate limiting for the endpoint.
When the rate limit is exceeded, the client will receive a response indicating a rate limit has been enforced. This is indicated by the presence of the "WAF: Rate-Limit" header in the response. Additionally, the HTTP status code 429 - Too Many Requests will be returned.
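The following is an added example, not code from the WAF vendor, that models the evaluation cycle described above so the detection lag can be seen concretely: requests are recorded per IP, the evaluation runs only on a 30-second tick, and each evaluation looks at the prior 5 minutes. It assumes (the page does not say) that the per-minute rate is the 5-minute request count divided by five, and that "WAF: Rate-Limit" is sent as a plain header name/value pair. The IP address and the traffic schedule are constructed sample input.

```python
from collections import defaultdict, deque

LIMIT_PER_MINUTE = 900   # from the page: 900 requests per minute per IP
WINDOW_SECONDS = 300     # from the page: each check evaluates the prior 5 minutes
CHECK_INTERVAL = 30      # from the page: the WAF checks every 30 seconds


class RateLimiterModel:
    """Toy model of the WAF's periodic evaluation (added example, not the vendor's code).

    Assumption: the per-minute rate is the 5-minute count / 5.
    """

    def __init__(self, check_interval=CHECK_INTERVAL):
        self.requests = defaultdict(deque)   # ip -> timestamps of requests (seconds)
        self.limited = set()                 # ips currently under enforcement
        self.check_interval = check_interval
        self.next_check = check_interval

    def record(self, ip, now):
        """Record one request at time `now`; return (status, headers) the client sees."""
        self._run_due_checks(now)
        self.requests[ip].append(now)
        if ip in self.limited:
            return 429, {"WAF": "Rate-Limit"}
        return 200, {}

    def _run_due_checks(self, now):
        # Evaluation happens only on the tick, which is why enforcement (and
        # release) lags the real traffic by up to one check interval.
        while now >= self.next_check:
            self._evaluate(self.next_check)
            self.next_check += self.check_interval

    def _evaluate(self, check_time):
        cutoff = check_time - WINDOW_SECONDS
        for ip, times in self.requests.items():
            while times and times[0] < cutoff:   # drop requests older than 5 minutes
                times.popleft()
            rate_per_minute = len(times) / (WINDOW_SECONDS / 60)
            if rate_per_minute > LIMIT_PER_MINUTE:
                self.limited.add(ip)
            else:
                self.limited.discard(ip)


def simulate(schedule, ip="198.51.100.7", check_interval=CHECK_INTERVAL):
    """Replay a constructed traffic schedule [(requests_per_second, seconds), ...]
    from one IP and return (time of first 429, time of first 200 after the 429)."""
    model = RateLimiterModel(check_interval=check_interval)
    first_429 = None
    recovered = None
    t0 = 0
    for rps, duration in schedule:
        for tick in range(duration):
            for i in range(rps):
                now = t0 + tick + i / rps
                status, _headers = model.record(ip, now)
                if status == 429 and first_429 is None:
                    first_429 = now
                elif status == 200 and first_429 is not None and recovered is None:
                    recovered = now
        t0 += duration
    return first_429, recovered


if __name__ == "__main__":
    # 20 req/s (1200/min) for 5 minutes, then 1 req/s (60/min) for 5 minutes.
    burst_then_quiet = [(20, 300), (1, 300)]
    print("30 s ticks:", simulate(burst_then_quiet))
    print("continuous:", simulate(burst_then_quiet, check_interval=1))
```

With the 30-second tick the first 429 arrives at t=240 s and the first 200 after release at t=390 s; evaluating every second instead (the `check_interval=1` run) gives 226 s and 379 s, so the periodic check adds 14 s and 11 s of lag respectively, both within the up-to-30-second bound the text describes. A sustained 10 req/s (600/min) never trips the limit in this model.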

🚧 Rate Limit value is dynamic

Please note that the value of the rate limit can be subject to change at any time without prior notice. We reserve the right to modify the rules and values of rate limiting in order to provide an optimal user experience.

Example

If a client sends requests at a rate higher than 900 requests per minute from a specific IP address, there is a possibility that the WAF may take up to 30 seconds to detect and enforce the rate limit for that endpoint. During this time, the requests may continue to be processed. However, once the WAF detects the high rate of requests, it will respond with the "WAF: Rate-Limit" header and the status code 429 - Too Many Requests, indicating that the rate limit has been exceeded and the client should reduce the number of requests sent within the specified time frame.
Similarly, if the request rate falls below the limit, it may take up to 30 seconds for the WAF to detect the decrease and discontinue rate limiting for the endpoint. Once the WAF detects the decrease, the rate limit enforcement will be lifted, allowing the client to send requests at the normal rate without encountering rate limit responses.
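As an added example from the client side (not code from the page or the WAF vendor), the following shows how a client can recognise the enforcement response described above and back off instead of continuing to hammer the endpoint. It checks for the 429 status together with the "WAF: Rate-Limit" header (header names compared case-insensitively, as HTTP requires) and, because the WAF only re-evaluates every 30 seconds, waits at least 30 seconds before retrying, doubling on each further 429. The 30-second base delay and the exponential growth are the example's own choices; the `send` callable and the response sequence are constructed stand-ins for a real HTTP client and endpoint.

```python
import time

WAF_HEADER_NAME = "WAF"          # from the page: "WAF: Rate-Limit" response header
WAF_HEADER_VALUE = "Rate-Limit"


def is_waf_rate_limited(status, headers):
    """True when the response is the WAF's enforcement response:
    HTTP 429 plus the 'WAF: Rate-Limit' header (name and value matched case-insensitively)."""
    if status != 429:
        return False
    for name, value in headers.items():
        if (name.strip().lower() == WAF_HEADER_NAME.lower()
                and value.strip().lower() == WAF_HEADER_VALUE.lower()):
            return True
    return False


def request_with_backoff(send, max_attempts=5, base_delay=30.0, sleep=time.sleep):
    """Call send() -> (status, headers, body); on a WAF rate-limit response wait and retry.

    Assumption (example's own policy): the WAF re-evaluates every 30 s, so the first
    wait is 30 s and each later wait doubles, bounding the extra load we add while limited.
    Returns ((status, headers, body), attempts_used, total_seconds_waited).
    """
    total_wait = 0.0
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        if not is_waf_rate_limited(status, headers):
            return (status, headers, body), attempt, total_wait
        if attempt == max_attempts:
            break                      # give up; caller should stop sending for a while
        delay = base_delay * 2 ** (attempt - 1)
        total_wait += delay
        sleep(delay)
    return (status, headers, body), max_attempts, total_wait


def make_fake_server(responses):
    """Constructed endpoint that replays a fixed list of (status, headers, body) tuples."""
    it = iter(responses)
    return lambda: next(it)


if __name__ == "__main__":
    # Constructed sequence: two enforcement responses, then the limit is lifted.
    server = make_fake_server([
        (429, {"WAF": "Rate-Limit"}, ""),
        (429, {"waf": "rate-limit"}, ""),
        (200, {"Content-Type": "application/json"}, '{"ok": true}'),
    ])
    response, attempts, waited = request_with_backoff(server, sleep=lambda s: None)
    print(response[0], attempts, waited)   # 200 3 90.0
```

A 429 without the "WAF: Rate-Limit" header is returned to the caller unchanged, since it did not come from this rate-limiting rule and may need different handling.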