About

Styles

Contact

This is a short summary of the page's content that appears in search engine results. Learn how to implement robust API rate limiting in .NET 8 with ASP.NET Core's built-in middleware. This guide covers fixed window, sliding window, and token bucket algorithms with practical C# code examples to protect your Web APIs.

API Rate Limiting in .NET 8

User avatar placeholder
Written by Muhammad Talha

August 17, 2025

Controlling how often users can call your API is crucial for maintaining stability, ensuring fair usage, and protecting your services from abuse. This is where rate limiting comes in. With the release of .NET 7 and its enhancement in .NET 8, implementing robust rate limiting in your ASP.NET Core applications has never been easier, thanks to powerful built-in middleware. Let’s dive in! 🚀

What is API Rate Limiting?

API rate limiting is a strategy for controlling the amount of incoming traffic to an API. It restricts the number of requests a user can make within a specific time window. Why is this so important?

  • Prevents Abuse: It stops malicious actors from overwhelming your API with requests, such as in Denial-of-Service (DoS) attacks.
  • Ensures Fair Usage: It ensures that no single user can monopolize server resources, providing a better experience for everyone.
  • Manages Costs: For APIs that rely on paid services, rate limiting can help control operational costs.
  • Maintains Performance: It helps your application remain responsive and stable under heavy load.

Getting Started with .NET 8 Rate Limiting

The rate limiting middleware in ASP.NET Core is flexible and easy to configure. You can set it up globally or apply it to specific endpoints.

1. Installation

First, ensure you have the necessary package. While the core middleware is part of the framework, you’ll typically manage it within your web projects. The main functionality resides in the Microsoft.AspNetCore.RateLimiting namespace.

2. Basic Configuration in Program.cs

You configure rate limiting services in your Program.cs file. The process involves two main steps: adding the rate limiting services and then enabling the middleware.

Here’s a basic setup using a fixed window limiter. This algorithm allows a certain number of requests within a fixed time window.

C#

using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddControllers();

// 1. Add Rate Limiter services
builder.Services.AddRateLimiter(options =>
{
    options.AddFixedWindowLimiter(policyName: "fixed", fixedWindowOptions =>
    {
        fixedWindowOptions.PermitLimit = 5; // Allow 5 requests
        fixedWindowOptions.Window = TimeSpan.FromSeconds(10); // Per 10 seconds
        fixedWindowOptions.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
        fixedWindowOptions.QueueLimit = 2; // Queue up to 2 requests if the limit is reached
    });

    // This status code is returned when a request is rejected.
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
});


var app = builder.Build();

// 2. Use the Rate Limiter middleware
app.UseRateLimiter();

// ... other middleware

app.UseAuthorization();
app.MapControllers();
app.Run();

3. Applying Rate Limiting Policies

Once configured, you can apply your policies.

Globally

To apply a rate limit to all requests, you can use app.UseRateLimiter(), as shown above. To make a specific policy the default for all endpoints that require it, you can define it within the AddRateLimiter configuration.

Per Endpoint

A more common scenario is applying different limits to different endpoints. You can achieve this using the RequireRateLimiting attribute on your controller actions or the RequireRateLimiting() extension method with minimal APIs.

C#

using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.RateLimiting;

[ApiController]
[Route("[controller]")]
public class WeatherForecastController : ControllerBase
{
    // This endpoint will be protected by the "fixed" policy we defined.
    [HttpGet(Name = "GetWeatherForecast")]
    [EnableRateLimiting("fixed")]
    public IEnumerable<WeatherForecast> Get()
    {
        // ... implementation
    }
}

Exploring Different Rate Limiting Algorithms

.NET 8 provides several built-in algorithms to suit different needs.

Fixed Window

As seen above, this is the simplest algorithm. It allows a set number of requests in a time window. The counter resets at the end of each window. Good for general-purpose limiting.

Sliding Window

This is more complex and fairer than the fixed window. It considers a sliding window of time. For example, a limit of 100 requests per minute is checked over the last 60 seconds, not a fixed minute block. This prevents a burst of requests at the edge of two windows.

C#

// In Program.cs
options.AddSlidingWindowLimiter(policyName: "sliding", slidingWindowOptions =>
{
    slidingWindowOptions.PermitLimit = 15;
    slidingWindowOptions.Window = TimeSpan.FromSeconds(15);
    slidingWindowOptions.SegmentsPerWindow = 3; // Divides the window into 3 segments
});

Token Bucket

Imagine a bucket filled with tokens. Each request takes one token. The bucket is refilled at a constant rate. If the bucket is empty, requests are rejected. This allows for bursts of traffic as long as tokens are available.

C#

// In Program.cs
options.AddTokenBucketLimiter(policyName: "token", tokenBucketOptions =>
{
    tokenBucketOptions.TokenLimit = 100; // Max tokens in the bucket
    tokenBucketOptions.QueueLimit = 0;
    tokenBucketOptions.ReplenishmentPeriod = TimeSpan.FromMinutes(1);
    tokenBucketOptions.TokensPerPeriod = 60; // Refill 60 tokens every minute
});

Concurrency

This limiter doesn’t care about time, only about the number of concurrent requests. It’s useful for protecting resources that can only handle a certain number of simultaneous operations, like database connections.

C#

// In Program.cs
options.AddConcurrencyLimiter(policyName: "concurrency", concurrencyOptions =>
{
    concurrencyOptions.PermitLimit = 10; // Only 10 concurrent requests allowed
});

Advanced: Partitioning by User or IP

A global rate limit isn’t always useful. You typically want to limit requests per user or per IP address. You can achieve this by partitioning the rate limit. The HttpContext gives you access to all the information you need.

Here’s how you can create a fixed window policy partitioned by the client’s IP address:

C#

// In Program.cs
builder.Services.AddRateLimiter(options =>
{
    options.AddFixedWindowLimiter("fixed-by-ip", opt =>
    {
        opt.PermitLimit = 10;
        opt.Window = TimeSpan.FromSeconds(10);
    })
    // The key part is using a partitioner
    .OnRejected = (context, token) =>
    {
        // You can log rejected requests here
        return new ValueTask();
    };
});

Wait, the above example is incomplete. The partitioning happens within the policy definition. Let’s correct that.

Here’s a proper example of partitioning by IP address:

C#

// In Program.cs
builder.Services.AddRateLimiter(options =>
{
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(httpContext =>
    {
        // Use the IP address as the partition key
        var ipAddress = httpContext.Connection.RemoteIpAddress?.ToString();
        
        return RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: ipAddress ?? "unknown",
            factory: partition => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 10,
                Window = TimeSpan.FromSeconds(10)
            });
    });

    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
});

// ...

var app = builder.Build();
app.UseRateLimiter(); // Apply the global limiter

This configuration creates a separate fixed window limiter for each unique IP address, which is exactly what you need for fair and effective rate limiting.

Conclusion

The built-in rate limiting middleware in .NET 8 is a powerful, flexible, and essential tool for building secure and reliable Web APIs. By choosing the right algorithm and partitioning strategy, you can protect your services from abuse and ensure a high-quality experience for all your users. It’s easy to set up, highly configurable, and a must-have for any production-level API.

Meta Keywords

.NET 8, ASP.NET Core, API Rate Limiting, Web API, Security, Middleware, C#, .NET Core, Rate Limiting Algorithms, Fixed Window, Sliding Window, Token Bucket, Concurrency Limiter, API Protection, DoS Protection

Meta Description

Learn how to implement robust API rate limiting in .NET 8 with ASP.NET Core's built-in middleware. This guide covers fixed window, sliding window, token bucket, and concurrency algorithms with practical C# code examples to protect your Web APIs from abuse and ensure stability.

Meta Tags (HTML)

HTML

<meta name="keywords" content=".NET 8, ASP.NET Core, API Rate Limiting, Web API, Security, Middleware, C#, .NET Core, Rate Limiting Algorithms, Fixed Window, Sliding Window, Token Bucket, Concurrency Limiter, API Protection, DoS Protection">
<meta name="description" content="Learn how to implement robust API rate limiting in .NET
Image placeholder

Lorem ipsum amet elit morbi dolor tortor. Vivamus eget mollis nostra ullam corper. Pharetra torquent auctor metus felis nibh velit. Natoque tellus semper taciti nostra. Semper pharetra montes habitant congue integer magnis.

Business Automation

The Dawn of the AI Workforce: How Autonomous Agents are Building the Software of Tomorrow

Leave a Comment