Using Laravel 11 Rate Limiting: Custom, Global, Segmented, and Redis‑Based Limits
This article explains how Laravel 11's built‑in rate‑limiting service can be configured with custom, global, segmented, and Redis‑backed limits, showing code examples for defining limiters, custom responses, multiple constraints, and applying them to routes via middleware.
Laravel 11 includes a built‑in rate‑limiting service that can restrict the number of requests a user may make per second or minute, helping prevent abuse and keep applications stable.
1. Custom limiter – Define a named limiter in App\Providers\AppServiceProvider::boot() using the RateLimiter::for() method and return a Limit::perMinute(60) keyed by the authenticated user ID or IP address.
<?php
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
protected function boot(): void
{
RateLimiter::for('api', function (Request $request) {
return Limit::perMinute(60)->by($request->user()?->id ?: $request->ip());
});
}2. Global limiter – A limiter named global can be set to allow 1 000 requests per minute and optionally return a custom 429 response.
<?php
RateLimiter::for('global', function (Request $request) {
return Limit::perMinute(1000)->response(function (Request $request, array $headers) {
return response('Custom response...', 429, $headers);
});
});3. Segmented limiting – Use the by() method to apply different limits based on user authentication or IP address, e.g., 100 requests per minute for logged‑in users and 10 for guests.
<?php
RateLimiter::for('uploads', function (Request $request) {
return $request->user()
? Limit::perMinute(100)->by($request->user()->id)
: Limit::perMinute(10)->by($request->ip());
});4. Multiple limits – Return an array of Limit objects to enforce several constraints on the same route, such as 500 requests per minute for a login name and 3 per minute for the email parameter.
<?php
RateLimiter::for('login', function (Request $request) {
return [
Limit::perMinute(500),
Limit::perMinute(3)->by($request->input('email')),
];
});5. Redis‑backed limiting – When the application uses Redis as the cache driver, replace the default throttle middleware with throttleWithRedis() or the ThrottleRequestsWithRedis class to store counters in Redis.
<?php
// Directly on a route
Route::middleware(['throttleWithRedis'])->group(function () {
// routes here
});Finally, attach a limiter to routes or route groups using the throttle middleware, e.g., Route::middleware(['throttle:uploads'])->group(...). For more configurations, refer to the official Laravel documentation.
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Laravel Tech Community
Specializing in Laravel development, we continuously publish fresh content and grow alongside the elegant, stable Laravel framework.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.