Using Laravel 11 Rate Limiting: Custom, Global, Segmented, and Redis‑Based Limits

Laravel 11 includes a built‑in rate‑limiting service that can restrict the number of requests a user may make per second or minute, helping prevent abuse and keep applications stable.

1. Custom limiter – Define a named limiter in App\Providers\AppServiceProvider::boot() using the RateLimiter::for() method and return a Limit::perMinute(60) keyed by the authenticated user ID or IP address.

by($request->user()?->id ?: $request->ip());
    });
}

2. Global limiter – A limiter named global can be set to allow 1 000 requests per minute and optionally return a custom 429 response.

response(function (Request $request, array $headers) {
        return response('Custom response...', 429, $headers);
    });
});

3. Segmented limiting – Use the by() method to apply different limits based on user authentication or IP address, e.g., 100 requests per minute for logged‑in users and 10 for guests.

user()
        ? Limit::perMinute(100)->by($request->user()->id)
        : Limit::perMinute(10)->by($request->ip());
});

4. Multiple limits – Return an array of Limit objects to enforce several constraints on the same route, such as 500 requests per minute for a login name and 3 per minute for the email parameter.

by($request->input('email')),
    ];
});

5. Redis‑backed limiting – When the application uses Redis as the cache driver, replace the default throttle middleware with throttleWithRedis() or the ThrottleRequestsWithRedis class to store counters in Redis.

group(function () {
    // routes here
});

Finally, attach a limiter to routes or route groups using the throttle middleware, e.g., Route::middleware(['throttle:uploads'])->group(...) . For more configurations, refer to the official Laravel documentation.