Skip to content

kdahlhaus/django-ratelimit

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

19 Commits
ratelimit
ratelimit
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
MANIFEST.in
MANIFEST.in
 
 
README.rst
README.rst
 
 
setup.py
setup.py
 
 

Repository files navigation

Django Ratelimit

Django Ratelimit provides a decorator to rate-limit views. Limiting can be based on IP address or a field in the request--either a GET or POST variable.

If the rate limit is exceded, either a 403 Forbidden can be sent, or the request can be annotated with a limited attribute, allowing you to take another action like adding a captcha to a form.

Using Django Ratelimit

from ratelimit.decorators import ratelimit is the biggest thing you need to do. The @ratelimit decorator provides several optional arguments with sensible defaults (in italics).

ip:
Whether to rate-limit based on the IP. True
block:
Whether to block the request instead of annotating. False
method:
Which HTTP method(s) to rate-limit. May be a string, a list/tuple, or None for all methods. None
field:
Which HTTP field(s) to use to rate-limit. May be a string or a list. none
rate:
The number of requests per unit time allowed. 5/m
error_message:
Optional error message passed to the 403 exception. This will be passed.

from ratelimit.decorators import clear can be called to reset the limiting for a given ip=True/False, field combination. While it is in the decorator module, it is not a decorator.

Examples

@ratelimit()
def myview(request):
    # Will be true if the same IP makes more than 5 requests/minute.
    was_limited = getattr(request, 'limited', False)
    return HttpResponse()

@ratelimit(block=True)
def myview(request):
    # If the same IP makes >5 reqs/min, will return HttpResponseForbidden
    return HttpResponse()

@ratelimit(field='username')
def login(request):
    # If the same username OR IP is used >5 times/min, this will be True.
    # The `username` value will come from GET or POST, determined by the
    # request method.
    was_limited = getattr(request, 'limited', False)
    return HttpResponse()

@ratelimit(method='POST')
def login(request):
    # Only apply rate-limiting to POSTs.
    return HttpResponseRedirect()

@ratelimit(field=['username', 'other_field'])
def login(request):
    # Use multiple field values.
    return HttpResponse()

@ratelimit(rate='4/h')
def slow(request):
    # Allow 4 reqs/hour.
    return HttpResponse()

@ratelimit(field='username')
def login(request):
    # If the same username OR IP is used >5 times/min, this will be True.
    # The `username` value will come from GET or POST, determined by the
    # request method.
    was_limited = getattr(request, 'limited', False)

    # if user logged in OK:
    clear(field='username')

    return HttpResponse()

Acknowledgements

I would be remiss not to mention Simon Willison's ratelimitcache, on which this is largely based.

About

Cache-based rate-limiting for Django

Resources

Readme

License

BSD-3-Clause license
Activity

Stars

1 star

Watchers

2 watching

Forks

1 fork
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 100.0%