🚦 Rate Limiting Credential Endpoints: Patterns and Implementation
Credential-related API endpoints — password generation, password reset, token issuance — are prime targets for abuse. Without proper rate limiting, attackers can enumerate users, brute-force passwords, or drain your CSPRNG entropy pool.
Why Rate Limit Credential Endpoints
Credential endpoints are different from regular API endpoints. They require stricter rate limiting because:
- Brute-force attacks — attackers try thousands of password guesses
- Enumeration attacks — attackers probe whether usernames/emails exist
- Denial of wallet — attackers trigger expensive password generation operations
- Entropy depletion — excessive requests can temporarily degrade random number generation
Rate Limiting Strategies
1. Token Bucket Algorithm
The most widely used pattern for API rate limiting. Each client gets a bucket that refills at a fixed rate.
```python
import time
from collections import defaultdict


class TokenBucket:
    def __init__(self, rate, capacity):
        self.rate = rate            # tokens added per second
        self.capacity = capacity    # maximum burst size
        # One bucket per client key, created full on first use
        self.tokens = defaultdict(lambda: {'count': capacity, 'time': time.time()})

    def consume(self, key, tokens=1):
        now = time.time()
        bucket = self.tokens[key]
        # Refill tokens based on elapsed time, never exceeding capacity
        elapsed = now - bucket['time']
        bucket['count'] = min(self.capacity, bucket['count'] + elapsed * self.rate)
        bucket['time'] = now
        if bucket['count'] >= tokens:
            bucket['count'] -= tokens
            return True     # request allowed
        return False        # request should be rejected with 429
```
2. Sliding Window Log
Stores the timestamp of every request and counts only those that fall inside a window that moves with the current time. It uses more memory than a fixed window (one entry per request), but it gives an exact count and avoids the burst that fixed windows allow at the boundary between two periods.
3. Per-Endpoint vs Per-Client
- Per-IP: Simple, but penalises legitimate users who share one address behind NAT
- Per-API-Key: More accurate for authenticated endpoints
- Per-Endpoint: Different limits for /generate vs /validate vs /reset
Recommended Limits for Credential Endpoints
| Endpoint | Limit | Rationale |
|---|---|---|
| POST /api/generate | 30 req/min | Password generation is computationally light |
| POST /api/validate | 60 req/min | Quick checks, but abuse potential |
| POST /api/reset | 3 req/min per user | Password reset abuse is common |
| GET /api/lookup | 10 req/min | User enumeration risk |
HTTP Headers for Rate Limiting
```http
X-RateLimit-Limit: 30
X-RateLimit-Remaining: 28
X-RateLimit-Reset: 1620000000
Retry-After: 5
```
When a client exceeds the limit, return HTTP 429 Too Many Requests with a meaningful error message and a Retry-After header.
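As an added example (not code from the original post), the sliding window log described earlier, keyed per (client, endpoint), applying the per-endpoint limits from the table above and emitting the X-RateLimit-* and Retry-After headers just listed. The endpoint keys, the injectable clock, and the choice not to log denied requests are assumptions made here.

```python
import math
import time
from collections import defaultdict, deque

# Per-endpoint limits from the table above: (max requests, window seconds).
LIMITS = {
    "POST /api/generate": (30, 60),
    "POST /api/validate": (60, 60),
    "POST /api/reset": (3, 60),
    "GET /api/lookup": (10, 60),
}


class SlidingWindowLog:
    """Sliding-window-log limiter keyed per (client, endpoint)."""

    def __init__(self, limits, now=time.time):
        self.limits = limits
        self.now = now  # injectable clock (assumption) so behaviour is testable
        self.logs = defaultdict(deque)  # (client, endpoint) -> timestamps in window

    def check(self, client, endpoint):
        """Return (allowed, headers) for one request.

        Denied requests are not appended to the log, so a blocked client does
        not push its own Retry-After further out (a design choice; some
        deployments prefer the opposite for credential endpoints)."""
        limit, window = self.limits[endpoint]
        now = self.now()
        log = self.logs[(client, endpoint)]
        # Evict timestamps that have aged out of the moving window.
        while log and log[0] <= now - window:
            log.popleft()
        headers = {"X-RateLimit-Limit": str(limit)}
        if len(log) < limit:
            log.append(now)
            headers["X-RateLimit-Remaining"] = str(limit - len(log))
            headers["X-RateLimit-Reset"] = str(int(log[0] + window))
            return True, headers
        # The next slot frees when the oldest logged request leaves the window.
        wait = max(1, math.ceil(log[0] + window - now))
        headers["X-RateLimit-Remaining"] = "0"
        headers["X-RateLimit-Reset"] = str(int(log[0] + window))
        headers["Retry-After"] = str(wait)
        return False, headers
```

A denied result maps directly to the 429 response described above, with the returned headers attached.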
Implementation: Production-Ready Middleware
For Node.js, use express-rate-limit. For Python, use slowapi with FastAPI. For Go, use the rate package from the standard library.
Monitoring and Alerting
Track rate limit hits as a security metric. A sudden spike in 429 responses may indicate an active attack. Set up alerts when any single client hits rate limits for multiple endpoints within a short time window. For end-to-end credential security, Bitwarden offers open-source password management that integrates seamlessly with your existing infrastructure.