Security Tip #78: Laravel 11's Per-Second Rate Limiting

The next Laravel 11 security feature is a breaking charge listed in the upgrade guide, which introduces support for per-second rate limiting. This is an upgrade from the per-minute rate limiting that Laravel has previously supported.

As per the upgrade guide:

Laravel 11 supports per-second rate limiting instead of being limited to per-minute granularity. There are a variety of potential breaking changes you should be aware of related to this change.

(Check out the upgrade guide for the full instructions.)

This change was introduced by the awesome Tim MacDonald, in the Per-second rate limiting PR.

In the PR he explains:

Per-second rate limiting is important to protect and smooth out bursts across a longer time period.

You might allow 100 requests per customer across a whole minute but not want a customer to send 100 requests in a single second, for example.

Rate limiting is an important security control you need to protect your apps from such things as brute-force login attacks, and users abusing resources. It’s essential for authentication routes, or anywhere where a user enters a code or password, and if your application has long-running processes or performs external actions, you’ll most likely have them protected by rate limiting too.

As Tim says in the PR, having rate limiting locked to the minute could still allow an attacker to abuse your application by making all of those requests within the first second. This can be particularly an issue if your app has limited resources, or sees time-based events that attract a lot of attention around specific times.

👉 Looking to dive deeper into Laravel security? Check out Practical Laravel Security, my hands-on security course that uses interactive hacking challenges to teach you about how vulnerabilities work, so you can avoid them in your own code! 🕵️

👉 When was your last security audit or penetration test? Book in a Laravel Security Audit and Penetration Test today! 🕵️