Wolverine

Appearance

The search box in the website knows all the secrets—try it!

For any queries, join our Discord Channel to reach us faster.

JasperFx Logo

JasperFx provides formal support for Wolverine and other JasperFx libraries. Please check our Support Plans for more details.

Rate Limiting

Wolverine.HTTP endpoints are standard ASP.NET Core endpoints, so ASP.NET Core's built-in rate limiting middleware works directly with no additional Wolverine-specific setup required.

Setup

First, register the rate limiting services and define one or more rate limiting policies in your application's service configuration:

cs
builder.Services.AddRateLimiter(options =>
{
    options.AddFixedWindowLimiter("fixed", opt =>
    {
        opt.PermitLimit = 1;
        opt.Window = TimeSpan.FromSeconds(10);
        opt.QueueLimit = 0;
    });
    options.RejectionStatusCode = 429;
});

snippet source | anchor

Then add the rate limiting middleware to the request pipeline. This must be placed before MapWolverineEndpoints():

cs
app.UseRateLimiter();

snippet source | anchor

Per-Endpoint Rate Limiting

Apply the [EnableRateLimiting] attribute to individual Wolverine.HTTP endpoints to enforce a named rate limiting policy:

cs
[WolverineGet("/api/rate-limited")]
[EnableRateLimiting("fixed")]
public static string GetRateLimited()
{
    return "OK";
}

snippet source | anchor

When the rate limit is exceeded, the middleware returns a 429 Too Many Requests response automatically.

Disabling Rate Limiting

If you have a global rate limiting policy applied, you can opt specific endpoints out using the [DisableRateLimiting] attribute:

cs
[WolverineGet("/api/health")]
[DisableRateLimiting]
public static string HealthCheck()
{
    return "Healthy";
}

Global Rate Limiting

You can apply a global rate limiting policy that applies to all endpoints by using a global limiter instead of (or in addition to) named policies:

cs
builder.Services.AddRateLimiter(options =>
{
    options.GlobalLimiter = PartitionedRateLimiter.Create<HttpContext, string>(context =>
        RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: context.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                PermitLimit = 100,
                Window = TimeSpan.FromMinutes(1),
                QueueLimit = 0
            }));
    options.RejectionStatusCode = 429;
});

Applying Rate Limiting via ConfigureEndpoints

You can use Wolverine's ConfigureEndpoints() to apply rate limiting metadata to all Wolverine.HTTP endpoints programmatically:

cs
app.MapWolverineEndpoints(opts =>
{
    opts.ConfigureEndpoints(httpChain =>
    {
        // Apply rate limiting to all Wolverine endpoints
        httpChain.WithMetadata(new EnableRateLimitingAttribute("fixed"));
    });
});

Available Rate Limiting Algorithms

ASP.NET Core provides several built-in rate limiting algorithms:

  • Fixed window -- limits requests in fixed time intervals
  • Sliding window -- uses a sliding time window for smoother rate limiting
  • Token bucket -- allows bursts of traffic up to a configured limit
  • Concurrency -- limits the number of concurrent requests

See the ASP.NET Core rate limiting documentation for full details on each algorithm and advanced configuration options.

Released under the MIT License.

Copyright © Jeremy D. Miller and contributors.