Throttling and Rate Limiting

Throttling & Rate Limiting in DRF

Throttling sets a limit on how many requests a client may make to your API in a given period. It protects the server from being swamped and limits the damage an abusive client can do. Treat it as load control rather than a hard security boundary: DRF's own documentation says its throttles should not be relied on as protection against brute forcing or denial of service, because they depend on the cache backend and on correctly identifying the client.

1. Preventing API Abuse

Sometimes people (or bots) send far too many requests in a short time. That can slow the API down for everyone or exhaust the server, so we use throttling to refuse the excess.

Think of it like this:

  • Logged-in users can make 10 requests per minute

  • Non-logged-in (anonymous) users can make 5 requests per minute

2. Enable Throttling in settings.py

REST_FRAMEWORK = {
    'DEFAULT_THROTTLE_CLASSES': [
        'rest_framework.throttling.UserRateThrottle',
        'rest_framework.throttling.AnonRateThrottle',
    ],
    'DEFAULT_THROTTLE_RATES': {
        'user': '10/minute',   # Authenticated users
        'anon': '5/minute',    # Unauthenticated users
    },
}

What’s happening here?

  • UserRateThrottle: Limits logged-in users, counted per user id.

  • AnonRateThrottle: Limits guests, counted per client IP address. DRF reads REMOTE_ADDR, or the X-Forwarded-For header when NUM_PROXIES is set in REST_FRAMEWORK. Behind a reverse proxy you must set NUM_PROXIES, otherwise every guest shares the proxy's address and a single counter.

  • Throttle Rates: You set how many requests are allowed per period. The format is number/period, and only the first letter of the period is read, so 10/minute, 10/min and 10/m mean the same thing (s, m, h and d are accepted, e.g., 100/day).

  • Counters are kept in Django's default cache. The default LocMemCache is per process, so with several workers each one counts separately; use a shared cache such as Redis or Memcached in production.

Code Explanation:

REST_FRAMEWORK = {

This line starts a dictionary. It’s used to configure Django REST Framework (DRF) settings.

    'DEFAULT_THROTTLE_CLASSES': [

This line defines which throttling classes (rules for rate limiting) will be used on every view in your project.

        'rest_framework.throttling.UserRateThrottle',

👉 This means logged-in users (authenticated) are controlled by the UserRateThrottle class.

        'rest_framework.throttling.AnonRateThrottle',

👉 This means not-logged-in users (anonymous) are controlled by the AnonRateThrottle class.

    'DEFAULT_THROTTLE_RATES': {

This line starts another dictionary that sets the limits (how many times someone can access the API). The keys are the scope names of the throttle classes: 'user' for UserRateThrottle and 'anon' for AnonRateThrottle. A throttle whose scope has no rate here raises ImproperlyConfigured.

        'user': '10/minute',   # Authenticated users

✅ A logged-in user can only make 10 requests per minute.

        'anon': '5/minute',    # Unauthenticated users

✅ A guest user (not logged in) can only make 5 requests per minute.

Summary:

You are telling DRF:

    • “I want to control how many API requests users can make.”

    • Logged-in users: 10 per minute.

    • Guests: 5 per minute.

It helps protect your app from spamming or abuse of your API.

3. Custom Throttling (Optional)

Want to control limits for specific views only?

You can create your own throttle class:

books/throttles.py

from rest_framework.throttling import UserRateThrottle


class BookBurstRateThrottle(UserRateThrottle):
    scope = 'book_burst'

Then add the new scope's rate to settings.py. Only the rate goes here: leave BookBurstRateThrottle out of DEFAULT_THROTTLE_CLASSES, because anything listed there runs on every view, which defeats the point of a limit for one view.

REST_FRAMEWORK = {
    'DEFAULT_THROTTLE_CLASSES': [
        'rest_framework.throttling.UserRateThrottle',
        'rest_framework.throttling.AnonRateThrottle',
    ],
    'DEFAULT_THROTTLE_RATES': {
        'user': '10/minute',
        'anon': '5/minute',
        'book_burst': '3/minute',  # Custom rule, applies only where the class is attached
    },
}

What's happening?

  • BookBurstRateThrottle inherits UserRateThrottle, so it still identifies the client by user id, but its scope is book_burst, so it keeps its own counter in the cache, separate from the global user counter.

  • The book_burst rate limits that counter to 3 requests per minute. Every scope you use must have a rate in DEFAULT_THROTTLE_RATES; DRF raises ImproperlyConfigured if a throttle's scope has none.

4. Apply Throttle to a Specific View

In your view, you can now attach this custom throttle. Setting throttle_classes on a view replaces DEFAULT_THROTTLE_CLASSES for that view, so list every throttle you still want there: with the list below, the global 10/minute user limit no longer applies to BookViewSet, only book_burst (for logged-in users) and the anonymous limit do.

from rest_framework import viewsets
from rest_framework.throttling import AnonRateThrottle

from .throttles import BookBurstRateThrottle


class BookViewSet(viewsets.ModelViewSet):
    …
    # Replaces the project-wide DEFAULT_THROTTLE_CLASSES for this view only.
    throttle_classes = [BookBurstRateThrottle, AnonRateThrottle]

A request has to pass every throttle in the list, and each throttle that allows it records it as a hit, even if another throttle in the list refuses the request.
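To make the bookkeeping behind sections 2 to 4 concrete, here is an added, stand-alone model of it. It is not code from DRF or from this tutorial: it re-implements the sliding-window algorithm of DRF's SimpleRateThrottle (a list of request timestamps per cache key, the same cache-key format, and the same wait calculation) with the clock passed in as an argument and a plain dict standing in for Django's cache, so it runs without Django installed. The names Throttle, check_throttles and simulate, the user ids 7 and 8, and the IP addresses are made up for the illustration.

```python
"""Stand-alone model of DRF throttle accounting (added illustration; not
code from Django REST Framework or from this tutorial). It copies the
sliding-window bookkeeping of DRF's SimpleRateThrottle, taking the clock
as an argument and using a dict in place of Django's cache, so it runs
without Django and is deterministic."""
import math


def parse_rate(rate):
    """'10/minute' -> (10, 60). Like DRF, only the period's first letter counts."""
    num, period = rate.split("/")
    duration = {"s": 1, "m": 60, "h": 3600, "d": 86400}[period[0]]
    return int(num), duration


class Throttle:
    """One throttle class with one scope, e.g. UserRateThrottle with scope 'user'."""

    def __init__(self, scope, rate, cache):
        self.scope = scope
        self.num_requests, self.duration = parse_rate(rate)
        self.cache = cache  # stands in for Django's default cache
        self.history = []
        self.now = 0.0

    def cache_key(self, ident):
        # DRF's key format. ident is user.pk for UserRateThrottle and the client
        # IP for AnonRateThrottle, so every scope/client pair has its own counter.
        return f"throttle_{self.scope}_{ident}"

    def allow_request(self, ident, now):
        """now replaces time.time() so the window can be moved deterministically."""
        key = self.cache_key(ident)
        self.history = self.cache.get(key, [])
        self.now = now
        # Drop hits older than the window; the list holds newest first.
        while self.history and self.history[-1] <= self.now - self.duration:
            self.history.pop()
        if len(self.history) >= self.num_requests:
            return False  # throttle_failure: nothing is recorded
        self.history.insert(0, self.now)  # throttle_success: record the hit
        self.cache[key] = self.history
        return True

    def wait(self):
        """Seconds until the next request may pass; DRF rounds this up and
        reports it as 'Expected available in N seconds' and in Retry-After."""
        if self.history:
            remaining = self.duration - (self.now - self.history[-1])
        else:
            remaining = self.duration
        available = self.num_requests - len(self.history) + 1
        if available <= 0:
            return None
        return math.ceil(remaining / available)


def check_throttles(throttles, ident, now):
    """Mirror APIView.check_throttles: every throttle sees the request (and
    records it if it allows it); the largest wait becomes Retry-After."""
    waits = [t.wait() for t in throttles if not t.allow_request(ident, now)]
    waits = [w for w in waits if w is not None]
    return (False, max(waits)) if waits else (True, None)


def simulate():
    """Replay the tutorial's rates (user 10/minute, anon 5/minute, book_burst
    3/minute on one view) against constructed traffic; returns the outcomes."""
    cache = {}
    user = Throttle("user", "10/minute", cache)
    anon = Throttle("anon", "5/minute", cache)
    burst = Throttle("book_burst", "3/minute", cache)
    out = {}

    # User pk=7 sends 11 requests one second apart (t=0..10): 10 pass, the 11th
    # is refused and must wait until the t=0 hit leaves the 60 s window: 50 s.
    results = [user.allow_request("7", now=t) for t in range(11)]
    out["user_allowed"] = results.count(True)
    out["user_wait"] = user.wait()

    # At t=61 the hits from t=0 and t=1 have aged out, so the user passes again.
    out["user_after_window"] = user.allow_request("7", now=61)

    # Guests are counted per IP (constructed addresses): each gets its own 5.
    out["anon_a_allowed"] = [anon.allow_request("203.0.113.5", 61) for _ in range(6)].count(True)
    out["anon_b_allowed"] = [anon.allow_request("198.51.100.9", 61) for _ in range(6)].count(True)

    # A view with throttle_classes = [user, book_burst] for user pk=8: the 4th
    # rapid request is refused by book_burst, yet 'user' still counted it as a hit.
    out["view_results"] = [check_throttles([user, burst], "8", 61) for _ in range(4)]
    out["user_hits_recorded_for_8"] = len(cache["throttle_user_8"])
    return out


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Running it prints the outcomes that simulate() returns. Three of them are worth noticing: the wait DRF reports is the time until the oldest hit in the window expires (50 seconds for the 11th request here, not a fresh 60); anonymous counters are per IP address, which is why NUM_PROXIES matters behind a proxy; and when a view lists several throttle classes, each class that allows a request records it even if another class in the list refuses it, so the refused request still consumes a slot of the broader limit.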

5. Test Your Throttling

Try using Postman, curl, or your browser to hit the same API many times quickly.

  • If you exceed the limit, the response has HTTP status 429 Too Many Requests, a Retry-After header, and this body:

{
  "detail": "Request was throttled. Expected available in 60 seconds."
}

The number of seconds is the time until the oldest request in the window expires, rounded up, so it is only 60 when the requests were all sent within the same second.

With the settings above, a logged-in user's 11th request inside one minute is throttled (the first 10 go through). That means throttling is working properly!

Two things to remember when testing: throttle counters live in the cache, so they persist between test cases in the same run until the cache expires or you call cache.clear(); and behind a reverse proxy without NUM_PROXIES set, all anonymous requests are counted against the proxy's address.

Summary

  • Purpose: Prevent API abuse by limiting how many requests a user (or guest) can make in a given time.

  • Default Throttles:

    • UserRateThrottle: For logged-in users (e.g., 10 requests/minute).

    • AnonRateThrottle: For anonymous users (e.g., 5 requests/minute).

  • How to Enable:

    • Add DEFAULT_THROTTLE_CLASSES and DEFAULT_THROTTLE_RATES in settings.py.

  • Custom Throttling:

    • Create your own class (e.g., BookBurstRateThrottle).

    • Set a new scope and define its rate in settings.py.

  • Apply to Specific View:

    • Use throttle_classes = [CustomThrottle, …] in your ViewSet.

  • Test it:

    • Send too many requests.

    • The extra ones get an HTTP 429 response with the message “Request was throttled. Expected available in X seconds.” and a Retry-After header.

Exercise:

  • Set throttle limits to 3 requests per minute.

  • Make 4 requests quickly from Postman. The last one should return:

    • {"detail": "Request was throttled. Expected available in 60 seconds."}
