CakePHP 5.3 Chiffon API

Class RateLimitMiddleware

Rate limiting middleware

Provides configurable rate limiting based on various identifiers. Supports multiple strategies including sliding window, token bucket, and fixed window.

Namespace: Cake\Http\Middleware

Constants

  • IDENTIFIER_API_KEY
    'api_key'

    Identifier type: API key from token headers

  • IDENTIFIER_IP
    'ip'

    Identifier type: client IP address

  • IDENTIFIER_ROUTE
    'route'

    Identifier type: route (controller/action)

  • IDENTIFIER_TOKEN
    'token'

    Identifier type: token (alias for API key)

  • IDENTIFIER_USER
    'user'

    Identifier type: authenticated user

  • STRATEGY_FIXED_WINDOW
    'fixed_window'

    Strategy: fixed window rate limiting

  • STRATEGY_SLIDING_WINDOW
    'sliding_window'

    Strategy: sliding window rate limiting

  • STRATEGY_TOKEN_BUCKET
    'token_bucket'

    Strategy: token bucket rate limiting

Property Summary

  • $config protected
    array<string, mixed>

    Configuration

  • $defaultConfig protected
    array<string, mixed>

    Default configuration

Method Summary

  • __construct() public

    Constructor

  • addRateLimitHeaders() protected

    Add rate limit headers to response

  • generateKey() protected

    Generate cache key for rate limiting

  • getApiKeyIdentifier() protected

    Get API key/token identifier

  • getClientIp() protected

    Get client IP address

  • getCost() protected

    Get the cost of the request

  • getIdentifier() protected

    Get the identifier for rate limiting

  • getIdentifierByType() protected

    Get identifier by type

  • getLimit() protected

    Get rate limit for the request

  • getRateLimiter() protected

    Get rate limiter instance based on strategy

  • getRouteIdentifier() protected

    Get route identifier

  • getUserIdentifier() protected

    Get user identifier

  • process() public

    Process the request and add rate limiting

  • resolveLimiterConfig() protected

    Resolve limiter configuration for the current request

  • shouldSkip() protected

    Check if rate limiting should be skipped for this request

Method Detail

__construct() public

__construct(array<string, mixed> $config = [])

Constructor

Parameters
array<string, mixed> $config optional

Configuration options

addRateLimitHeaders() protected

addRateLimitHeaders(Psr\Http\Message\ResponseInterface $response, array<string, mixed> $result): Psr\Http\Message\ResponseInterface

Add rate limit headers to response

Parameters
Psr\Http\Message\ResponseInterface $response

The response

array<string, mixed> $result

Rate limit result

Returns
Psr\Http\Message\ResponseInterface

generateKey() protected

generateKey(string $identifier, Psr\Http\Message\ServerRequestInterface $request): string

Generate cache key for rate limiting

Parameters
string $identifier

The identifier

Psr\Http\Message\ServerRequestInterface $request

The request

Returns
string

getApiKeyIdentifier() protected

getApiKeyIdentifier(Psr\Http\Message\ServerRequestInterface $request): string

Get API key/token identifier

Parameters
Psr\Http\Message\ServerRequestInterface $request

The request

Returns
string

getClientIp() protected

getClientIp(Psr\Http\Message\ServerRequestInterface $request): string

Get client IP address

Parameters
Psr\Http\Message\ServerRequestInterface $request

The request

Returns
string

getCost() protected

getCost(Psr\Http\Message\ServerRequestInterface $request): int

Get the cost of the request

Parameters
Psr\Http\Message\ServerRequestInterface $request

The request

Returns
int

getIdentifier() protected

getIdentifier(Psr\Http\Message\ServerRequestInterface $request): string

Get the identifier for rate limiting

Parameters
Psr\Http\Message\ServerRequestInterface $request

The request

Returns
string

getIdentifierByType() protected

getIdentifierByType(string $type, Psr\Http\Message\ServerRequestInterface $request): string

Get identifier by type

Parameters
string $type

The identifier type

Psr\Http\Message\ServerRequestInterface $request

The request

Returns
string

getLimit() protected

getLimit(Psr\Http\Message\ServerRequestInterface $request, string $identifier): int

Get rate limit for the request

Parameters
Psr\Http\Message\ServerRequestInterface $request

The request

string $identifier

The identifier

Returns
int

getRateLimiter() protected

getRateLimiter(array<string, mixed> $limiterConfig = []): Cake\Http\RateLimit\RateLimiterInterface

Get rate limiter instance based on strategy

Parameters
array<string, mixed> $limiterConfig optional

Optional limiter configuration override

Returns
Cake\Http\RateLimit\RateLimiterInterface

getRouteIdentifier() protected

getRouteIdentifier(Psr\Http\Message\ServerRequestInterface $request): string

Get route identifier

Parameters
Psr\Http\Message\ServerRequestInterface $request

The request

Returns
string

getUserIdentifier() protected

getUserIdentifier(Psr\Http\Message\ServerRequestInterface $request): string

Get user identifier

Parameters
Psr\Http\Message\ServerRequestInterface $request

The request

Returns
string

process() public

process(ServerRequestInterface $request, RequestHandlerInterface $handler): Psr\Http\Message\ResponseInterface

Process the request and add rate limiting

Processes an incoming server request in order to produce a response. If unable to produce the response itself, it may delegate to the provided request handler to do so.

Parameters
ServerRequestInterface $request

The request

RequestHandlerInterface $handler

The handler

Returns
Psr\Http\Message\ResponseInterface

resolveLimiterConfig() protected

resolveLimiterConfig(Psr\Http\Message\ServerRequestInterface $request): array<string, mixed>

Resolve limiter configuration for the current request

Parameters
Psr\Http\Message\ServerRequestInterface $request

The request

Returns
array<string, mixed>

shouldSkip() protected

shouldSkip(Psr\Http\Message\ServerRequestInterface $request): bool

Check if rate limiting should be skipped for this request

Parameters
Psr\Http\Message\ServerRequestInterface $request

The request

Returns
bool

Property Detail

$config protected

Configuration

Type
array<string, mixed>

$defaultConfig protected

Default configuration

  • limit: Maximum number of requests allowed (default: 60)
  • window: Time window in seconds for rate limiting (default: 60)
  • identifier: How to identify clients - use IDENTIFIER_* constants (default: IDENTIFIER_IP)
  • strategy: Rate limiting strategy - use STRATEGY_* constants (default: STRATEGY_SLIDING_WINDOW)
  • strategyClass: Fully qualified class name of rate limiter strategy. Takes precedence over strategy option
  • cache: Cache configuration name to use (default: 'default')
  • headers: Whether to add rate limit headers to response (default: true)
  • message: Error message when rate limit is exceeded
  • skipCheck: Closure|null to determine if rate limiting should be skipped for a request
  • costCallback: Closure|null to calculate custom cost for requests (default: 1 per request)
  • identifierCallback: Closure|null to generate custom identifier, overrides identifier option
  • limitCallback: Closure|null to determine dynamic limits based on request/identifier
  • ipHeader: Header name(s) to check for client IP (default: 'x-forwarded-for')
  • includeRetryAfter: Whether to include Retry-After header (default: true)
  • keyGenerator: Closure|null to generate custom cache keys for rate limiting
  • tokenHeaders: Array of headers to check for API tokens (default: ['Authorization', 'X-API-Key'])
  • limiters: Named limiter configurations for different routes/contexts
  • limiterResolver: Closure|null to resolve which named limiter to use for a request

Type
array<string, mixed>
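
An added example (not taken from the CakePHP documentation) that wires the middleware into an application using only options from the list above, with the default setup shown beside an explicit one. The cache name `rate_limit`, the Redis connection values and the `x-real-ip` header are assumptions about the deployment; the closure options are left out because this page does not give their signatures.

```php
<?php
declare(strict_types=1);

namespace App;

use Cake\Cache\Cache;
use Cake\Http\BaseApplication;
use Cake\Http\Middleware\RateLimitMiddleware;
use Cake\Http\MiddlewareQueue;

class Application extends BaseApplication
{
    public function bootstrap(): void
    {
        parent::bootstrap();

        // Dedicated cache config (name chosen for this example) so counters are
        // shared by every app server and are not cleared with application data.
        Cache::setConfig('rate_limit', [
            'className' => 'Redis',
            'host' => '127.0.0.1', // assumed local Redis instance
            'port' => 6379,
            'prefix' => 'rl_',
        ]);
    }

    public function middleware(MiddlewareQueue $middlewareQueue): MiddlewareQueue
    {
        // Defaults: 60 requests per 60 s, identified by IP, 'x-forwarded-for'
        // listed as the IP header, counters in the 'default' cache. A client can
        // send X-Forwarded-For itself unless a proxy you control overwrites it.
        // $middlewareQueue->add(new RateLimitMiddleware());

        // Explicit setup for an app behind a reverse proxy that sets X-Real-IP
        // and drops any client-supplied copy (deployment assumption).
        $middlewareQueue->add(new RateLimitMiddleware([
            'limit' => 30,
            'window' => 60,
            'identifier' => RateLimitMiddleware::IDENTIFIER_IP,
            'strategy' => RateLimitMiddleware::STRATEGY_SLIDING_WINDOW,
            'ipHeader' => 'x-real-ip',
            'cache' => 'rate_limit',
            'headers' => true,
            'includeRetryAfter' => true,
        ]));

        // Other application middleware omitted.
        return $middlewareQueue;
    }
}
```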
Generated using CakePHP API Docs