Pattern: API rate limiting strategies
Tags: rate-limit, 429, sliding-window, Retry-After, throttle, API
Problem
APIs without rate limiting are exposed to abuse, denial of service, and resource exhaustion. Request rates need to be limited per user and per IP.
Solution
Implement rate limiting with proper UX:
Server-side implementation (Python; the same logic ports directly to an Express/Koa middleware):

    from collections import defaultdict
    import time

    class SlidingWindowRateLimiter:
        def __init__(self, max_requests, window_seconds):
            self.max_requests = max_requests
            self.window = window_seconds
            # key -> timestamps of accepted requests. Idle keys are never
            # evicted here, so a production version needs key expiry
            # (or a shared store such as Redis) to bound memory.
            self.requests = defaultdict(list)

        def is_allowed(self, key):
            now = time.time()
            window_start = now - self.window
            # Drop entries that have left the window
            self.requests[key] = [
                t for t in self.requests[key] if t > window_start
            ]
            if len(self.requests[key]) >= self.max_requests:
                return False
            self.requests[key].append(now)
            return True

Response headers (standard):

    X-RateLimit-Limit: 100
    X-RateLimit-Remaining: 42
    X-RateLimit-Reset: 1609459200   (Unix timestamp)
    Retry-After: 30                 (seconds, sent with the 429)

Rate limit tiers:
- Per IP: prevent abuse from a single source
- Per API key: enforce plan limits
- Per endpoint: protect expensive operations
- Global: prevent system overload

Client-side handling (JavaScript):

    const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

    async function fetchWithRetry(url, attempt = 0) {
      const res = await fetch(url);
      // Honour Retry-After on 429, but cap retries so a persistent
      // limit does not turn into an unbounded retry loop
      if (res.status === 429 && attempt < 5) {
        // The header value is a string; default to 60 s if it is absent
        const retryAfter = parseInt(res.headers.get('Retry-After'), 10) || 60;
        await sleep(retryAfter * 1000);
        return fetchWithRetry(url, attempt + 1);
      }
      return res;
    }
Why
Rate limiting protects your API from abuse and ensures fair usage. A sliding window is smoother than a fixed window: a fixed window resets its counter at each boundary, so a client can send a full quota just before the boundary and another full quota just after it, landing up to twice the limit in a short interval. A sliding window has no such boundary burst.
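To make the boundary-burst argument concrete, and to show how the response headers listed in the Solution are derived from the limiter's own state, here is an added Python example (not code from the original pattern). It puts a fixed-window counter next to a sliding-window log limiter, drives both with an injectable clock so the burst is reproducible, and has the sliding-window limiter return the X-RateLimit-* and Retry-After values instead of leaving them to the caller. The class names, the FakeClock helper and the limit/window values are assumptions for illustration.

```python
import math
import time
from collections import defaultdict, deque


class FixedWindowLimiter:
    """Counter reset at fixed boundaries; shown for contrast with the sliding window."""

    def __init__(self, max_requests, window_seconds, clock=time.time):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        self.counts = defaultdict(lambda: [-1, 0])  # key -> [window_id, count]

    def is_allowed(self, key):
        window_id = int(self.clock() // self.window)
        entry = self.counts[key]
        if entry[0] != window_id:          # new window: counter starts over
            entry[0], entry[1] = window_id, 0
        if entry[1] >= self.max_requests:
            return False
        entry[1] += 1
        return True


class SlidingWindowLimiter:
    """Sliding-window log limiter that also reports the standard headers."""

    def __init__(self, max_requests, window_seconds, clock=time.time):
        self.max_requests = max_requests
        self.window = window_seconds
        self.clock = clock
        # key -> timestamps of accepted requests, oldest first. As in the
        # pattern above, idle keys are not evicted; add expiry in production.
        self.log = defaultdict(deque)

    def _prune(self, key, now):
        q = self.log[key]
        while q and q[0] <= now - self.window:   # drop entries outside the window
            q.popleft()
        return q

    def check(self, key):
        """Return (allowed, headers). Only allowed requests are recorded."""
        now = self.clock()
        q = self._prune(key, now)
        if len(q) >= self.max_requests:
            # The oldest entry leaving the window frees the next slot
            retry_after = q[0] + self.window - now
            return False, {
                "X-RateLimit-Limit": self.max_requests,
                "X-RateLimit-Remaining": 0,
                "X-RateLimit-Reset": int(q[0] + self.window),
                "Retry-After": max(1, math.ceil(retry_after)),
            }
        q.append(now)
        return True, {
            "X-RateLimit-Limit": self.max_requests,
            "X-RateLimit-Remaining": self.max_requests - len(q),
            "X-RateLimit-Reset": int(q[0] + self.window),
        }


class FakeClock:
    """Constructed clock so the demo is deterministic (assumption, not a real API)."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def boundary_burst_demo(limit=5, window=10):
    """Send `limit` requests just before a window boundary and `limit` just after.

    Returns (fixed_allowed, sliding_allowed): how many of the 2*limit requests
    each limiter accepted within a two-second span.
    """
    clock = FakeClock(window - 1.0)          # one second before the boundary
    fixed = FixedWindowLimiter(limit, window, clock)
    sliding = SlidingWindowLimiter(limit, window, clock)
    fixed_ok = sliding_ok = 0
    for _ in range(limit):
        fixed_ok += fixed.is_allowed("203.0.113.9")
        sliding_ok += sliding.check("203.0.113.9")[0]
    clock.advance(2.0)                       # one second after the boundary
    for _ in range(limit):
        fixed_ok += fixed.is_allowed("203.0.113.9")
        sliding_ok += sliding.check("203.0.113.9")[0]
    return fixed_ok, sliding_ok


if __name__ == "__main__":
    print("fixed vs sliding accepted:", boundary_burst_demo())
```

With a limit of 5 per 10 seconds, the fixed-window counter accepts all 10 requests that arrive within two seconds of each other, while the sliding window stops at 5; that gap is the boundary burst. The Retry-After value is computed from the oldest timestamp still inside the window, which is exactly when the next slot opens, so clients that honour the header retry once rather than polling.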