rate limiting, should it be per IP address or per user ID?
Fabienne Dubois
·2917 views
Hey everyone, I'm considering adding rate limiting to a new service we're building. We want to stop abuse and make sure everyone gets a fair shot at using it. The main thing I'm wrestling with is whether to track limits by the client's IP address or by their User ID once they're logged in. See, IP addresses can be shared, especially in places like office networks or with CGNAT. That makes it tough to limit things fairly for each person. But, if we only use User ID, we might miss out on catching bot traffic from people who aren't even logged in. What do you all think? Any good strategies or common mistakes I should be aware of with this?
30 comments