Missing rate limit headers

Updated: June 19, 2025

Description

An endpoint is missing rate limit headers in 2xx and 4xx responses.

Remediation

Ensure the appropriate RateLimit-Limit, RateLimit-Reset, X-RateLimit-Limit, and X-Rate-Limit-Limit headers are present in 2xx and 4xx responses. Define proper rate limiting so that attackers cannot overload the API. There are many ways to implement rate limiting; most of them involve using HTTP headers.
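The following is an added example, not FireTail's code, of a server-side fixed-window limiter that attaches the headers named above to every response, including 4xx responses from the handler and the 429 the limiter itself returns. The limit and window values, the client identifier and the RateLimit-Remaining header are assumptions not taken from the finding.

```python
import time

LIMIT = 5     # requests allowed per window (constructed sample policy)
WINDOW = 60   # window length in seconds (constructed sample policy)


class FixedWindowLimiter:
    """Counts requests per client per fixed time window."""

    def __init__(self, limit=LIMIT, window=WINDOW, clock=time.time):
        self.limit, self.window, self.clock = limit, window, clock
        self.counters = {}  # (client_id, window_start) -> request count

    def check(self, client_id):
        now = int(self.clock())
        window_start = now - now % self.window
        # Drop counters from windows that have already closed so memory stays bounded
        self.counters = {k: v for k, v in self.counters.items() if k[1] >= window_start}
        key = (client_id, window_start)
        used = self.counters.get(key, 0) + 1
        self.counters[key] = used
        remaining = max(self.limit - used, 0)
        reset = window_start + self.window - now  # seconds until the window rolls over
        return used <= self.limit, remaining, reset


def rate_limit_headers(limit, remaining, reset):
    # IETF draft names (RateLimit-*) plus the legacy X- variants the finding lists.
    # RateLimit-Remaining is an assumed extra, not one of the headers the finding names.
    return {
        "RateLimit-Limit": str(limit),
        "RateLimit-Remaining": str(remaining),
        "RateLimit-Reset": str(reset),
        "X-RateLimit-Limit": str(limit),
        "X-Rate-Limit-Limit": str(limit),
    }


def handle_request(limiter, client_id, handler):
    """Wrap an endpoint handler so every response carries rate limit headers.

    handler() returns (status, body); it is called only when the client is within limit.
    """
    allowed, remaining, reset = limiter.check(client_id)
    headers = rate_limit_headers(limiter.limit, remaining, reset)
    if not allowed:
        return 429, headers, {"error": "rate limit exceeded"}
    status, body = handler()
    return status, headers, body  # headers are present on 2xx and 4xx alike
```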

Security Frameworks

Satisfying API requests requires resources such as network bandwidth, CPU, memory, and storage. Other resources such as emails/SMS/phone calls or biometrics validation are made available by service providers via API integrations and paid for per request. Successful attacks can lead to Denial of Service or an increase in operational costs.

Quite often, APIs do not impose any restrictions on the size or number of resources that can be requested by the client/user. Not only can this impact the API server performance, leading to Denial of Service (DoS), but also leaves the door open to authentication flaws such as brute force.

CIS-ASG-2.2.4: CIS 2.2.4: Enforce Rate Limiting mechanisms

Enforce rate limiting mechanisms to provide protection from repeated requests that target an endpoint.

Rationale

Enforcing rate limiting mechanisms helps prevent Distributed Denial of Service (DDoS) and brute-force attacks by limiting the number of requests an attacker can make within a given timeframe. This ensures the availability of services for legitimate users and protects server resources from being overwhelmed. Compliance requirements often mandate implementing such measures to enhance security. By maintaining Quality of Service (QoS), rate limiting ensures a consistent and reliable experience for users while mitigating the risk of abuse or exploitation of system resources.

Remediation

  • Update rate-limiting configurations.
  • Implement behavioral rate-limiting based on session and/or IP behavior.
  • Enforce logging and monitoring procedures.
  • Deploy distributed rate limiting (load balancers, CDNs, WAFs, IDS/IPS).
  • Document all actions taken.

Audit

  • Review the application architecture.
  • Analyze existing rate-limiting configurations.
  • Examine the logs.
  • Review regulatory requirements and check that the current configuration is in line with them.
  • Evaluate Denial of Service (DoS) resilience.
  • Perform stress tests on existing rate limiting mechanisms.
