Rate Limiting & Brute Force Protection
Rate limiting protects your API and login endpoints from abuse. Without it, attackers can brute-force passwords, scrape data, or overwhelm your server. Django provides tools and packages for implementing rate limits.
15 min•By Priygop Team•Updated 2026
Rate Limiting Approaches
- DRF Throttling — Built-in rate limiting for APIs
- django-ratelimit — Decorator-based rate limiting
- django-axes — Track and block failed login attempts
- Login attempt limiting — Block after N failed attempts
- IP-based and user-based throttling
- Use Redis or Memcached for distributed rate limiting
- Return 429 Too Many Requests (with a Retry-After header) when the limit is exceeded
Rate Limiting Example
```python
# DRF Throttling (APIs)
# settings.py
REST_FRAMEWORK = {
    # Throttle classes must be enabled; DEFAULT_THROTTLE_RATES alone does nothing.
    'DEFAULT_THROTTLE_CLASSES': [
        'rest_framework.throttling.AnonRateThrottle',  # uses the 'anon' rate
        'rest_framework.throttling.UserRateThrottle',  # uses the 'user' rate
    ],
    'DEFAULT_THROTTLE_RATES': {
        'anon': '100/hour',
        'user': '1000/hour',
        # Applied by a view that uses ScopedRateThrottle with throttle_scope = 'login'
        'login': '5/minute',
    },
}

# django-axes — Brute force protection
# pip install django-axes
# settings.py
INSTALLED_APPS = [
    # ...
    'axes',
]
AUTHENTICATION_BACKENDS = [
    # Listed first so the lockout check runs before any password check
    'axes.backends.AxesStandaloneBackend',
    'django.contrib.auth.backends.ModelBackend',
]
MIDDLEWARE = [
    # ...
    'axes.middleware.AxesMiddleware',
]
AXES_FAILURE_LIMIT = 5  # Lock after 5 failed attempts
AXES_COOLOFF_TIME = 1  # Lock for 1 hour (an integer is read as hours)
# Count username+IP pairs rather than IPs alone, so one attacker cannot lock out
# every user from a shared address. Newer django-axes releases express this as
# AXES_LOCKOUT_PARAMETERS = [["username", "ip_address"]].
AXES_LOCK_OUT_BY_COMBINATION_USER_AND_IP = True
AXES_RESET_ON_SUCCESS = True  # Reset counter on successful login

# Custom rate limiting with django-ratelimit
# pip install django-ratelimit
from django.http import HttpResponse
from django_ratelimit.decorators import ratelimit


# block=False lets the view run and inspect request.limited; with the default
# block=True the decorator raises Ratelimited (a 403) before the view is called.
@ratelimit(key='ip', rate='5/m', method='POST', block=False)
def login_view(request):
    was_limited = getattr(request, 'limited', False)
    if was_limited:
        response = HttpResponse('Too many attempts. Try again later.', status=429)
        response['Retry-After'] = '60'  # seconds; matches the 5/m window
        return response
    # ... login logic
```
Tip
Implement login rate limiting to prevent brute force attacks. Use django-axes or custom middleware with exponential backoff.
Diagram
Return 429 with a Retry-After header; use Redis as the shared counter store when rate limiting across several servers.
Common Mistake
Warning
Not implementing account lockout after failed login attempts. Attackers can brute-force passwords indefinitely.
Practice Task
Note
(1) Implement login rate limiting. (2) Add CAPTCHA after 3 failures. (3) Log failed attempts for monitoring.
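As an added example (not part of this page and not django-axes code) of the Tip's exponential backoff and the Practice Task's failure logging, this framework-free Python class tracks failed logins per (username, IP) pair, doubles each successive lockout, reports a Retry-After value, and records structured events; the class name, the base and maximum lockout seconds, and the sample values are assumptions.

```python
import time
from dataclasses import dataclass, field
from typing import Callable


@dataclass
class LoginAttemptLimiter:
    """Tracks failed logins per (username, ip) pair. After `failure_limit`
    consecutive failures the pair is locked out; each further lockout doubles
    in length (exponential backoff) up to `max_lock` seconds."""
    failure_limit: int = 5
    base_lock: int = 60                      # first lockout, seconds (assumed value)
    max_lock: int = 3600                     # backoff ceiling, seconds (assumed value)
    clock: Callable[[], float] = time.time   # injectable so tests can fake time
    _failures: dict = field(default_factory=dict)      # key -> consecutive failures
    _locked_until: dict = field(default_factory=dict)  # key -> unix timestamp
    _lockouts: dict = field(default_factory=dict)      # key -> lockouts so far
    log: list = field(default_factory=list)            # structured audit events

    def retry_after(self, username: str, ip: str) -> int:
        """Seconds the pair must wait (Retry-After header value); 0 if allowed."""
        until = self._locked_until.get((username, ip), 0)
        return max(0, int(until - self.clock()))

    def record_failure(self, username: str, ip: str) -> int:
        """Count a failed attempt; return the lockout length applied, or 0."""
        key = (username, ip)
        self._failures[key] = self._failures.get(key, 0) + 1
        self.log.append({"event": "login_failed", "user": username, "ip": ip,
                         "count": self._failures[key]})
        if self._failures[key] < self.failure_limit:
            return 0
        n = self._lockouts.get(key, 0)                  # previous lockouts for this pair
        lock = min(self.base_lock * 2 ** n, self.max_lock)
        self._lockouts[key] = n + 1
        self._failures[key] = 0
        self._locked_until[key] = self.clock() + lock
        self.log.append({"event": "lockout", "user": username, "ip": ip, "seconds": lock})
        return lock

    def record_success(self, username: str, ip: str) -> None:
        """Like AXES_RESET_ON_SUCCESS: a good login clears counters and backoff."""
        for table in (self._failures, self._locked_until, self._lockouts):
            table.pop((username, ip), None)
```

Call `retry_after` before checking the password and respond with 429 when it is non-zero; the `log` list is the place to hook a real logger or SIEM forwarder.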
Key Takeaways
- Rate limiting protects your API and login endpoints from abuse.
- DRF Throttling — Built-in rate limiting for APIs
- django-ratelimit — Decorator-based rate limiting
- django-axes — Track and block failed login attempts