Throttling is similar to permissions, in that it determines if a request should be authorized. Throttles indicate a temporary state, and are used to control the rate of requests that clients can make to an API.

As with permissions, multiple throttles may be used. Your API might have a restrictive throttle for unauthenticated requests, and a less restrictive throttle for authenticated requests.

Another scenario where you might want to use multiple throttles would be if you need to impose different constraints on different parts of the API, due to some services being particularly resource-intensive.

Multiple throttles can also be used if you want to impose both burst throttling rates, and sustained throttling rates. For example, you might want to limit a user to a maximum of 60 requests per minute, and 1000 requests per day.

Throttles do not necessarily only refer to rate-limiting requests. For example, a storage service might also need to throttle against bandwidth, and a paid data service might want to throttle against a certain number of records being accessed.

**The application-level throttling that REST framework provides should not be considered a security measure or protection against brute forcing or denial-of-service attacks.** Deliberately malicious actors will always be able to spoof IP origins. In addition to this, the built-in throttling implementations are implemented using Django's cache framework, and use non-atomic operations to determine the request rate, which may sometimes result in some fuzziness.
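The fuzziness from non-atomic cache operations can be seen in a simplified model, added here as an example and not taken from REST framework's code. `DictCache`, `read_history`, `decide_and_write` and the two driver functions are hypothetical names, the 60-per-minute limit is the text's own example, and the interleaving is forced deterministically instead of relying on threads.

```python
# Simplified model of a cache-backed throttle (added illustration, not REST framework code).
WINDOW = 60  # seconds
LIMIT = 60   # the text's example rate: 60 requests per minute


class DictCache:
    """Constructed stand-in for a shared cache with separate get and set calls."""
    def __init__(self):
        self._data = {}

    def get(self, key, default=()):
        return list(self._data.get(key, default))  # copy, as a cache round trip would

    def set(self, key, value):
        self._data[key] = list(value)


def read_history(cache, key, now):
    """Step 1: fetch the stored timestamps and drop those outside the window."""
    return [t for t in cache.get(key) if t > now - WINDOW]


def decide_and_write(cache, key, history, now):
    """Step 2: decide from the (possibly stale) snapshot, then write it back."""
    if len(history) >= LIMIT:
        return False
    cache.set(key, [now] + history)
    return True


def serialized(n, now=1000.0):
    """Each request completes its read and write before the next one starts."""
    cache = DictCache()
    return sum(
        decide_and_write(cache, "client", read_history(cache, "client", now), now)
        for _ in range(n)
    )


def interleaved(n, now=1000.0):
    """All n workers read before any of them writes, which a get/set pair permits."""
    cache = DictCache()
    snapshots = [read_history(cache, "client", now) for _ in range(n)]
    allowed = sum(decide_and_write(cache, "client", s, now) for s in snapshots)
    return allowed, len(cache.get("client"))  # requests allowed, entries recorded


if __name__ == "__main__":
    print("serialized :", serialized(100))
    print("interleaved:", interleaved(100))
```

In the interleaved run every request is allowed and the last write overwrites the others, so the stored history undercounts what was actually served. Limits that must hold under concurrency need an atomic counter or enforcement in front of the application.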