Rate limiting algorithms for client-facing web apps
Blog post from Felt
Rate limiting is a critical strategy for controlling the number of requests a client can make to a system within a specified time frame, essential for both API and consumer-facing applications to prevent system overload and potential abuse. In API contexts, rate limits prevent clients from overwhelming the server, while in client-facing applications, they help mitigate abusive behaviors such as brute force attacks, credential stuffing, and spam activities. Implementing rate limits involves methods like throttling, which caps the number of requests a client can make, and fail-to-ban, which blocks clients for extended periods after reaching a threshold. Testing and fine-tuning these limits can be done through historical analysis or dry runs to ensure they are effective without adversely affecting legitimate users. At Felt, rate limiting is managed using the Elixir-based PlugAttack library, with specific policies for security-sensitive routes to enhance system security and reliability.
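As an added illustration of the two policies the post describes (throttling and fail-to-ban) together with a dry-run mode for tuning against historical traffic, here is example code written for this page; it is not Felt's code or the PlugAttack library, and the fixed-window counter keyed by client IP and the sample timings are assumptions:

```python
# Constructed example, not Felt's or PlugAttack's implementation.

class RateLimiter:
    def __init__(self, limit, period, ban_threshold, ban_for, dry_run=False):
        self.limit = limit                  # requests allowed per window
        self.period = period                # window length, seconds
        self.ban_threshold = ban_threshold  # failures per window that trigger a ban
        self.ban_for = ban_for              # ban duration, seconds
        self.dry_run = dry_run              # log verdicts instead of enforcing them
        self.requests = {}                  # key -> (window_start, count)
        self.failures = {}                  # key -> (window_start, count)
        self.banned_until = {}              # key -> time at which the ban expires
        self.log = []                       # (key, verdict) pairs a dry run suppressed

    def _bump(self, table, key, now):
        """Fixed-window counter: reset once the window has elapsed, then count."""
        start, count = table.get(key, (now, 0))
        if now - start >= self.period:
            start, count = now, 0
        table[key] = (start, count + 1)
        return count + 1

    def _decide(self, key, verdict):
        if self.dry_run:                    # record what would have happened
            self.log.append((key, verdict))
            return "allow"
        return verdict

    def check(self, key, now):
        """Verdict for a request from `key` (e.g. a client IP) at time `now`."""
        if self.banned_until.get(key, 0) > now:
            return self._decide(key, "ban")
        if self._bump(self.requests, key, now) > self.limit:
            return self._decide(key, "throttle")
        return "allow"

    def record_failure(self, key, now):
        """Call after a failed login; bans the key once failures hit the threshold."""
        if self._bump(self.failures, key, now) >= self.ban_threshold:
            self.banned_until[key] = now + self.ban_for
            return self._decide(key, "ban")
        return "allow"


def replay(limiter, events):
    """Replay (time, key, kind) events ('request' or 'failure'), e.g. from historical logs."""
    verdicts = []
    for now, key, kind in events:
        if kind == "failure":
            verdicts.append(limiter.record_failure(key, now))
        else:
            verdicts.append(limiter.check(key, now))
    return verdicts
```

Running `replay` with `dry_run=True` leaves every request allowed while `limiter.log` shows which clients the chosen limits would have throttled or banned, which is the tuning step the post recommends before enforcing.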