Rate Limiter Settings

Prev Next

The Rate Limiter settings control the rate of requests sent or received by your Rocket.Chat workspace. This setting can be used to prevent cyber attacks like DoS (Denial of Service) attacks and limit web scraping. To access it, go to Administration > Workspace > Settings > Rate Limiter.

Configure API rate limiter

Customize rate-limiting for REST APIs according to your needs.

Field

Description

Enable Rate Limiter

Enable API rate limiter.

Enable Rate Limiter in development

Enable rate limiter for development to limit the number of calls to the endpoints in the development environment.

Default number calls to the rate limiter

Set the number of default calls for each endpoint of the REST API that are allowed within the time range defined below.

For example, 10.

Default time limit for the rate limiter (in ms)

Enter the time (in milliseconds) to limit the number of calls at each endpoint.

For example, 60000. This means that 10 calls are allowed in 60,000 ms.

Configure DDP rate limiter

Customize rate-limiting for methods and subscriptions (uses DDP from Meteor) to prevent a high load of WebSocket messages on your workspace. Websocket is a communication protocol that allows for simultaneous data transmission in one channel.

Field

Description

Limit by IP: enabled

Enable rate limiting by IP. If you enable this option, you can update the following settings:

  • Limit by IP: requests allowed: Set the number of requests allowed. For example, 1200.

  • Limit by IP: interval time: Enter the time interval to limit an IP (in milliseconds). For example, 60000.

This means that 1,200 requests from a single IP address are allowed within 60,000 ms.

Limit by User

Enable DDP rate-limiting by users. If you enable this option, you can update the following settings:

  • Limit by User: requests allowed: Enter the number of requests allowed. For example, 1200.

  • Limit by User: interval time: Enter the time interval to limit a user (in milliseconds). For example, 60000.

This means that 1,200 requests from one user are allowed within 60,000 ms.

Limit by Connection

Enable limiting connection requests. The connected user is limited by the defined rate when using Meteor methods over the WebSocket (the DDP connection). If you enable this option, you can update the following settings:

  • Limit by Connection: requests allowed: Enter the number of connection requests allowed. For example, 600.

  • Limit by Connection: interval time: Enter the time interval to limit connections (in milliseconds). For example, 60000.

This means that the user can call Meteor methods by DDP 600 times every 60,000 ms.

Limit by User per Method

Enable limiting a user's request rate per method. If you enable this option, you can update the following settings:

  • Limit by User per Method: requests allowed: Enter the number of requests allowed. For example, 20.

  • Limit by User per Method: interval time: Enter the time interval to limit a user per method (in milliseconds). For example, 10000.

This means that 20 requests from one user for one method are allowed within 10,000 ms.

Limit by Connection per Method

Enable connection limit per method. If you enable this option, you can update the following settings:

  • Limit by Connection per Method: requests allowed: Enter the number of requests allowed. For example, 10.

  • Limit by Connection per Method: interval time: Enter the time interval to limit connections per method (in milliseconds). For example, 10000.

This means that each method can be connected 10 times within 10,000 ms.

Set feature limiting

Setting this up provides your server with full protection from email and username enumeration by brute-force attacks.

  • Default number calls to the rate limiter for registering a user: Enter the number of default calls for user registering endpoints (REST and real-time APIs) that are allowed within the time range defined in the API Rate Limiter section.

For further details, refer to the Rate limiting section in Rocket.Chat API.