Django Ratelimit Documentation, Release 4.1.0
Even though the third request came nearly two minutes after the first request, the second request moved the window.
Good actors could easily get caught in this, even trying to implement reasonable back-offs.
Starting in 0.5, windows are fixed, and staggered throughout a given period based on the key value, so the third request,
above would not be rate limited (it’s possible neither would the second one).
Warning: That means that given a rate of X/u, you may see up to 2
*
X requests in a short period of time.
Make sure to set X accordingly if this is an issue.
This change still limits bad actors while being far kinder to good actors.
Staggering windows
To avoid a situation where all limits expire at the top of the hour, windows are automatically staggered throughout
their period based on the key value. So if, for example, two IP addresses are hitting hourly limits, instead of both of
those limits expiring at 06:00:00, one might expire at 06:13:41 (and subsequently at 07:13:41, etc) and the other might
expire at 06:48:13 (and 07:48:13, etc).
Sharing rate limits
Before 0.5, rate limits were shared between methods based only on their keys. This was very confusing and unintuitive,
and is far from the least-surprising thing. For example, given these three views:
@ratelimit(ip=True, field='username')
def both(request):
pass
@ratelimit(ip=False, field='username')
def field_only(request):
pass
@ratelimit(ip=True)
def ip_only(request):
pass
The pair both and field_only shares one rate limit key based on all requests to either (and any other views)
containing the same username key (in GET or POST), regardless of IP address.
The pair both and ip_only shares one rate limit key based on the client IP address, along with all other views.
Thus, it’s extremely difficult to determine exactly why a request is getting rate limited.
In 0.5, methods never share rate limits by default. Instead, limits are based on a combination of the group, rate, key
value, and HTTP methods to which the decorator applies (i.e. not the method of the request). This better supports
common use cases and stacking decorators, and still allows decorators to be shared.
For example, this implements an hourly rate limit with a per-minute burst rate limit:
@ratelimit(key='ip', rate='100/m')
@ratelimit(key='ip', rate='1000/h')
def myview(request):
pass
However, this view is limited separately from another view with the same keys and rates:
20 Chapter 3. Contents