Skip to content

go.rate_limiting

Scalability Medium

Detects HTTP endpoints without rate limiting, which can be abused or overwhelmed.

Why It Matters

Without rate limiting:

DoS vulnerability - Anyone can overwhelm your service
Resource exhaustion - Uncontrolled traffic consumes all capacity
Unfair access - One client can starve others
Cost explosion - Cloud costs spike with traffic bursts

Example

// ❌ Before (no rate limiting)
func handler(w http.ResponseWriter, r *http.Request) {
    // Any client can call this unlimited times
    processRequest(w, r)
}

// ✅ After (with rate limiting)
import "golang.org/x/time/rate"

var limiter = rate.NewLimiter(100, 10) // 100 req/sec, burst 10

func handler(w http.ResponseWriter, r *http.Request) {
    if !limiter.Allow() {
        http.Error(w, "Rate limit exceeded", http.StatusTooManyRequests)
        return
    }
    processRequest(w, r)
}

What Unfault Detects

HTTP handlers without rate limit middleware
Missing per-client rate limiting
Expensive operations without throttling

Auto-Fix

Unfault generates rate limiting middleware:

import "golang.org/x/time/rate"

// Per-client rate limiting
type ClientLimiter struct {
    limiters map[string]*rate.Limiter
    mu       sync.RWMutex
    rate     rate.Limit
    burst    int
}

func (cl *ClientLimiter) GetLimiter(clientID string) *rate.Limiter {
    cl.mu.RLock()
    limiter, exists := cl.limiters[clientID]
    cl.mu.RUnlock()

    if exists {
        return limiter
    }

    cl.mu.Lock()
    limiter = rate.NewLimiter(cl.rate, cl.burst)
    cl.limiters[clientID] = limiter
    cl.mu.Unlock()

    return limiter
}