
python.fastapi.rate_limiting

Stability: High

Detects FastAPI endpoints without rate limiting.

Endpoints without rate limiting are exposed to:

  • DoS attacks — Attackers overwhelm service
  • Resource exhaustion — One client hogs resources
  • Cost explosion — Unbounded API usage
```python
# ❌ Before (no rate limiting)
from fastapi import FastAPI

app = FastAPI()

# Credentials and authenticate are the application's own (not shown here)
@app.post("/api/login")
async def login(creds: Credentials):
    # Nothing bounds how often one client can call this: credential
    # stuffing and brute force run at whatever rate the server can absorb
    return await authenticate(creds)
```

```python
# ✅ After (with rate limiting)
from fastapi import FastAPI, Request
from slowapi import Limiter, _rate_limit_exceeded_handler
from slowapi.errors import RateLimitExceeded
from slowapi.util import get_remote_address

limiter = Limiter(key_func=get_remote_address)
app = FastAPI()
app.state.limiter = limiter
# Without this handler a RateLimitExceeded error surfaces as a 500, not a 429
app.add_exception_handler(RateLimitExceeded, _rate_limit_exceeded_handler)

@app.post("/api/login")
@limiter.limit("5/minute")
async def login(request: Request, creds: Credentials):
    # slowapi requires the `request: Request` parameter to key the limit on the client
    return await authenticate(creds)
```
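To make the "5/minute" decision concrete, the following added example (not part of this rule's documentation and not slowapi's code) implements a dependency-free sliding-window limiter keyed by client address, replays requests from two constructed client IPs, and shows how the limiter plugs into a FastAPI route as a dependency. The class, function and IP values are hypothetical; the FastAPI import is deferred into `build_app` so the limiter itself runs without FastAPI installed.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Callable, Deque, Dict, List, Tuple


@dataclass
class SlidingWindowLimiter:
    """Hypothetical per-client limiter: at most `limit` hits per `window` seconds.

    Stand-in for slowapi's "5/minute" rule, written to show the decision
    behind a 429 response. The key is whatever identifies the client
    (slowapi's get_remote_address uses the peer address).
    """
    limit: int = 5
    window: float = 60.0
    clock: Callable[[], float] = time.monotonic  # injectable for deterministic tests
    _hits: Dict[str, Deque[float]] = field(
        default_factory=lambda: defaultdict(deque), init=False
    )

    def check(self, key: str) -> Tuple[bool, float]:
        """Record one request for `key` and decide whether it is allowed.

        Returns (allowed, retry_after_seconds); retry_after is 0.0 when allowed.
        """
        now = self.clock()
        hits = self._hits[key]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            # The oldest remaining hit decides when a slot frees up.
            return False, self.window - (now - hits[0])
        hits.append(now)
        return True, 0.0


def simulate(attempts: int, limit: int = 5, window: float = 60.0) -> Dict[str, List[Tuple[bool, float]]]:
    """Replay `attempts` rounds of requests, one second apart, from two
    constructed client IPs and return each client's (allowed, retry_after) decisions."""
    fake_now = [1000.0]  # constructed clock so results are reproducible
    limiter = SlidingWindowLimiter(limit=limit, window=window, clock=lambda: fake_now[0])
    results: Dict[str, List[Tuple[bool, float]]] = {"203.0.113.10": [], "198.51.100.7": []}
    for _ in range(attempts):
        for ip in results:
            results[ip].append(limiter.check(ip))
        fake_now[0] += 1.0
    return results


def build_app(limiter: SlidingWindowLimiter):
    """Wire the limiter into a FastAPI app as a route dependency (hypothetical
    wiring; slowapi does the equivalent through its decorator and error handler)."""
    from fastapi import Depends, FastAPI, HTTPException, Request

    app = FastAPI()

    def rate_limited(request: Request) -> None:
        client = request.client.host if request.client else "unknown"
        allowed, retry_after = limiter.check(client)
        if not allowed:
            raise HTTPException(
                status_code=429,
                detail="Too Many Requests",
                headers={"Retry-After": str(int(retry_after) + 1)},
            )

    @app.post("/api/login", dependencies=[Depends(rate_limited)])
    async def login() -> dict:
        return {"ok": True}

    return app


if __name__ == "__main__":
    for ip, decisions in simulate(7).items():
        print(ip, ["200" if ok else "429" for ok, _ in decisions])
```

Two caveats carry over to slowapi or any in-memory limiter: the counters live in one process, so behind several workers or instances each client gets the limit multiplied (slowapi's `storage_uri` option lets the counts live in a shared store such as Redis), and keying on the peer address is only meaningful if the app sees the real client address, not an unvalidated forwarded header that the client controls.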
Patterns this rule flags:

  • Login endpoints without rate limits
  • Public APIs without throttling
  • Missing slowapi or similar middleware