When you're building a web application, you often need to protect it from users (or bots) who send too many requests in a short amount of time. This is where throttling comes in. Laravel makes it super easy to handle throttling and protect your application.
In this blog, I'll explain what a throttle limit is, why you need it, and how to set it up in Laravel — in a simple and human way. Let’s get started!
What is Throttling?
Throttle basically means "to control the flow".
In web applications, throttling is used to limit the number of requests a user can make to your server within a certain time.
Imagine you have a form on your website.
Now, what if someone (maybe a bot) tries to submit it 500 times in a minute?
That's bad for your server — it could slow down or even crash.
With throttling, you can say something like:
"Hey, you can only make 60 requests per minute. If you go over that, you’ll get a warning or be blocked for some time."
This protects your app and makes sure it runs smoothly for everyone.
How Laravel Handles Throttling
Laravel has built-in throttle middleware that makes it super easy.
You don’t have to install anything extra. It’s ready to use!
The middleware is called ThrottleRequests.
You can find it already registered inside the Kernel.php file (located at app/Http/Kernel.php) under the $routeMiddleware array:
'throttle' => \Illuminate\Routing\Middleware\ThrottleRequests::class,
How to Set Throttle Limit in Laravel
Now, let’s see how you can apply throttle limits to your routes.
1. Throttle on Routes
You can add a throttle limit directly to a route like this:
Route::middleware(['throttle:60,1'])->group(function () {
    Route::get('/api/posts', [PostController::class, 'index']);
});
Here’s what 'throttle:60,1' means:
- 60 → Maximum 60 requests
- 1 → Per 1 minute
In simple words: Allow 60 requests per minute.
2. Throttle on Specific Routes
You can also apply throttling to a specific route like this:
Route::get('/api/comments', [CommentController::class, 'index'])
    ->middleware('throttle:30,1');
This will allow only 30 requests per minute on the /api/comments endpoint.
3. Customize Throttling with Named Rate Limits
Laravel 8+ allows you to define named rate limiters for more control.
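You can define them inside RouteServiceProvider.php:
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request; // needed for the Request type hint in the closure
use Illuminate\Support\Facades\RateLimiter;

public function boot()
{
    // Register a named limiter: 20 requests per minute, counted per client IP
    RateLimiter::for('custom-limit', function (Request $request) {
        return Limit::perMinute(20)->by($request->ip());
    });
}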
Then you can use it like:
Route::middleware(['throttle:custom-limit'])->group(function () {
    Route::get('/api/custom', [CustomController::class, 'index']);
});
Here, users will be allowed 20 requests per minute, based on their IP address.
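Keying only by IP puts everyone behind the same NAT or proxy into one bucket, and it does little for a login form. The following is an added example (not code from the original post) of named limiters that key by account when one is available and stack two limits on login. The limiter names 'api-per-client' and 'login', the numbers, the 'email' field and LoginController are assumptions.

```php
<?php
// Added example for app/Providers/RouteServiceProvider.php (Laravel 8+).
// Limiter names, limits and the 'email' field are assumptions.

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

class RouteServiceProvider extends ServiceProvider
{
    public function boot()
    {
        // Signed-in clients get one bucket per account, so users behind a
        // shared NAT address do not exhaust each other's quota. Anonymous
        // clients fall back to a smaller per-IP bucket.
        RateLimiter::for('api-per-client', function (Request $request) {
            $user = $request->user();

            return $user
                ? Limit::perMinute(60)->by('user:'.$user->getAuthIdentifier())
                : Limit::perMinute(20)->by('ip:'.$request->ip());
        });

        // Login attempts: both limits must pass. The first slows guessing
        // against one account from one address, the second caps one address
        // trying many different accounts.
        RateLimiter::for('login', function (Request $request) {
            $email = strtolower((string) $request->input('email'));

            return [
                Limit::perMinute(5)->by('login:'.$email.'|'.$request->ip()),
                Limit::perMinute(30)->by('login-ip:'.$request->ip()),
            ];
        });

        // Keep the existing $this->routes(...) registration from your
        // provider here; it is omitted to keep the example short.
    }
}

// In a routes file (LoginController is a hypothetical controller):
// Route::post('/login', [LoginController::class, 'store'])
//     ->middleware('throttle:login');
```

$request->ip() only reflects the real client when trusted proxies are configured correctly. Behind an unconfigured load balancer every visitor appears to come from the proxy's address and therefore shares one bucket.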
What Happens When a User Exceeds the Limit?
If someone sends too many requests and crosses the limit, Laravel will automatically return a 429 Too Many Requests response.
It’ll also send headers like:
- Retry-After — tells when they can try again.
You don't need to do anything manually. Laravel handles it neatly for you!
Why Should You Use Throttle Limits?
- Protect your server from overload
- Block bots from spamming your APIs
- Improve security (helps against attacks like DDoS)
- Provide a smooth experience for real users
Quick Recap
- Throttling = limiting the number of requests.
- Laravel’s throttle middleware is easy to use.
- You can set limits globally, per route, or even define custom rules.
- When limits are crossed, Laravel sends a 429 error automatically.