Fix API Rate Limit Exhaustion in Chi
API rate limit exhaustion is a critical vulnerability that allows attackers to trigger resource starvation or service-wide DoS. In the Chi ecosystem, failing to implement middleware-based throttling leaves your expensive operations (DB queries, bcrypt hashing, upstream calls) exposed to automated brute-force and flooding. We mitigate this by implementing a sliding window counter at the router level.
The Vulnerable Pattern
package main

import (
	"net/http"

	"github.com/go-chi/chi/v5"
)

func main() {
	r := chi.NewRouter()
	// VULNERABLE: No rate limiting middleware. An attacker can hammer this endpoint indefinitely.
	r.Get("/api/resource", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("Sensitive Data"))
	})
	http.ListenAndServe(":8080", r)
}
The Secure Implementation
The vulnerable code lacks any request volume control, making it trivial to exhaust server resources such as goroutines, file descriptors, or database connections. The secure implementation integrates the 'httprate' middleware, which uses a sliding window algorithm to track request counts. By using 'httprate.KeyByIP', we identify unique clients and enforce a hard quota (100 req/min). When the threshold is breached, the middleware short-circuits the request chain and returns a 429 Too Many Requests response, so the expensive business logic never executes.
package main

import (
	"net/http"
	"time"

	"github.com/go-chi/chi/v5"
	"github.com/go-chi/httprate"
)

func main() {
	r := chi.NewRouter()
	// SECURE: Implementing httprate middleware to enforce 100 requests per minute per IP.
	r.Use(httprate.Limit(
		100,
		1*time.Minute,
		httprate.WithKeyFuncs(httprate.KeyByIP),
		httprate.WithLimitHandler(func(w http.ResponseWriter, r *http.Request) {
			http.Error(w, "Rate limit exceeded. Slow down, hacker.", http.StatusTooManyRequests)
		}),
	))
	r.Get("/api/resource", func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("Protected Data"))
	})
	http.ListenAndServe(":8080", r)
}
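To show what the sliding window counter described above actually does at the window edge, here is an added, stdlib-only implementation with the same chi-compatible middleware signature (r.Use(l.Middleware)); it is illustration code, not httprate's or the page's own, and the names SlidingLimiter and NewSlidingLimiter, plus the injectable clock, are assumptions made so the 100-per-minute-per-IP quota and the 429 short-circuit can be exercised offline.

```go
package main
import ("net"; "net/http"; "sync"; "time")
type window struct{ bucket int64; current, previous int } // per-client counts; bucket = fixed window number since the epoch
// SlidingLimiter is a stdlib-only sliding window counter (the algorithm the text attributes to
// httprate); it is an added illustration, not httprate's own code.
type SlidingLimiter struct {
	mu      sync.Mutex
	limit   int
	length  time.Duration
	now     func() time.Time // injectable clock so a test can advance time deterministically
	clients map[string]*window
}
func NewSlidingLimiter(limit int, length time.Duration, now func() time.Time) *SlidingLimiter {
	return &SlidingLimiter{limit: limit, length: length, now: now, clients: map[string]*window{}}
}
// Allow records one request for key and reports whether it fits the quota. The previous window counts
// in proportion to its overlap with the sliding window ending now, so a burst straddling a window
// edge cannot reach 2x the limit the way it can with a plain fixed-window counter.
func (l *SlidingLimiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	now := l.now()
	bucket := now.UnixNano() / int64(l.length)
	w := l.clients[key]
	if w == nil {
		w = &window{bucket: bucket}
		l.clients[key] = w
	}
	if bucket != w.bucket { // new window; a skipped window means the previous one is empty
		if bucket == w.bucket+1 { w.previous = w.current } else { w.previous = 0 }
		w.current, w.bucket = 0, bucket
	}
	weight := 1 - float64(now.UnixNano()-bucket*int64(l.length))/float64(l.length)
	if float64(w.previous)*weight+float64(w.current) < float64(l.limit) {
		w.current++
		return true
	}
	return false
}
// Middleware answers 429 before the wrapped handler runs (chi: r.Use(l.Middleware)). It keys on
// r.RemoteAddr, so behind a reverse proxy run chi's middleware.RealIP first or all clients share one bucket.
func (l *SlidingLimiter) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		ip, _, err := net.SplitHostPort(r.RemoteAddr)
		if err != nil { ip = r.RemoteAddr } // bare address without a port
		if !l.Allow(ip) {
			http.Error(w, "Rate limit exceeded", http.StatusTooManyRequests)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```

In production the limiter is built with NewSlidingLimiter(100, time.Minute, time.Now); the map grows with one entry per client and would need eviction of idle keys in a long-running service.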
Verified by Ghost Labs Security Team