GuardAPI

Fix API Rate Limit Exhaustion in Hanami

API Rate Limit Exhaustion in Hanami lets an attacker perform resource exhaustion, credential stuffing, or scraping at scale. Hanami is built on Rack, so if no middleware-level throttling is configured, every request reaches the router and action layer and the application logic is exposed to volumetric abuse. Real-world exploitation usually targets the most expensive endpoints, such as authentication or search, because a burst of requests there drives database CPU to saturation and takes the service down for everyone.

The Vulnerable Pattern

# config/app.rb
# Missing middleware for request control
module MyApp
  class App < Hanami::App
    # No rate limiting configured here
  end
end

# app/actions/users/login.rb
# Every request runs the full lookup; nothing checks request frequency,
# so an attacker can hit this endpoint thousands of times per second.
module MyApp
  module Actions
    module Users
      class Login < MyApp::Action
        def handle(request, response)
          user = UserRepository.new.find_by_email(request.params[:email])
          # … authentication logic …
        end
      end
    end
  end
end

The Secure Implementation

To secure Hanami, we add the `Rack::Attack` middleware to the application stack. It intercepts requests before they reach the router or action layer, so a throttled request never touches the repository. We define a throttle rule for POST requests to `/users/login` that allows each client IP 5 requests per minute; once the limit is exceeded the middleware answers with 429 Too Many Requests and a `Retry-After` header, which preserves application resources and tells the client when to back off. Two caveats matter in practice. The counters live in the configured cache store, so a per-process memory store only limits traffic seen by one worker; production needs a shared store such as Redis. And throttling by `req.ip` only works if that value is the real client address: behind a load balancer or CDN, make sure the proxy is trusted for `X-Forwarded-For` (otherwise every user shares the proxy's IP), and remember that a per-IP limit slows down single-source brute force but not credential stuffing spread across a large botnet, which additionally needs per-account limits or other signals.

# 1. Add 'rack-attack' gem to Gemfile
# 2. config/app.rb
require "rack/attack"

module MyApp
  class App < Hanami::App
    # Runs before the router, so throttled requests never reach an action
    config.middleware.use Rack::Attack
  end
end

# 3. config/initializers/rack_attack.rb
require "json"
require "rack/attack"
require "active_support/cache" # MemoryStore is provided by ActiveSupport, not Hanami

# Per-process store: counters are not shared between workers. Use Redis in production.
Rack::Attack.cache.store = ActiveSupport::Cache::MemoryStore.new

# Allow 5 POSTs per 60 seconds per client IP to the login endpoint.
# Returning nil for every other request leaves it unthrottled.
Rack::Attack.throttle("limit_login_attempts_by_ip", limit: 5, period: 60) do |req|
  req.ip if req.path == "/users/login" && req.post?
end

# Custom JSON 429 body. A custom responder replaces the default one, so set
# Retry-After explicitly; it points at the start of the next window.
Rack::Attack.throttled_responder = lambda do |request|
  match_data = request.env["rack.attack.match_data"]
  now = match_data[:epoch_time]
  retry_after = match_data[:period] - (now % match_data[:period])
  [429,
   { "Content-Type" => "application/json", "Retry-After" => retry_after.to_s },
   [{ error: "Rate limit exceeded. Retry later." }.to_json]]
end
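To make the throttle rule above concrete without depending on the gem, here is an added example (not code from the page, from Hanami, or from rack-attack) of a minimal Rack middleware that implements the same fixed-window rule: 5 POSTs to `/users/login` per 60-second window per client IP, answered with 429 and `Retry-After`. It also shows the client-IP derivation the prose warns about: `X-Forwarded-For` is honoured only when `REMOTE_ADDR` is in a trusted proxy range. The `LoginThrottle` class, the `10.0.0.0/8` proxy range, the `login_env` and `burst_statuses` helpers and the addresses used are all assumptions made up for this example; the env hashes are constructed by hand so it runs offline.

```ruby
require "json"
require "ipaddr"

# Minimal fixed-window throttle for POST /users/login, keyed by client IP.
# Same bucketing rule as Rack::Attack.throttle: the window is now / period,
# so the counter key is "name:window:discriminator" and dies with the window.
class LoginThrottle
  LIMIT  = 5
  PERIOD = 60
  PATH   = "/users/login"

  # Hypothetical trusted reverse-proxy range for this example; set it from
  # your deployment. X-Forwarded-For is only used when REMOTE_ADDR is in it.
  TRUSTED_PROXIES = [IPAddr.new("10.0.0.0/8")].freeze

  def initialize(app, store: Hash.new(0), clock: -> { Time.now.to_i })
    @app   = app
    @store = store   # in-process Hash here; use a shared store (Redis) across workers
    @clock = clock   # injectable so a window boundary can be simulated
  end

  def call(env)
    return @app.call(env) unless env["REQUEST_METHOD"] == "POST" && env["PATH_INFO"] == PATH

    now    = @clock.call
    window = now / PERIOD
    key    = "throttle:login/ip:#{window}:#{client_ip(env)}"
    count  = (@store[key] += 1)
    return @app.call(env) if count <= LIMIT

    # 429 with Retry-After pointing at the start of the next window, so a
    # well-behaved client backs off instead of retrying until the counter resets.
    retry_after = PERIOD - (now % PERIOD)
    body = { error: "Rate limit exceeded. Retry later." }.to_json
    [429, { "content-type" => "application/json", "retry-after" => retry_after.to_s }, [body]]
  end

  # Without this, a direct client can spoof X-Forwarded-For to get a fresh
  # bucket per request, and an app behind a proxy that ignores the header
  # throttles every user under the proxy's single address.
  def client_ip(env)
    remote = env["REMOTE_ADDR"]
    xff    = env["HTTP_X_FORWARDED_FOR"]
    return remote unless xff && trusted?(remote)

    hops = xff.split(",").map(&:strip)
    hops.pop while hops.size > 1 && trusted?(hops.last) # skip our own proxy hops
    hops.last
  end

  private

  def trusted?(addr)
    TRUSTED_PROXIES.any? { |net| net.include?(addr) }
  rescue IPAddr::InvalidAddressError
    false # a malformed address is never a trusted proxy
  end
end

# Build a Rack-style env hash by hand (constructed input; no server needed).
def login_env(remote_addr, method: "POST", path: "/users/login", xff: nil)
  env = { "REQUEST_METHOD" => method, "PATH_INFO" => path, "REMOTE_ADDR" => remote_addr }
  env["HTTP_X_FORWARDED_FOR"] = xff if xff
  env
end

# Fire `count` login POSTs through the throttle and return each status code.
def burst_statuses(count, remote_addr: "203.0.113.10", xff: nil, now: 1_700_000_000)
  app = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }
  throttle = LoginThrottle.new(app, clock: -> { now })
  Array.new(count) { throttle.call(login_env(remote_addr, xff: xff)).first }
end

if __FILE__ == $PROGRAM_NAME
  p burst_statuses(7) # [200, 200, 200, 200, 200, 429, 429]
  p burst_statuses(7, remote_addr: "10.0.0.5", xff: "198.51.100.7, 10.0.0.9")
end
```

The sixth request in a window is the first to be rejected, matching `limit: 5`; a different client address gets its own counter, and once the clock crosses into the next 60-second window the counter starts from zero again. Swapping the `Hash` for a store shared by all workers is what makes the limit hold fleet-wide.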
