GuardAPI

Fix Lack of Resources & Rate Limiting in CodeIgniter

Unrestricted endpoints are an open invitation for DoS attacks and credential stuffing. In CodeIgniter 4, failing to implement rate limiting means your application is vulnerable to resource exhaustion. We mitigate this by leveraging the built-in Throttler service to enforce strict request quotas on sensitive routes.

The Vulnerable Pattern

public function processLogin()
{
    $username = $this->request->getPost('username');
    $password = $this->request->getPost('password');

    // VULNERABLE: No rate limiting or throttling.
    // An attacker can automate thousands of requests per second to brute-force credentials
    // or overwhelm the database connection pool.
    if ($this->authModel->verify($username, $password)) {
        return redirect()->to('/admin');
    }

    return redirect()->back()->with('error', 'Invalid login');
}

The Secure Implementation

The fix implements the Token Bucket algorithm via CodeIgniter's Throttler service. By checking the bucket before executing expensive logic (password hashing and database lookups), we drop excess traffic at the controller level before it costs anything. The 429 Too Many Requests status code signals to the client (and any upstream WAF) that the rate limit has been reached, slowing automated brute-force tools to the configured quota and preventing CPU/RAM exhaustion.

public function processLogin()
{
    $throttler = \Config\Services::throttler();

    // SECURE: Limit to 5 attempts per minute per IP address.
    // We use an MD5 hash of the IP as the bucket key; MINUTE is CodeIgniter's constant for 60 seconds.
    if ($throttler->check(md5($this->request->getIPAddress()), 5, MINUTE) === false) {
        return $this->response->setStatusCode(429)->setBody('Too Many Requests. Slow down.');
    }

    $username = $this->request->getPost('username');
    $password = $this->request->getPost('password');

    if ($this->authModel->verify($username, $password)) {
        return redirect()->to('/admin');
    }

    return redirect()->back()->with('error', 'Invalid login');
}
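To make the refill behaviour behind that check() call visible, here is an added example (not GuardAPI or CodeIgniter code) of a token bucket modelled on the Throttler service's algorithm, with an injectable clock and an in-memory store instead of the cache backend; the client address and timings are constructed.

```php
<?php
declare(strict_types=1);

// Added example: a minimal token bucket modelled on the Throttler algorithm.
// The clock is injected so the refill maths can be traced offline.
final class TokenBucket
{
    /** @var array<string, array{tokens: float|int, time: int}> */
    private array $store = [];
    private int $retryAfter = 0;

    public function __construct(private int $now = 0) {}

    public function advance(int $seconds): void { $this->now += $seconds; }

    /** Seconds a rejected client should wait before its next attempt. */
    public function retryAfter(): int { return $this->retryAfter; }

    // Same contract as Throttler::check(): true if $cost tokens could be taken
    // from the bucket for $key, which refills at $capacity tokens per $seconds.
    public function check(string $key, int $capacity, int $seconds, int $cost = 1): bool
    {
        $rate = $capacity / $seconds;            // tokens refilled per second
        if (!isset($this->store[$key])) {        // first request: bucket starts full
            $this->store[$key] = ['tokens' => $capacity - $cost, 'time' => $this->now];
            return true;
        }
        $elapsed = $this->now - $this->store[$key]['time'];
        $tokens  = min($capacity, $this->store[$key]['tokens'] + $rate * $elapsed);
        if ($tokens >= 1) {
            $this->store[$key] = ['tokens' => $tokens - $cost, 'time' => $this->now];
            $this->retryAfter = 0;
            return true;
        }
        // Bucket empty: report how long until one token has refilled.
        $this->retryAfter = max(1, (int) round(1 / $rate - $elapsed));
        return false;
    }
}

// Demo with constructed input: 5 login attempts per minute from one address.
$bucket = new TokenBucket();
$key    = md5('203.0.113.7');                    // constructed client IP (RFC 5737 test range)
for ($i = 1; $i <= 6; $i++) {
    $ok = $bucket->check($key, 5, 60);
    printf("attempt %d at t=0: %s\n", $i, $ok ? 'allowed' : 'rejected, Retry-After ' . $bucket->retryAfter());
}
$bucket->advance(12);                            // 60s / 5 tokens = one new token every 12s
printf("attempt 7 at t=12: %s\n", $bucket->check($key, 5, 60) ? 'allowed' : 'rejected');
```

The retry delay corresponds to Throttler::getTokenTime(), which the controller can send as a Retry-After header alongside the 429. Behind a reverse proxy, getIPAddress() returns the proxy's address unless that proxy is listed in Config\App::$proxyIPs, in which case every client would share one bucket.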
