Fix Lack of Resources & Rate Limiting in Laravel
Lack of rate limiting (OWASP API4:2023, Unrestricted Resource Consumption) is a common oversight that enables denial-of-service, brute-force and credential-stuffing attacks. In Laravel, exposing endpoints such as login, password reset, or expensive search queries without throttling lets an adversary exhaust server resources (CPU, memory and database connections) and render the application unavailable, or, on authentication endpoints, try passwords without limit.
The Vulnerable Pattern
```php
// routes/api.php
use App\Http\Controllers\SearchController;
use Illuminate\Support\Facades\Route;

// This route is wide open to resource exhaustion and automated abuse:
// no throttle middleware, so one client can call it as fast as it likes.
Route::post('/v1/heavy-search', [SearchController::class, 'execute']);
```

```php
// app/Http/Controllers/SearchController.php
namespace App\Http\Controllers;

use App\Models\Product;
use Illuminate\Http\Request;

class SearchController extends Controller
{
    public function execute(Request $request)
    {
        // Unanchored LIKE on an unbounded result set: a full table scan per
        // request, no pagination, and no per-client request limit.
        return Product::where('name', 'like', '%' . $request->input('q') . '%')->get();
    }
}
```
The Secure Implementation
The secure implementation uses Laravel's built-in RateLimiter facade to define a named limiter, 'search_api'. It applies a fixed-window limit of 5 requests per minute, keyed on the client IP address, for standard users, while premium users receive Limit::none() and are not throttled. Attaching the 'throttle:search_api' middleware to the route makes the framework count each hit in the cache and return 429 Too Many Requests (with Retry-After and X-RateLimit-* headers) once the limit is breached, before the controller runs, so the expensive query never reaches the database. Two practical caveats: $request->ip() is only the real client address when the application's trusted-proxy configuration covers your load balancer or CDN, otherwise every caller shares the proxy's single bucket; and keying authenticated users by user id rather than IP stops one account from spreading its quota across many addresses. 'is_premium' is an example attribute on the User model, not something Laravel ships.
```php
// app/Providers/AppServiceProvider.php
namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        // Named limiter: premium users are unlimited, everyone else gets
        // 5 requests per minute per client IP. 'is_premium' is an example
        // attribute on the User model.
        RateLimiter::for('search_api', function (Request $request) {
            return $request->user()?->is_premium
                ? Limit::none()
                : Limit::perMinute(5)->by($request->ip());
        });
    }
}
```

```php
// routes/api.php
use App\Http\Controllers\SearchController;
use Illuminate\Support\Facades\Route;

// The throttle middleware runs before the controller, so a throttled
// request never reaches the database.
Route::middleware('throttle:search_api')
    ->post('/v1/heavy-search', [SearchController::class, 'execute']);
```
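A fuller version of the same pattern, added here as an example and not taken from the original page: the limiter is keyed by user id for authenticated callers and by IP for guests, premium users stay exempt, a second per-IP limit caps bursts from one machine regardless of account, the 429 body is a JSON error, and a feature test proves that the sixth request within a minute is refused. Assumptions: an `is_premium` column on the User model exposed through its factory, a `products` table with migrations, and the `/api` prefix that Laravel's default api route group applies to `routes/api.php`.

```php
<?php
// app/Providers/AppServiceProvider.php  (added example, not the page's code)
namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        RateLimiter::for('search_api', function (Request $request) {
            $user = $request->user();

            // Assumed attribute: premium accounts bypass the search throttle.
            if ($user?->is_premium) {
                return Limit::none();
            }

            // Authenticated callers are keyed by user id so one account cannot
            // spread its quota across many source IPs; guests are keyed by IP.
            // Behind a proxy, $request->ip() is the real client address only
            // once trusted proxies are configured.
            $key = $user ? 'user:' . $user->id : 'ip:' . $request->ip();

            // Returning an array applies every limit; the request is refused
            // as soon as any one of them is exceeded. The broader per-IP limit
            // also caps a burst of freshly created accounts from one machine.
            return [
                Limit::perMinute(5)->by($key)
                    ->response(function (Request $request, array $headers) {
                        return response()->json([
                            'error' => 'Too many search requests; slow down.',
                        ], 429, $headers);
                    }),
                Limit::perMinute(60)->by('ip:' . $request->ip()),
            ];
        });
    }
}

// routes/api.php
use App\Http\Controllers\SearchController;
use Illuminate\Support\Facades\Route;

Route::middleware('throttle:search_api')
    ->post('/v1/heavy-search', [SearchController::class, 'execute']);

// tests/Feature/SearchRateLimitTest.php
namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class SearchRateLimitTest extends TestCase
{
    use RefreshDatabase;

    public function test_guest_is_throttled_after_five_requests(): void
    {
        // Assumed URL: routes/api.php is served under the default /api prefix.
        for ($i = 0; $i < 5; $i++) {
            $this->postJson('/api/v1/heavy-search', ['q' => 'widget'])->assertOk();
        }

        // Sixth request in the window: 429 with Retry-After and our JSON body.
        $this->postJson('/api/v1/heavy-search', ['q' => 'widget'])
            ->assertStatus(429)
            ->assertHeader('Retry-After')
            ->assertJsonPath('error', 'Too many search requests; slow down.');
    }

    public function test_premium_user_is_not_throttled(): void
    {
        // Assumed: the User factory can set the example is_premium column.
        $premium = User::factory()->create(['is_premium' => true]);

        for ($i = 0; $i < 20; $i++) {
            $this->actingAs($premium)
                ->postJson('/api/v1/heavy-search', ['q' => 'widget'])
                ->assertOk();
        }
    }
}
```

The test relies on the default testing cache driver (array), which gives every test a fresh set of counters; if your phpunit.xml points the cache at Redis or the database, clear the limiter keys between tests or the second test will inherit the first test's count. Running the guest test against the unthrottled route from the vulnerable section is a quick way to confirm the middleware is actually attached: it fails on the 429 assertion.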
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.