Rate Limiting
By Fingerprint
Per-fingerprint rate limiting applies limits based on a unique device/browser fingerprint. It provides more granular and robust identification than traditional methods like IP address or User-Agent.
Description
Theper_fingerprint limiter enforces request quotas using a device/browser fingerprint derived from multiple attributes. It is especially useful for anonymous traffic where no stable user ID is available.
Key Features
- Unique identification: Combines UserID, token, IP, and User-Agent into a single identifier
- Evasion resistance: Harder to bypass than IP-only limits
- Granularity: Enables device/browser-specific limits
- Integration: Works with the existing fingerprinting middleware
Configuration
Evaluation Order
Limits are checked in the following order (from most specific to most general):- per_fingerprint: Unique fingerprint limit
- per_ip: Client IP address limit
- per_user: Authenticated user limit
- global: Global limit
Requirements
- Fingerprinting middleware is enabled
- The fingerprint is generated automatically per request
- Compatible with all existing rate limiting types
Use Cases
Abuse protection
Graduated limits
Anonymous users
For unauthenticated users,per_fingerprint offers a more robust alternative to per_user:
Considerations
- Dependency: Requires the fingerprinting middleware to be configured
- Performance: Fingerprints are base64 strings; impact is minimal
- Fallback: If no fingerprint is available, “unknown” is used as the key
- Compatibility: Works alongside all other rate limiting types