Request Limits
Learning Focus
By the end of this lesson you will know how to configure request rate limits to prevent application-layer DDoS attacks.
What Request Limits Do
Request limits cap how many HTTP requests a single client IP can make in a time period. This protects against:
- Brute force login attempts
- Automated scraping
- Application-layer DoS attacks
- Excessive crawling
Key Settings
| Setting | Purpose | Example |
|---|---|---|
| Static Requests/Second | Rate for static file requests | 40 |
| Dynamic Requests/Second | Rate for PHP/dynamic requests | 5-10 |
Configuring in WebAdmin
- Server Configuration → Security → Per Client Throttling
- Set Static Requests/Second and Dynamic Requests/Second
- Save and Graceful Restart
Tuning Tips
| Site Type | Static Limit | Dynamic Limit |
|---|---|---|
| Standard site | 40 | 5 |
| API server | 10 | 20 |
| High-traffic CMS | 60 | 10 |
warning
Setting dynamic request limits too low can block legitimate users performing rapid actions (search, pagination, AJAX calls). Monitor before restricting.
Key Takeaways
- Request limits are your first line of defense against application-layer attacks.
- Set dynamic limits lower than static — dynamic requests are more expensive.
- Monitor and tune based on actual traffic patterns.
What's Next
- Continue to Connection Limits for concurrent connection controls.