What Is Rate Limiting in Adobe Commerce (Magento)?

Adobe Commerce (formerly Magento) supports rate limiting, which restricts the number of API requests that a user or IP address can make within a specific timeframe. As of Adobe Commerce 2.4.7, rate limiting can be implemented out-of-the-box to protect payment information transmitted using REST and GraphQL. 

Enabling rate limiting helps to protect against denial-of-service (DoS) attacks and carding attacks (in which attackers use brute force techniques to test thousands of credit card numbers to determine which are valid). More generally, it ensures fair usage of resources — but in certain cases, restrictive rate limiting can cause more problems than it solves. 

Below, we’ll discuss a few key points of rate limiting in Adobe Commerce and provide tips for troubleshooting common issues. If you need assistance with rate limiting, Blue Stingray’s Magento experts are ready to help. Send us a message to discuss your implementation.

Setting Up Rate Limiting in Adobe Commerce: A Basic Overview

To use rate limiting, most organizations will need a Redis (Remote Dictionary Server) instance, which stores the request logs that the limiter counts against. 

Redis is commonly used for two reasons: it is open source, and it is fast enough for the task. With that said, merchants hosting on Amazon EC2 typically use AWS ElastiCache instead. Adobe Developer provides an extensive Configure Redis topic that explains the basics of Redis installation and service connection configuration. 

By default, rate limiting is disabled. The bin/magento config:set command is used to set the parameters below and enable rate limits. All of these settings are also accessible to admins through Stores > Configuration > Sales > Sales > Rate Limiting.

Parameter                          Description
sales/backpressure/enabled         Enables rate limiting for placing orders.
sales/backpressure/disabled        Disables the rate limiting feature.
sales/backpressure/guest_limit     Sets the request limit per guest.
sales/backpressure/limit           Sets the request limit per authenticated customer.
sales/backpressure/period          Sets the number of seconds to wait until resetting the counter.

That’s all fairly straightforward: set a guest limit of “1” and a period of “1,” and guests can make only one request per second before receiving a 403 error. 

Of course, that’s a very strict limit that could potentially impact authentic users — which is exactly what you want to avoid if you decide to turn on rate limiting. 
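Added example, not code from the page or from Adobe Commerce itself: a small in-memory model of the per-identity counter the settings above describe, so a guest_limit/limit/period combination can be tried against a constructed burst of requests before it is applied with bin/magento config:set. The counter reset after `period` seconds, the 403 status and the separate guest/customer limits follow the text; the identity keys, timestamps and the fixed-window simplification are assumptions (the real implementation keeps its state in Redis).

```python
# Added example: in-memory model of the sales/backpressure window described
# above. NOT Adobe Commerce code; the real limiter stores its counters in Redis.
from dataclasses import dataclass, field


@dataclass
class BackpressureModel:
    """Fixed-window counter per identity; the counter resets `period`
    seconds after the first request of the window (assumed simplification)."""
    config: dict
    windows: dict = field(default_factory=dict)  # bucket -> (window_start, count)

    def _limit_for(self, is_guest: bool) -> int:
        key = "sales/backpressure/guest_limit" if is_guest else "sales/backpressure/limit"
        return int(self.config[key])

    def request(self, identity: str, is_guest: bool, now: float) -> int:
        """Return the HTTP status the store would answer with: 200 or 403."""
        if int(self.config.get("sales/backpressure/enabled", 0)) != 1:
            return 200  # feature disabled: nothing is counted
        period = int(self.config["sales/backpressure/period"])
        # Guests (keyed by IP here) and customers (keyed by id) never share a bucket.
        bucket = ("guest" if is_guest else "customer", identity)
        start, count = self.windows.get(bucket, (now, 0))
        if now - start >= period:  # window expired: reset the counter
            start, count = now, 0
        if count >= self._limit_for(is_guest):
            self.windows[bucket] = (start, count)
            return 403  # throttled, as the text describes
        self.windows[bucket] = (start, count + 1)
        return 200


def simulate(config: dict, requests: list) -> dict:
    """Replay (identity, is_guest, timestamp) tuples and count the statuses."""
    model = BackpressureModel(config)
    out = {200: 0, 403: 0}
    for identity, is_guest, ts in requests:
        out[model.request(identity, is_guest, ts)] += 1
    return out


# Constructed sample config: the strict one-guest-request-per-second case from the text.
STRICT = {"sales/backpressure/enabled": 1, "sales/backpressure/guest_limit": 1,
          "sales/backpressure/limit": 5, "sales/backpressure/period": 1}
# Constructed traffic: a guest double-submitting within a second, then retrying later.
GUEST_BURST = [("203.0.113.7", True, 0.0), ("203.0.113.7", True, 0.4), ("203.0.113.7", True, 1.2)]
```

Running `simulate(STRICT, GUEST_BURST)` shows the second submission rejected and the retry after the period accepted, which is the behaviour to weigh against real checkout retries before choosing such a low limit.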

Troubleshooting Issues with Adobe Commerce Rate Limiting

Whenever you’re setting rules to allocate server resources, it’s important to remember that those rules might affect the experiences of real-life users (and administrators, for that matter). 

Set the rate limits too low, and users might not be able to access their accounts during peak traffic periods, even with moderate usage. Set the rate limits too high, and you might as well turn the feature off; it’s not doing anything to improve security. 

Other consequences of poor rate limiting implementation might include:

  • Broken Extensions: Magento/Adobe Commerce extensions might be impacted, particularly if they’re intended to perform bulk actions (such as product updates) via a single API request.
  • Poor Performance: Slow local Redis servers can impact your store’s overall performance.
  • Uneven Security: Rate limiting won’t necessarily improve your site’s security. Applying the same limits to all endpoints may leave some areas more vulnerable than others.
  • Lost Time: Troubleshooting the rate limiting configuration may be time-consuming for your team. 
  • Missed Opportunities: Low limits could unintentionally throttle legitimate API usage from integrations or partners. If you fail to return a proper HTTP response (429: Too Many Requests), customers might think that your store’s broken — and even with a proper response, they might get frustrated.

To prevent these types of issues, you may need to differentiate the limits based on user roles, and you’ll certainly need to review and adjust your configuration on a regular basis. 

Depending on the nature of your content, you might need advanced rate limiting rules. You might also need to integrate rate limits with other security tools or develop custom modules for unique requirements. A qualified Adobe Commerce partner can be an extraordinary resource here. 

A St. Louis-Based Adobe Commerce Partner

As a Magento/Adobe Commerce partner, Blue Stingray can provide a robust and effective rate limiting solution that enhances security and optimizes performance — without reducing access for real users.

Find out more about Blue Stingray’s e-commerce services or sign up for a demo on our Magento/Adobe Commerce page.

Review a few of our Magento success stories: 

“Blue Stingray has been, and continues to be, a vital part of our e-commerce team.”

— TOPS Office Products