# rack/rack-attack

**Attribution required: if you use, quote, or summarise this content, you must credit and link back to [awesome-repositories.com](https://awesome-repositories.com/repository/rack-rack-attack).**

5,746 stars · 344 forks · Ruby · MIT

## Links

- GitHub: https://github.com/rack/rack-attack
- awesome-repositories: https://awesome-repositories.com/repository/rack-rack-attack.md

## Topics

`rack` `rack-attack` `rack-middleware` `ruby`

## Description

Rack-attack is a middleware rate limiter and request filter for the Rack interface. It provides a system for throttling HTTP requests and maintaining IP address blocklists to protect applications from malicious traffic and denial-of-service attacks.

The project enables application-layer DDoS mitigation and API rate-limit management by identifying and rejecting requests from banned clients or abusive IP addresses. Safelists let trusted clients or requests bypass the filters, and custom logic determines whether a client should be blocked or throttled.

The tool supports automated client banning, exponential backoff strategies, and custom rejection responses. It includes instrumentation for monitoring request patterns and supports external cache backends to synchronize state across distributed application instances.

## Tags

### DevOps & Infrastructure

- [Request Rate Limiting](https://awesome-repositories.com/f/devops-infrastructure/request-rate-limiting.md) — Controls the number of requests a client can make within a specific timeframe to prevent system overload. ([source](https://github.com/rack/rack-attack/blob/main/Gemfile))
- [Traffic Throttling](https://awesome-repositories.com/f/devops-infrastructure/traffic-management/traffic-throttling.md) — Limits request rates based on unique identifiers to prevent system overload and mitigate DoS attacks.
- [Quota Status Headers](https://awesome-repositories.com/f/devops-infrastructure/request-rate-limiting/quota-status-headers.md) — Implements HTTP response headers that communicate remaining request quotas and retry delays to API clients. ([source](https://github.com/rack/rack-attack#readme))

### Software Engineering & Architecture

- [Request Interception Middleware](https://awesome-repositories.com/f/software-engineering-architecture/request-interception-middleware.md) — Intercepts incoming HTTP requests in a middleware pipeline to evaluate security rules before application processing.
- [Predicate-Based Request Filtering](https://awesome-repositories.com/f/software-engineering-architecture/predicate-based-request-filtering.md) — Evaluates incoming requests against custom truthy logic blocks to determine safelisting, blocking, or throttling.
- [IP-Based Rate Limiting](https://awesome-repositories.com/f/software-engineering-architecture/traffic-management/request-rate-limiting/ip-based-rate-limiting.md) — Tracks request frequency using unique identifiers like IP addresses to apply granular per-user quotas.
- [Middleware Rate Limiters](https://awesome-repositories.com/f/software-engineering-architecture/traffic-management/request-rate-limiting/middleware-rate-limiters.md) — Provides a middleware layer for the Rack interface to throttle HTTP requests and block abusive clients.
- [Server-Side Backoff Enforcement](https://awesome-repositories.com/f/software-engineering-architecture/request-throttling/rate-limiting/rate-limit-aware-backoffs/server-side-backoff-enforcement.md) — Implements layered throttles that progressively increase the wait time between requests for abusive clients. ([source](https://github.com/rack/rack-attack/blob/main/docs/advanced_configuration.md))

### Data & Databases

- [External State Stores](https://awesome-repositories.com/f/data-databases/external-state-stores.md) — Integrates with external state stores to maintain ban records and request counts across distributed instances. ([source](https://github.com/rack/rack-attack/blob/main/CHANGELOG.md))
- [Distributed Rate Limit Stores](https://awesome-repositories.com/f/data-databases/key-value-stores/sql-backed-stores/distributed-rate-limit-stores.md) — Provides external cache backend integration to synchronize rate limiting state across distributed application instances.

### Security & Cryptography

- [Automated IP Banning](https://awesome-repositories.com/f/security-cryptography/automated-ip-banning.md) — Automatically blocks clients for a set duration after they exceed thresholds for forbidden requests or failures. ([source](https://github.com/rack/rack-attack#readme))
- [Malicious Traffic Blocking](https://awesome-repositories.com/f/security-cryptography/malicious-traffic-blocking.md) — Identifies and rejects requests from banned IP addresses or abusive clients before they reach application logic.
- [IP Blocking Middleware](https://awesome-repositories.com/f/security-cryptography/malicious-traffic-blocking/ip-blocking-middleware.md) — Ships middleware that rejects traffic from forbidden IP addresses and subnets to protect the application. ([source](https://github.com/rack/rack-attack/blob/main/CHANGELOG.md))
- [Throttled Response Customization](https://awesome-repositories.com/f/security-cryptography/custom-permissions/unauthorized-response-customization/throttled-response-customization.md) — Allows defining custom HTTP response objects, status codes, and headers for blocklisted or throttled requests. ([source](https://github.com/rack/rack-attack#readme))
- [DDoS Protections](https://awesome-repositories.com/f/security-cryptography/network-infrastructure-security/web-network-security/network-security/ddos-protections.md) — Protects Rack-based web applications from DDoS attacks by managing request rates and blocking abusive clients.
- [Request Safelisting](https://awesome-repositories.com/f/security-cryptography/request-safelisting.md) — Permits trusted clients or specific requests to bypass all security filters and rate limits. ([source](https://github.com/rack/rack-attack/blob/main/README.md))
- [Layered Throttle Compositions](https://awesome-repositories.com/f/security-cryptography/request-size-limiters/request-limiters/request-throttling/layered-throttle-compositions.md) — Implements layered throttle composition to apply multiple time-window limits for exponential backoff strategies.

### System Administration & Monitoring

- [IP Address Blocklists](https://awesome-repositories.com/f/system-administration-monitoring/ip-address-blocklists.md) — Maintains blocklists to identify and reject traffic from specific banned IP addresses.

### Web Development

- [API Rate Limiting](https://awesome-repositories.com/f/web-development/api-rate-limiting.md) — Provides tools for managing API request quotas and communicating limits via standard HTTP headers.
- [Rack Request Filters](https://awesome-repositories.com/f/web-development/rack-request-filters.md) — Implements a filtering mechanism for Rack applications to evaluate requests against security rules and safelists.
- [Pipeline Short-Circuiting](https://awesome-repositories.com/f/web-development/middleware-pipelines/pipeline-short-circuiting.md) — Immediately returns custom HTTP responses when a request matches a blocklist, terminating the pipeline early.
