Back to Linter
Infosecurity

Rate Limiting Disabled

How Nginx rate limiting protects against brute-force and DDoS attacks.

What This Rule Checks

This rule checks whether rate limiting is configured for your server.

Why It Matters

Without rate limiting, a single client can flood your server with requests. This enables brute-force attacks on login pages, API abuse, and denial-of-service attacks. Nginx's built-in `limit_req` module is lightweight and effective.

Bad — Triggers this rule

server {
    listen 80;
    server_name api.example.com;
    # No rate limiting — unlimited requests allowed
}

Good — Passes this rule

limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

server {
    listen 80;
    server_name api.example.com;

    location / {
        limit_req zone=api burst=20 nodelay;
        proxy_pass http://localhost:3000;
    }
}

How to Fix

Enable rate limiting in Configen's Security section. Set a reasonable rate (e.g., 10 requests/second) with a burst allowance.

Related Rules

security-headers-missingsecurity-server-tokens

Check your config now

Paste your nginx.conf and get instant feedback on 20+ rules.

Open Linter →