Adding Rate Limiting in Caddy


Dec 23, 2025



Rate limiting helps protect your application from abuse, brute-force attacks, and accidental traffic spikes by restricting how many requests a client can make within a given time window.

Caddy provides rate limiting using the built-in rate_limit handler.


Basic Rate Limiting for a Domain

Example: Allow 100 requests per minute per client IP.

example.com {
    rate_limit {
        zone api {
            key {remote_host}
            events 100
            window 1m
        }
    }

    reverse_proxy localhost:3000
}

  • key {remote_host} → identifies each client by its IP address

  • events → number of requests allowed per window

  • window → time period over which requests are counted

Requests exceeding the limit are automatically rejected.


Rate Limit Only Specific Routes

Example: Rate limit the /login endpoint to prevent brute-force attacks.

example.com {
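
    # handle (not handle_path) is used so the /login prefix is kept on the
    # proxied request; handle_path would strip it before reverse_proxy runs.
    handle /login* {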
        rate_limit {
            zone login {
                key {remote_host}
                events 10
                window 1m
            }
        }
        reverse_proxy localhost:3000
    }

    handle {
        reverse_proxy localhost:3000
    }
}

This keeps the rest of your application unrestricted.
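
To see what the two zones above do to real traffic, here is an added example (not part of the original post and not Caddy's own code) that models a zone's key / events / window settings in Python and replays constructed login traffic through the login zone. It assumes sliding-window counting per key; the class and function names and the sample IP addresses are made up for illustration.

```python
from collections import defaultdict, deque


class Zone:
    """Model of one rate_limit zone: at most `events` requests per `window` seconds per key.
    Assumption: a sliding window, where a slot frees up once the oldest event ages out."""

    def __init__(self, events, window):
        self.events, self.window = events, window
        self.seen = defaultdict(deque)  # key -> timestamps of admitted requests

    def allow(self, key, now):
        """Return (allowed, retry_after_seconds) for a request from `key` at time `now`."""
        q = self.seen[key]
        while q and now - q[0] >= self.window:  # drop events that left the window
            q.popleft()
        if len(q) < self.events:
            q.append(now)
            return True, 0.0
        return False, q[0] + self.window - now  # wait until the oldest event expires


def replay(zone, requests):
    """Feed (timestamp, remote_host) pairs through a zone; count outcomes per host."""
    stats = defaultdict(lambda: {"allowed": 0, "rejected": 0})
    for now, host in requests:
        ok, _ = zone.allow(host, now)
        stats[host]["allowed" if ok else "rejected"] += 1
    return dict(stats)


def sample_login_traffic():
    """Constructed sample: one host hits /login every second for two minutes,
    another host logs in three times over the same period."""
    guesser = [(float(t), "203.0.113.7") for t in range(120)]
    normal = [(5.0, "198.51.100.20"), (40.0, "198.51.100.20"), (90.0, "198.51.100.20")]
    return sorted(guesser + normal)


if __name__ == "__main__":
    login = Zone(events=10, window=60)  # mirrors: zone login { events 10; window 1m }
    for host, counts in replay(login, sample_login_traffic()).items():
        print(host, counts)
```

Under this model the guessing host gets 20 of its 120 attempts through in two minutes, while the normal user on a different IP is never rejected because each key is counted separately.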