ASP.NET - Request Throttling Middleware
Request throttling limits how many requests a client can send to the server within a specific time window. Its main goal is to protect the application from overload, abuse or accidental traffic spikes by slowing down excessive requests instead of letting them exhaust server resources.
Why Throttling Is Needed
Without throttling, a single user or script can send too many requests and affect other users. Throttling helps maintain fairness, keeps response times stable and prevents denial-of-service–like situations. It is especially important for public APIs and login or search endpoints.
How Throttling Works Internally
The middleware tracks requests based on an identifier such as IP address, API key or user ID. It counts how many requests occur within a defined time period. If the limit is exceeded, the middleware blocks further requests and returns an error response instead of allowing the request to reach the endpoint.
Fixed Window and Sliding Window Logic
In a fixed window approach, requests are counted in a strict time block, such as 100 requests per minute. In a sliding window approach, limits are calculated continuously based on recent activity, giving smoother control. ASP.NET Core supports these strategies through built-in rate limiting features.
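The difference between the two strategies shows up at a window boundary, where a fixed window resets its counter and a client can briefly exceed the intended rate. The following C# program is an added example, not code from the original page, and it runs both counting rules over the same constructed arrival times with a limit of 5 requests per 10 seconds. The class name WindowDemo, the timestamps and the timestamp-log form of the sliding window are assumptions made for illustration; ASP.NET Core's own sliding window limiter counts per segment rather than keeping a log.

```csharp
using System;
using System.Collections.Generic;

static class WindowDemo
{
    const int Limit = 5;          // permits per window
    const double Window = 10.0;   // window length in seconds

    // Fixed window: the counter resets whenever a new time block starts.
    static int CountFixed(double[] arrivals)
    {
        long block = -1;
        int used = 0, allowed = 0;
        foreach (double t in arrivals)
        {
            long current = (long)Math.Floor(t / Window);
            if (current != block) { block = current; used = 0; }
            if (used < Limit) { used++; allowed++; }
        }
        return allowed;
    }

    // Sliding window (timestamp log): only requests admitted during the
    // last Window seconds count against the limit.
    static int CountSliding(double[] arrivals)
    {
        var admitted = new Queue<double>();
        int allowed = 0;
        foreach (double t in arrivals)
        {
            // Drop admitted requests that have aged out of the window.
            while (admitted.Count > 0 && admitted.Peek() <= t - Window)
                admitted.Dequeue();
            if (admitted.Count < Limit) { admitted.Enqueue(t); allowed++; }
        }
        return allowed;
    }

    static void Main()
    {
        // Constructed sample (seconds): 5 requests just before the window
        // boundary at t = 10 and 5 more just after it, from one client.
        double[] arrivals = { 9.0, 9.2, 9.4, 9.6, 9.8, 10.0, 10.1, 10.2, 10.3, 10.4 };

        Console.WriteLine($"fixed window admitted:   {CountFixed(arrivals)} of {arrivals.Length}");
        Console.WriteLine($"sliding window admitted: {CountSliding(arrivals)} of {arrivals.Length}");
    }
}
```

On this input the fixed window admits all 10 requests within 1.4 seconds because its counter resets at t = 10, while the sliding log admits 5.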
Middleware Placement Matters
Throttling middleware should be placed early in the pipeline so blocked requests do not waste processing time. By stopping requests before they reach business logic or databases, server load stays low and predictable.
Why Throttling Improves Stability
Request throttling protects system performance and availability. It ensures that normal users are not affected by heavy traffic sources and helps services remain responsive under load.
Example (ASP.NET Core Built-in Rate Limiting)
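using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;

var builder = WebApplication.CreateBuilder(args);

// Add rate limiting
builder.Services.AddRateLimiter(options =>
{
    // Rejected requests return 429; the framework default is 503
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // One fixed-window counter per client IP address
    options.AddPolicy("fixed", context =>
        RateLimitPartition.GetFixedWindowLimiter(
            partitionKey: context.Connection.RemoteIpAddress?.ToString() ?? "unknown",
            factory: _ => new FixedWindowRateLimiterOptions
            {
                Window = TimeSpan.FromSeconds(10),
                PermitLimit = 5,
                QueueLimit = 0
            }));
});

var app = builder.Build();

// Enable rate limiting middleware
app.UseRateLimiter();

app.MapGet("/api/data", () => "Request successful")
    .RequireRateLimiting("fixed");

app.Run();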
Behavior
- Maximum 5 requests every 10 seconds per client
- Extra requests receive HTTP 429 (Too Many Requests)
- Server remains protected from excessive traffic