Rate Limit Middleware for PHP
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.


Rate Limit Middleware for PHP

Build Status Latest Stable Version Total Downloads Coverage Status

LosRateLimit is a php middleware to implement a rate limit.

First, the middleware will look for an X-Api-Key header to use as key. If not found, it will fallback to the remote IP.

Each one, has it's own limits (see configuration bellow).

Attention! This middleware does not validate the Api Key, you must add a middleware before this one to validate it.


  • PHP >= 7.1
  • Psr\HttpMessage

This middleware uses one of the pre-implemented storages:

  • Apc (default)
  • Array
  • Aura Session
  • File
  • Zend Session

But you can implement your own, like a DB storage. Just implement the StorageInterface.


php composer.phar require los/los-rate-limit


'los_rate_limit' => [
    'max_requests' => 100,
    'reset_time' => 3600,
    'ip_max_requests' => 100,
    'ip_reset_time' => 3600,
    'api_header' => 'X-Api-Key',
    'trust_forwarded' => false,
    'prefer_forwarded' => false,
    'forwarded_headers_allowed' => [
    'forwarded_ip_index' => null,
    'headers' => [
        'limit' => 'X-RateLimit-Limit',
        'remaining' => 'X-RateLimit-Remaining',
        'reset' => 'X-RateLimit-Reset',
    'keys' => [
        'b9155515728fa0f69d9770f7877cb50a' => [
            'max_requests' => 100,
            'reset_time' => 3600,
    'ips' => [
        '' => [
            'max_requests' => 100,
            'reset_time' => 3600,
  • max_requests How many requests are allowed before the reset time (using API Key)
  • reset_time After how many seconds the counter will be reset (using API Key)
  • ip_max_requests How many requests are allowed before the reset time (using remote IP Key)
  • ip_reset_time After how many seconds the counter will be reset (using remote IP Key)
  • api_header Header name to get the api key from.
  • trust_forwarded If the X-Forwarded (and similar) headers and be trusted. If not, only $_SERVER['REMOTE_ADDR'] will be used.
  • prefer_forwarded Whether forwarded headers should be used in preference to the remote address, e.g. if all requests are forwarded through a routing component or reverse proxy which adds these headers predictably. This is a bad idea unless your app can only be reached this way.
  • forwarded_headers_allowed An array of strings which are headers you trust to contain source IP addresses.
  • forwarded_ip_index If null (default), the first plausible IP in an XFF header (reading left to right) is used. If numeric, only a specific index of IP is used. Use -2 to get the penultimate IP from the list, which could make sense if the header always ends ...<client_ip>, <router_ip>. Or use 0 to use only the first IP (stopping if it's not valid). Like prefer_forwarded, this only makes sense if your app's always reached through a predictable hop that controls the header - remember these are easily spoofed on the initial request.
  • keys Specify different max_requests/reset_time per api key
  • ips Specify different max_requests/reset_time per IP

The values above indicate that the user can trigger 100 requests per hour.

If you want to disable ip access (e.g. allowing just access via X-Api-Key), just set ip_max_requests to 0 (zero).


Just add the middleware as one of the first in your application.

Zend Expressive

If you are using expressive-skeleton, you can copy config/los-rate-limit.local.php.dist to config/autoload/los-rate-limit.local.php and modify configuration as your needs.