Protected paths
- Tier: Free, Premium, Ultimate
- Offering: GitLab Self-Managed
Rate limiting is a technique that improves the security and durability of a web application. For more details, see Rate limits.
You can rate limit (protect) specified paths. For these paths, GitLab responds with HTTP status code 429 to POST requests that exceed 10 requests per minute per IP address and GET requests that exceed 10 requests per minute per IP address at protected paths.
For example, the following are limited to a maximum of 10 requests per minute:
- User sign-in
- User sign-up (if enabled)
- User password reset
After 10 requests, the client must wait 60 seconds before it can try again.
See also:
- List of paths protected by default.
- User and IP rate limits for the headers returned to blocked requests.
Configure protected paths
Throttling of protected paths is enabled by default and can be disabled or customized.
- On the left sidebar, at the bottom, select Admin.
- Select Settings > Network.
- Expand Protected paths.
Requests that exceed the rate limit are logged in auth.log.
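An added example, not part of the GitLab documentation: a triage script that summarizes throttled requests per client IP from the log, so repeated hits on sign-in or password reset stand out. It assumes JSON log lines with the fields `message`, `env`, `remote_ip`, `request_method`, `path` and `time`; those field names, the `sustained_minutes` threshold and the sample lines are assumptions constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample. Field names and values are assumptions, not taken from the page.
SAMPLE_LOG = """\
{"time":"2024-05-01T10:00:05.000Z","message":"Rack_Attack","env":"throttle","remote_ip":"203.0.113.7","request_method":"POST","path":"/users/sign_in"}
{"time":"2024-05-01T10:00:40.000Z","message":"Rack_Attack","env":"throttle","remote_ip":"198.51.100.20","request_method":"GET","path":"/users/password/new"}
plain text line that is not JSON
{"time":"2024-05-01T10:01:07.000Z","message":"Rack_Attack","env":"throttle","remote_ip":"203.0.113.7","request_method":"POST","path":"/users/sign_in"}
{"time":"2024-05-01T10:01:30.000Z","message":"Other event","remote_ip":"192.0.2.5"}
{"time":"2024-05-01T10:02:09.000Z","message":"Rack_Attack","env":"throttle","remote_ip":"203.0.113.7","request_method":"POST","path":"/users/sign_in"}
{"time":"2024-05-01T10:02:30.000Z","message":"Rack_Attack","env":"throttle","remote_ip":"203.0.113.7","request_method":"POST","path":"/users/sign_in"}
"""

def throttle_events(text):
    """Yield (minute, ip, method, path) for each throttle record; skip anything else."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
            if rec["message"] != "Rack_Attack" or rec["env"] != "throttle":
                continue
            ts = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%S.%fZ")
            yield (ts.replace(second=0, microsecond=0), rec["remote_ip"],
                   rec["request_method"], rec["path"])
        except (ValueError, KeyError, TypeError):
            continue  # not JSON, not an object, or missing an expected field

def summarize(text, sustained_minutes=3):
    """Per IP: event count, (method, path) pairs, and whether throttling spans several minutes."""
    seen = defaultdict(lambda: {"count": 0, "targets": set(), "minutes": set()})
    for minute, ip, method, path in throttle_events(text):
        seen[ip]["count"] += 1
        seen[ip]["targets"].add((method, path))
        seen[ip]["minutes"].add(minute)
    return {
        ip: {"count": s["count"], "targets": sorted(s["targets"]),
             # The limit resets every minute, so hits in many distinct minutes mean
             # the client keeps retrying through the throttle.
             "sustained": len(s["minutes"]) >= sustained_minutes}
        for ip, s in seen.items()
    }

if __name__ == "__main__":
    for ip, info in sorted(summarize(SAMPLE_LOG).items()):
        print(ip, info)
```

Compare the field names against a few real lines from your instance before relying on the output, and adjust the filter if they differ.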