Rate limiting is a technique that improves the security and durability of a web application. For more details, see Rate limits.
You can rate limit (protect) specified paths. For these paths, GitLab responds with HTTP status
429 to POST requests at protected paths that exceed 10 requests per minute per IP address.
For example, the following are limited to a maximum 10 requests per minute:
- User sign-in
- User sign-up (if enabled)
- User password reset
After 10 requests, the client must wait 60 seconds before it can try again.
- List of paths protected by default.
- User and IP rate limits for the headers returned to blocked requests.
Introduced in GitLab 12.4.
Throttling of protected paths is enabled by default and can be disabled or customized on Admin > Network > Protected Paths, along with these options:
- Maximum number of requests per period per user.
- Rate limit period in seconds.
- Paths to be protected.
Requests over the rate limit are logged into