Traffic Control · Coming soon
Rate Limiter Module
Sliding-window rate limiting done right: IP/user isolation, standard 429 headers, and the fail-open degradation that most teams get wrong when they hand-roll it.
What it defends
HARDENED is scored on the four universal axes. Where an axis falls outside this module’s job it is marked N/A and justified in the security design doc — never quietly skipped.
| Judgment axis | FREE | HARDENED |
|---|---|---|
| 1 · Access Control | — | N/A — Not an auth module — access control is out of scope by design, documented in the security design doc. |
| 2 · Input & Abuse Defense | — | ✓ Abuse-pattern detection + per-endpoint differentiated limits (the module's core). |
| 3 · Safe Failure | — | ✓ Distributed graceful degradation (fail-open + alerting) with context-separated responses. |
| 4 · Accountability | — | ✓ Limit-exceeded events logged for accountability. |
What’s in the box
| Deliverable | FREE | HARDENED |
|---|---|---|
| Core counter algorithm (source, SSPL) | ✓ | ✓ |
| Sliding-window counter (Redis) | — | ✓ |
| IP- and user-ID-based isolation | — | ✓ |
| Automatic 429 + standard rate-limit headers | — | ✓ |
| Per-endpoint differentiated limits | — | ✓ |
| Abuse-pattern detection | — | ✓ |
| Distributed graceful degradation (fail-open + alerts) | — | ✓ |
| TypeScript SDK | — | ✓ |
| Docker production image (hardened defaults) | — | ✓ |
| Security design doc (the why behind each choice) | — | ✓ |
| Lifetime updates | — | ✓ |
FAQ
Sliding window or fixed window — and why does it matter?
It uses a sliding-window counter. A fixed window lets a caller fire a full quota at the very end of one window and another full quota at the start of the next — effectively double your intended rate at the boundary. The sliding window smooths that out, so the limit you configure is the limit you actually enforce.
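The boundary double-burst described above, as an added TypeScript example that is not the module's code: it compares a fixed-window bucket with the timestamp-log variant of a sliding window (my choice of variant; the module's Redis counter may differ) on constructed timestamps.

```typescript
// Added example: fixed-window vs sliding-window limiting at a window boundary.
// Both limiters are in-memory; a production build would keep the state in Redis.
type Decision = { allowed: boolean; remaining: number };

// Fixed window: one bucket per window, reset at every boundary.
class FixedWindowLimiter {
  private counts = new Map<string, { win: number; n: number }>();
  constructor(private limit: number, private windowMs: number) {}
  check(key: string, nowMs: number): Decision {
    const win = Math.floor(nowMs / this.windowMs);
    const cur = this.counts.get(key);
    const n = cur && cur.win === win ? cur.n : 0; // a new window starts from zero
    if (n >= this.limit) return { allowed: false, remaining: 0 };
    this.counts.set(key, { win, n: n + 1 });
    return { allowed: true, remaining: this.limit - n - 1 };
  }
}

// Sliding window (timestamp-log variant): count only the hits inside the
// trailing windowMs, whatever the wall-clock boundary. A Redis build would use
// a sorted set and ZREMRANGEBYSCORE for the pruning step.
class SlidingWindowLimiter {
  private log = new Map<string, number[]>(); // per-key timestamps, oldest first
  constructor(private limit: number, private windowMs: number) {}
  check(key: string, nowMs: number): Decision {
    const stamps = this.log.get(key) ?? [];
    while (stamps.length > 0 && stamps[0] <= nowMs - this.windowMs) stamps.shift();
    if (stamps.length >= this.limit) {
      this.log.set(key, stamps);
      return { allowed: false, remaining: 0 };
    }
    stamps.push(nowMs);
    this.log.set(key, stamps);
    return { allowed: true, remaining: this.limit - stamps.length };
  }
}

// Constructed scenario: `limit` requests 1 ms before a boundary, then `limit`
// more 1 ms after it. Returns how many the limiter admitted in total.
function boundaryBurst(
  limiter: { check(key: string, nowMs: number): Decision },
  limit: number,
  windowMs: number,
): number {
  let admitted = 0;
  for (let i = 0; i < limit; i++) if (limiter.check("203.0.113.7", windowMs - 1).allowed) admitted++;
  for (let i = 0; i < limit; i++) if (limiter.check("203.0.113.7", windowMs + 1).allowed) admitted++;
  return admitted;
}
```

With a limit of 10 per second, the fixed window admits 20 requests in two milliseconds while the sliding window admits 10.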
Does it work across multiple servers or instances?
Yes. Counters live in Redis, so every instance shares one view of a caller's usage. Horizontal scaling won't quietly multiply your effective limit the way per-process in-memory counters do.
What happens if Redis goes down?
It degrades gracefully — fail-open, so a limiter outage never takes your API down with it — and it raises an alert so you know the limiter is running unprotected instead of failing silently.
Can I set different limits per endpoint?
Yes. Per-endpoint differentiated limits are built in — a cheap read and an expensive write don't have to share one blanket number. Limits are also isolated per IP and per user ID, so one noisy client can't spend everyone else's budget.
What does abuse-pattern detection actually catch?
It flags traffic shapes a plain counter misses — bursts spread across many IPs, credential-stuffing-style retries, and clients that pace themselves to sit just under a static limit. These feed the limit-exceeded log so you can see abuse, not just block it.
Why is Access Control marked N/A on the defense matrix?
A rate limiter throttles traffic; it does not decide who is allowed in. Authentication is a separate module's responsibility (see API Key Manager). We mark the axis N/A and document why in the design doc rather than implying coverage we don't provide.
Does it return standard 429 responses and headers?
Yes. Over-limit requests get a 429 with the standard rate-limit headers automatically, so well-behaved clients can back off on their own. Every limit-exceeded event is logged for after-the-fact accountability.
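The fail-open behaviour from the Redis-outage answer above and the 429-plus-headers behaviour in this answer, as one added TypeScript example that is not the module's code: the backend interface, the header names (IETF draft RateLimit-* fields plus HTTP Retry-After, my reading of "standard") and the two constructed backends are assumptions.

```typescript
// Added example: fail-open degradation plus standard 429 headers around any
// counter backend. Backend shape and the constructed backends are assumptions.
interface Hit { count: number; resetAtMs: number }          // count includes this request
interface Backend { hit(key: string, nowMs: number): Hit }  // a Redis backend would be async
interface Outcome { status: 200 | 429; headers: Record<string, string>; degraded: boolean }

// Isolate the backend call so a thrown error becomes a value we can branch on.
function tryHit(backend: Backend, key: string, nowMs: number): Hit | Error {
  try {
    return backend.hit(key, nowMs);
  } catch (err) {
    return err instanceof Error ? err : new Error(String(err));
  }
}

function enforce(backend: Backend, key: string, limit: number, nowMs: number,
                 alert: (msg: string) => void): Outcome {
  const res = tryHit(backend, key, nowMs);
  if (res instanceof Error) {
    // Fail-open: a limiter outage must not become an API outage. Admit the
    // request, but raise an alert because the API is now running unprotected.
    alert(`rate limiter degraded, admitting unthrottled: ${res.message}`);
    return { status: 200, headers: {}, degraded: true };
  }
  // IETF draft RateLimit-* fields plus HTTP Retry-After, so clients can back off.
  const resetSec = Math.max(0, Math.ceil((res.resetAtMs - nowMs) / 1000));
  const headers: Record<string, string> = {
    "RateLimit-Limit": String(limit),
    "RateLimit-Remaining": String(Math.max(0, limit - res.count)),
    "RateLimit-Reset": String(resetSec),
  };
  if (res.count > limit) {
    headers["Retry-After"] = String(resetSec);
    return { status: 429, headers, degraded: false };
  }
  return { status: 200, headers, degraded: false };
}

// Constructed backends for the demo: a simple in-memory window, and one that
// always throws, standing in for an unreachable Redis.
function memoryBackend(windowMs: number): Backend {
  const buckets = new Map<string, { n: number; resetAtMs: number }>();
  return {
    hit(key, nowMs) {
      let b = buckets.get(key);
      if (!b || nowMs >= b.resetAtMs) { b = { n: 0, resetAtMs: nowMs + windowMs }; buckets.set(key, b); }
      b.n += 1;
      return { count: b.n, resetAtMs: b.resetAtMs };
    },
  };
}
const downBackend: Backend = { hit() { throw new Error("ECONNREFUSED redis:6379"); } };
```

The `degraded` flag is what the limit-exceeded log and the alert pipeline should key on, so an outage window is visible after the fact rather than blending into normal 200s.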
Is it really a one-time payment?
Yes. You pay once and receive every future update of that module for free — there is no subscription, and no per-seat or per-request billing. New versions are pushed through Gumroad to everyone who bought the module.
What exactly does HARDENED add over the FREE core?
FREE is the core algorithm, published so you can read and verify the approach. HARDENED is the production layer around it — everything in the deliverables table above: the SDK, the Docker image, the operational defenses, and the security design doc that explains why each decision was made.
What license is the FREE core under?
SSPL. You can read, run, and verify the core algorithm in the open. The license blocks repackaging it as a competing commercial service; normal use inside your own product is fine.
How is the module delivered, and what do I get at checkout?
Through Gumroad. After checkout you receive a download with the source, the Docker image reference, and your license key by email — there is no separate account to manage on this site.
What if it doesn't fit my stack?
Read the FREE core first. It is public precisely so you can confirm the design and the integration shape before paying for HARDENED — if the approach doesn't match your stack, you'll know before you buy.
How do I get support and security updates?
Every module ships with a security design doc covering intended behavior and trade-offs, and update notes are published with each release. AUDITED modules add 30 days of email security Q&A; HARDENED does not include bespoke support.