# How to Configure Rate Limiting
Rate limiting is enabled by default in Framework M to protect against brute-force attacks and resource exhaustion.
## Global Configuration
You can control the global rate limit using environment variables:
| Variable | Description | Default |
|---|---|---|
| `FRAMEWORK_M_RATE_LIMIT_REQUESTS` | Number of requests allowed per unit | 60 (prod), 300 (dev) |
| `FRAMEWORK_M_RATE_LIMIT_UNIT` | Time unit (`second`, `minute`, `hour`, `day`) | `minute` |
| `FRAMEWORK_M_RATE_LIMIT_EXCLUDE` | Regex pattern for paths to exclude | (None) |
## Route-Level Overrides

For sensitive endpoints like login or heavy reporting, use the `@rate_limit` decorator to apply granular policies:
```python
from framework_m_standard.adapters.web.decorators import rate_limit

@get("/login")
@rate_limit(requests=5, unit="minute")  # Strict policy for brute-force protection
async def login_handler():
    ...  # handler body
```
## Distributed Rate Limiting (Redis)
In a multi-node production environment, you must use Redis to synchronize counters across all workers.
- Install Redis (or use a managed service).
- Set the environment variable:

  ```bash
  export REDIS_URL="redis://localhost:6379/0"
  ```

- Framework M will automatically detect `REDIS_URL` and switch from the in-memory store to the `RedisStore` adapter.
## Bypassing for CI/Internal Traffic
In CI environments where you perform high-frequency automated tests or screenshot captures, you can disable the middleware entirely:
```bash
export FRAMEWORK_M_RATE_LIMIT_EXCLUDE=".*"
```

> [!WARNING]
> Only use `.*` in trusted CI or local development environments. Never use this in production.
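The following is an added example, not Framework M's own code: it resolves the global policy from the three `FRAMEWORK_M_RATE_LIMIT_*` variables and `REDIS_URL` described above, then runs the two deployment checks this page implies (an exclude pattern that strips limiting from sensitive paths in production, and a multi-node deployment still on the in-memory store). It assumes the exclude regex is matched against the whole request path; `PROBE_PATHS` is a constructed sample.

```python
import re
from dataclasses import dataclass
from typing import Mapping, Optional

# Time units the page lists for FRAMEWORK_M_RATE_LIMIT_UNIT, in seconds.
UNIT_SECONDS = {"second": 1, "minute": 60, "hour": 3600, "day": 86400}
# Constructed sample of sensitive paths used to probe the exclude pattern.
PROBE_PATHS = ("/login", "/api/reports/export", "/admin/users")

@dataclass(frozen=True)
class RateLimitPolicy:
    requests: int                  # requests allowed per window
    unit: str                      # key of UNIT_SECONDS
    exclude: Optional[re.Pattern]  # compiled FRAMEWORK_M_RATE_LIMIT_EXCLUDE, or None
    store: str                     # "redis" when REDIS_URL is set, else "memory"

    @property
    def window_seconds(self) -> int:
        return UNIT_SECONDS[self.unit]

    def applies_to(self, path: str) -> bool:
        # Assumption: the exclude regex is matched against the whole path.
        return self.exclude is None or self.exclude.fullmatch(path) is None

def load_policy(env: Mapping[str, str], production: bool) -> RateLimitPolicy:
    """Resolve the global policy from the variables in the table above."""
    requests = int(env.get("FRAMEWORK_M_RATE_LIMIT_REQUESTS", 60 if production else 300))
    if requests <= 0:
        raise ValueError("FRAMEWORK_M_RATE_LIMIT_REQUESTS must be a positive integer")
    unit = env.get("FRAMEWORK_M_RATE_LIMIT_UNIT", "minute")
    if unit not in UNIT_SECONDS:
        raise ValueError(f"unknown FRAMEWORK_M_RATE_LIMIT_UNIT: {unit!r}")
    raw = env.get("FRAMEWORK_M_RATE_LIMIT_EXCLUDE", "")
    exclude = re.compile(raw) if raw else None
    store = "redis" if env.get("REDIS_URL") else "memory"
    return RateLimitPolicy(requests, unit, exclude, store)

def audit_policy(policy: RateLimitPolicy, production: bool, multi_node: bool) -> list:
    """Return deployment findings; an empty list means the policy passes."""
    findings = []
    unprotected = [p for p in PROBE_PATHS if not policy.applies_to(p)]
    if production and unprotected:
        findings.append(f"exclude pattern removes rate limiting from {unprotected}")
    if multi_node and policy.store == "memory":
        findings.append("multi-node deployment without REDIS_URL: counters are per-worker")
    return findings
```

Run `audit_policy(load_policy(os.environ, production=True), True, True)` from a deploy hook to catch the `.*` bypass before it reaches production.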