AnonRateThrottle in Django REST framework

valentinogagliardi · March 31, 2021, 7:36am

Hi there! I’ve been experimenting with throttling in DRF, and I noticed that rest_framework.throttling.AnonRateThrottle does not work as I was expecting. Does this throttle class limit nonauthenticated users? The following configuration described in DRF docs does work well for authenticated users, but it does not rate limit anonymous users:

REST_FRAMEWORK = {
    'DEFAULT_THROTTLE_CLASSES': [
        'rest_framework.throttling.AnonRateThrottle',
        'rest_framework.throttling.UserRateThrottle'
    ],
    'DEFAULT_THROTTLE_RATES': {
        'anon': '100/day',
        'user': '1000/day'
    }
}

Am I missing something? Thanks!

CodenameTim · March 31, 2021, 10:23pm

That looks correct to me. How are you testing this and what results are you seeing?

Take a look at the DRF source code and how it generates the unique ID for the anonymous user. It’s possible your test case is being considered unique anonymous users.

Topic		Replies	Views
DRF throttling, how to rate limit requests for token users only? Using Django	5	1682	February 26, 2021
DRF throttle monitoring Getting Started	1	643	April 5, 2023
[SOLVED] AllowAny override does not work on APIView Using Django	2	2573	September 19, 2021
Security Best Practices for an API with DRF Using Django	2	1982	November 24, 2019
DRF Testing and Custom Permissions Using Django	1	6260	November 7, 2019

AnonRateThrottle in Django REST framework

Related Topics