Disable or Adjust Laravel Rate Limiter: A Step-by-Step Guide

The Laravel framework includes a powerful rate limiter middleware to protect your application from excessive requests. It can be applied to any route your application has. By default, however, Laravel applies it to all routes starting with /api.

In some cases, you may need to adjust or disable the rate limiter to accommodate specific requirements and avoid the “429 Too Many Requests” error.

In this guide, we’ll walk you through the steps to either disable or adjust the Laravel rate limiter. Let’s get started!

Step 1: Locate the Rate Limiter Middleware

Open your Laravel project and locate app/Http/Kernel.php. Among other things, this file defines whether rate limiting is applied and at which rate it returns an error instead of handling the request. We can edit this file to customize the application’s behavior.

Step 2: Comment Out the Throttle Middleware

Inside the Kernel.php file, you’ll find the $middlewareGroups array, which contains the ‘api’ group. By default, Laravel only applies rate-limiting middleware to the api group. The web group is typically used for web routes accessed by users in the browser, while the api group is used for API routes accessed behind the scenes by scripts and applications.

If you want to disable the rate limiter for API routes, find and comment out the following line of code within the api middleware group. Note that the line can look slightly different depending on your Laravel version:

app/Http/Kernel.php
<?php

namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{    
    // Other Kernel variables ..
    
    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],

        'api' => [
            // \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
            \Illuminate\Routing\Middleware\ThrottleRequests::class.':api', // Laravel 10 and newer
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
    ];
    
    // ..
}

To completely deactivate the rate limiter for all your api routes, you can comment it out as shown below:

app/Http/Kernel.php
// ..
    
    protected $middlewareGroups = [
        // ..
        'api' => [
            // \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
            // \Illuminate\Routing\Middleware\ThrottleRequests::class.':api', // Comment this line
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
    ];
    
    // ..
}

Step 3: Adjust Rate Limit Settings

For an API in production use, I recommend tweaking the limits instead of disabling the rate-limiting completely.

If you prefer to keep rate limiting in place but want to modify the limits, you can adjust the throttle middleware’s parameters. The format for the throttle middleware is 'throttle:requests,minutes', where requests is the maximum number of requests allowed and minutes is the length of the time window.

You can adjust the numbers as needed for your specific use case. For example, to limit requests to 60 per minute, you can use:

app/Http/Kernel.php
// ..
    
    protected $middlewareGroups = [
        // ..
        'api' => [
            // \Laravel\Sanctum\Http\Middleware\EnsureFrontendRequestsAreStateful::class,
            'throttle:60,1', // configure throttle requests+minutes here
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
        ],
    ];
    
    // ..
}

Step 4: Save the Changes

After making the necessary adjustments to the Kernel.php file, save it. You should now be able to open the route as many times as needed, without seeing the error message: 429 Too Many Requests.

You can test this, for example, by opening the route in the browser and pressing F5 many times in quick succession 🙂

Frequently Asked Questions

How to remove rate limiting only for a specific API route?

  1. First, remove global rate limiting by editing app/Http/Kernel.php, scrolling to $middlewareGroups and commenting out the lines containing ThrottleRequests::class and, if present, throttle:60,1
  2. Apply rate limiting only to a group of routes by editing routes/api.php and using the following code:
routes/api.php
<?php

use Illuminate\Support\Facades\Route;

// Routes outside the group (without ThrottleRequests middleware)
Route::get('/public-route', function () {
    dd('public-route');
});

// Routes inside the group (with ThrottleRequests middleware; without
// parameters it uses its default of 60 requests per minute)
Route::middleware([\Illuminate\Routing\Middleware\ThrottleRequests::class])->group(function () {
    Route::get('/protected-route-1', function () {
        dd('protected-route-1');
    });
    Route::get('/protected-route-2', function () {
        dd('protected-route-2');
    });
});

Conclusion

Disabling or adjusting the Laravel rate limiter can be useful for handling specific scenarios where rate limiting may not be suitable. By following these steps and editing the Kernel.php file, you can effectively fix the “429 Too Many Requests” error and tailor the rate limiting to your application’s needs.

It’s important to note that rate limiting serves a crucial purpose in protecting your application. By setting appropriate values you’ll prevent server overload and ensure fair usage of your resources. Therefore, before deciding to disable it entirely, carefully consider your application’s requirements and the potential impact on its performance.

Happy coding!

Johan van den Broek

Johan is the creator of laracoding.com. As a child, he began tinkering with various programming languages, many of which have been long forgotten today. Currently, he works exclusively with PHP and Laravel, and his passion for programming remains to this day.
