from rest_framework.throttling import UserRateThrottle
class BurstRateThrottle(UserRateThrottle):
"""Allow short bursts of requests."""
scope = 'burst'
class SustainedRateThrottle(UserRateThrottle):
"""Limit sustained request rate."""
scope = 'sustained'
REST_FRAMEWORK = {
'DEFAULT_THROTTLE_CLASSES': [
'api.throttling.BurstRateThrottle',
'api.throttling.SustainedRateThrottle',
],
'DEFAULT_THROTTLE_RATES': {
'anon': '100/day',
'user': '1000/day',
'burst': '60/min',
'sustained': '1000/hour',
}
}
from rest_framework import viewsets
from rest_framework.throttling import UserRateThrottle
from .models import Article
from .serializers import ArticleSerializer
class ExpensiveOperationThrottle(UserRateThrottle):
rate = '10/hour'
class ArticleViewSet(viewsets.ModelViewSet):
queryset = Article.objects.all()
serializer_class = ArticleSerializer
def get_throttles(self):
"""Apply stricter throttling to create/update."""
if self.action in ['create', 'update', 'partial_update']:
return [ExpensiveOperationThrottle()]
return super().get_throttles()
Throttling prevents API abuse by limiting request rates. DRF provides AnonRateThrottle for anonymous users and UserRateThrottle for authenticated users. I configure rates in settings like 'user': '100/hour'. For custom logic, I subclass BaseThrottle and implement allow_request(). Throttle scope lets me set different rates for different endpoints. I use Redis as cache backend for production to share throttle state across servers. The 429 Too Many Requests response includes a Retry-After header. This protects APIs from both malicious attacks and client bugs causing request loops.
