It would be nice to have rate limits for collections, restricting by IPs.
After n requests, the request should be dropped, for security reasons, as in a honey pot.
Suggestion:
It can be declarative, in the security.yml, like this:
collections:
  auths:
    max_request_per_minute: 100
I'll leave a quotation for further reference here:
To prevent abuse, it is standard practice to add some sort of rate limiting to an API. RFC 6585 introduced an HTTP status code 429 Too Many Requests to accommodate this.
However, it can be very useful to notify the consumer of their limits before they actually hit it. This is an area that currently lacks standards but has a number of popular conventions using HTTP response headers.
At a minimum, include the following headers (using Twitter's naming conventions as headers typically don't have mid-word capitalization):
X-Rate-Limit-Limit - The number of allowed requests in the current period
X-Rate-Limit-Remaining - The number of remaining requests in the current period
X-Rate-Limit-Reset - The number of seconds left in the current period
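As an added illustration (not code from this project or either commenter), here is a per-IP fixed-window limiter that reads a limit in the shape suggested above, drops requests over the limit with 429 and sets the three X-Rate-Limit headers plus Retry-After. The config dict, the `FixedWindowLimiter` class and the `check` method are assumptions made for the example.

```python
import math
import time
from collections import defaultdict

# Constructed config mirroring the suggested security.yml shape; in a
# real deployment this would come from yaml.safe_load(open("security.yml")).
CONFIG = {"collections": {"auths": {"max_request_per_minute": 100}}}

WINDOW_SECONDS = 60


class FixedWindowLimiter:
    """Counts requests per (collection, client IP) in fixed one-minute windows.

    Note for deployments: key on the real client address. Behind a reverse
    proxy that means trusting X-Forwarded-For only from that proxy, otherwise
    a client can choose its own bucket.
    """

    def __init__(self, config, window=WINDOW_SECONDS):
        self.limits = config["collections"]
        self.window = window
        # (collection, ip) -> [request_count, window_start_time]
        self.counters = defaultdict(lambda: [0, 0.0])

    def check(self, collection, ip, now=None):
        """Return (status, headers): 200 to allow, 429 to drop the request."""
        now = time.time() if now is None else now
        limit = self.limits.get(collection, {}).get("max_request_per_minute")
        if limit is None:
            return 200, {}  # collection has no limit configured
        entry = self.counters[(collection, ip)]
        if now - entry[1] >= self.window:
            entry[0], entry[1] = 0, now  # start a fresh window
        reset = math.ceil(self.window - (now - entry[1]))
        headers = {
            "X-Rate-Limit-Limit": str(limit),
            "X-Rate-Limit-Reset": str(reset),
        }
        if entry[0] >= limit:
            headers["X-Rate-Limit-Remaining"] = "0"
            headers["Retry-After"] = str(reset)  # RFC 6585 allows this on 429
            return 429, headers
        entry[0] += 1
        headers["X-Rate-Limit-Remaining"] = str(limit - entry[0])
        return 200, headers
```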