Ratelimit

Protecting Endpoints

All public facing endpoints of the Klub plugin are protected by a ratelimit with a default of 12*60 = 720 requests per hour: once a visitor has made 720 requests, any further request from that visitor is rejected with HTTP status 429 until the one hour window has passed.

The stored data is an encrypted version of the visitor's IP address; the raw address is not kept.

Here is an example of how you could use the ratelimit in a custom endpoint. The ratelimit check runs before the user lookup, so unauthenticated floods are rejected cheaply.

site/config/config.php
<?php

return [
    'routes' => [
        [
            'pattern' => 'my/endpoint',
            'method' => 'POST',
            'action' => function () {
                // Reject requests without a valid CSRF token
                $token = get('token');
                if (csrf($token) === false) {
                    return Response::json([], 401);
                }

                // Ratelimit keyed on the (encrypted) visitor IP; 429 once exceeded
                if (! site()->ratelimit()) {
                    return Response::json([], 429);
                }

                $user = kirby()->user();
                if (! $user) {
                    return Response::json([], 401);
                }

                // DO STUFF

                // Only follow redirects that stay on this site (avoids an open redirect
                // via a user supplied "redirect" parameter)
                $redirect = get('redirect', site()->url());
                if ($redirect !== site()->url() && Str::startsWith($redirect, site()->url() . '/') === false) {
                    $redirect = site()->url();
                }

                go($redirect);
            },
        ],
    ],
    // other options
];

In addition to changing the upper limit globally in the config settings, you can pass a number as parameter to the function if you want to change the limit for a single endpoint only, for example a stricter limit on a login or form handler.

if (! site()->ratelimit(100)) {
    return Response::json([], 429);
}
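To make the behaviour described above concrete (the 720 per hour default, the 429 once it is reached, the reset after the window, and the per-endpoint override), here is an added, self-contained example of a fixed-window rate limiter. It is not the Klub plugin's own implementation and makes the following assumptions: the window starts at a visitor's first request, the counter is stored under a keyed hash (HMAC) of the IP address instead of the plugin's encrypted form, storage is a plain in-memory array, and the class and method names (`FixedWindowRateLimiter`, `allow()`) are hypothetical. The IP addresses and clock values are constructed for the demo.

```php
<?php
// Added example, not code from the Klub plugin. Fixed-window rate limiter
// with the semantics described on this page. Assumptions: window starts at
// the visitor's first request; the IP is pseudonymised with an HMAC before
// it is used as a key (the plugin encrypts it instead); in-memory storage.

final class FixedWindowRateLimiter
{
    /** @var array<string, array{count:int, start:int}> keyed by HMAC(ip) */
    private array $buckets = [];

    public function __construct(
        private string $secret,            // key for pseudonymising the IP
        private int $windowSeconds = 3600  // one hour window
    ) {}

    // Never store the raw address: derive a keyed hash of it instead.
    private function key(string $ip): string
    {
        return hash_hmac('sha256', $ip, $this->secret);
    }

    // Returns true while the visitor is within $limit requests in the current
    // window and false once the limit is reached (the caller answers 429).
    // $limit defaults to 12 * 60 = 720 requests per hour. $now is injectable
    // so the window logic can be exercised without waiting.
    public function allow(string $ip, int $limit = 720, ?int $now = null): bool
    {
        $now ??= time();
        $key = $this->key($ip);
        $bucket = $this->buckets[$key] ?? ['count' => 0, 'start' => $now];

        // The window has elapsed: start a fresh one for this visitor.
        if ($now - $bucket['start'] >= $this->windowSeconds) {
            $bucket = ['count' => 0, 'start' => $now];
        }

        $bucket['count']++;
        $this->buckets[$key] = $bucket;

        return $bucket['count'] <= $limit;
    }
}

// Demo with constructed input: a documentation-range IP and a fixed clock.
$limiter = new FixedWindowRateLimiter(secret: 'replace-with-a-random-secret');
$ip = '203.0.113.10';   // constructed
$t0 = 1_700_000_000;    // constructed start time

// Default limit: the first 720 requests pass, the next one is blocked.
$blockedAt = null;
for ($i = 1; $i <= 721; $i++) {
    if (! $limiter->allow($ip, 720, $t0 + $i)) {
        $blockedAt = $i;
        break;
    }
}
echo "Default limit: blocked at request #{$blockedAt}\n";

// One hour after the first request the window resets and requests pass again.
echo 'After the window: ', $limiter->allow($ip, 720, $t0 + 3601) ? "allowed\n" : "blocked\n";

// Per-endpoint override, like site()->ratelimit(100): a stricter limit for a
// sensitive route, demonstrated with a second constructed visitor.
$ip2 = '198.51.100.7';  // constructed
for ($i = 1; $i <= 100; $i++) {
    $limiter->allow($ip2, 100, $t0 + $i);
}
echo 'Strict limit, request #101: ', $limiter->allow($ip2, 100, $t0 + 101) ? "allowed\n" : "blocked (429)\n";
```

Two points a practitioner should keep in mind when relying on an IP-keyed limiter like this: visitors behind a shared NAT or proxy share one bucket, so a legitimate office can be blocked by a single abusive client, and when the site sits behind a reverse proxy the address used for the key must be the one the proxy reports for the real client, not the proxy's own, otherwise every visitor lands in the same bucket.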
Kirby Klub is not affiliated with the developers of Kirby CMS. We are merely standing on the shoulder of giants.
© 2025 Bruno Meilick All rights reserved.