API Intro + Rate Limits (SaaS)
Configuring rate limits
- Use case: Rate limits prevent denial-of-service or brute-force attacks. IP blocks usually happen when GitLab.com receives unusual traffic from a single IP address that the system views as potentially malicious based on rate limit settings.
- Benefit: They improve the security and durability of your application.
- Get started: Configure GitLab.com-specific rate limits in your admin settings.
GitLab.com-specific block responses
- “403 forbidden” error: If it’s associated with all GitLab.com requests, look for an automated process that could’ve triggered a block. For further assistance, provide GitLab support with the error details, including the affected IP address.
- HAProxy API throttle: GitLab.com responds with HTTP status code 429 to API requests that exceed 10 requests per second, per IP address.
- Protected paths throttle: GitLab.com responds with HTTP status code 429 to POST requests at protected paths that exceed 10 requests per minute, per IP address.
- Git and container registry failed authentication ban: GitLab.com responds with HTTP status code 403 for one hour if it receives 30 failed authentication requests within three minutes from a single IP address.
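To help find the automated process behind a block, the following added example (not GitLab code) replays a client's request timeline against the thresholds listed above and returns the status each request would be expected to receive. The event labels, the 200 and 401 statuses for requests that are not blocked, and the sliding-window counting are assumptions of this example; GitLab.com's own counters may behave differently.

```python
from collections import defaultdict, deque

# Thresholds as stated on this page: kind -> (limit, window in seconds).
THROTTLES = {"api": (10, 1), "protected_post": (10, 60)}
AUTH_FAILS, AUTH_WINDOW, BAN_SECONDS = 30, 180, 3600


def expected_statuses(events):
    """Replay time-sorted (timestamp, ip, kind) tuples and return the status
    each request would be expected to receive.

    Assumed for this example: the kind labels ('api', 'protected_post',
    'git_auth_fail', 'git_auth_ok'), 200/401 for requests that are not
    blocked, and sliding-window counting.
    """
    windows = defaultdict(deque)   # (ip, kind) -> timestamps still in window
    banned_until = {}              # ip -> time at which the 403 ban expires
    statuses = []
    for ts, ip, kind in events:
        seen = windows[(ip, kind)]
        if kind.startswith("git_auth"):
            if ts < banned_until.get(ip, 0):
                statuses.append(403)          # ban still active
            elif kind == "git_auth_ok":
                statuses.append(200)
            else:
                seen.append(ts)
                while seen[0] <= ts - AUTH_WINDOW:
                    seen.popleft()            # drop failures older than 3 min
                if len(seen) >= AUTH_FAILS:   # 30th failure starts the ban
                    banned_until[ip] = ts + BAN_SECONDS
                    seen.clear()
                statuses.append(401)
            continue
        limit, window = THROTTLES[kind]
        while seen and seen[0] <= ts - window:
            seen.popleft()
        if len(seen) >= limit:                # this request exceeds the limit
            statuses.append(429)
        else:
            seen.append(ts)
            statuses.append(200)
    return statuses


if __name__ == "__main__":
    # Constructed timeline: a CI job making 12 API calls within one second.
    burst = [(i / 20, "192.0.2.10", "api") for i in range(12)]
    print(expected_statuses(burst))
```

Feed it timestamps from your own client or CI logs, grouped by source IP, to see which job would cross a threshold first.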
Your rate limit checklist