Rate limiting at the edge
Demonstrate that rate limiting mechanisms are configured and enforced at edge infrastructure to restrict abusive or excessive request volumes before they reach backend systems.
Description
What this control does
Rate limiting at the edge restricts the number of requests a client can make to protected resources within a defined time window, enforced at perimeter infrastructure such as CDNs, API gateways, load balancers, or web application firewalls. The control applies configurable thresholds based on criteria like IP address, user session, API key, or geographic origin to drop or delay excessive requests before they reach backend systems. This prevents resource exhaustion attacks, maintains service availability during traffic spikes, and reduces exposure to credential stuffing, scraping, and volumetric denial-of-service attempts.
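As an added illustration (not part of this control text or any vendor's product), the following sliding-window limiter keys each request on the attribute the policy names (IP address or API key), applies the configured threshold and window, returns the configured enforcement action, and honours an exemption list; the policy values and sample traffic are constructed for the example.

```python
"""Sliding-window edge rate limiter keyed by client IP or API key (illustrative)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class RatePolicy:
    key: str                          # request attribute to count on: "ip" or "api_key"
    threshold: int                    # max requests permitted inside one window
    window: float                     # window length in seconds
    action: str                       # enforcement once exceeded: "block" or "throttle"
    exempt: frozenset = frozenset()   # rate-key values never limited (e.g. a health checker)


class SlidingWindowLimiter:
    """Keeps a per-key log of recent request timestamps (exact, but memory grows per key)."""

    def __init__(self, policy: RatePolicy):
        self.policy = policy
        self._hits = defaultdict(deque)   # rate key -> timestamps of counted requests

    def decide(self, request: dict, now: float) -> str:
        """Return 'allow', or the policy's action, for a request arriving at time `now`."""
        rate_key = request[self.policy.key]
        if rate_key in self.policy.exempt:
            return "allow"
        hits = self._hits[rate_key]
        # Drop timestamps that have slid out of the window before counting.
        while hits and now - hits[0] >= self.policy.window:
            hits.popleft()
        if len(hits) >= self.policy.threshold:
            return self.policy.action     # excess request is not counted, so it cannot extend the lockout
        hits.append(now)
        return "allow"


def run_sample():
    """Constructed traffic: 5 login attempts per minute per IP, one monitoring host exempt."""
    policy = RatePolicy(key="ip", threshold=5, window=60.0, action="block",
                        exempt=frozenset({"10.0.0.9"}))
    limiter = SlidingWindowLimiter(policy)
    traffic = [({"ip": "198.51.100.7", "path": "/login"}, float(t)) for t in range(8)]
    traffic += [({"ip": "10.0.0.9", "path": "/login"}, float(t)) for t in range(8)]
    traffic.append(({"ip": "198.51.100.7", "path": "/login"}, 70.0))   # after the window slides
    return [(req["ip"], t, limiter.decide(req, t)) for req, t in traffic]
```

The returned decision list is the kind of telemetry an auditor would expect edge logs to show: which rate key tripped the threshold, when, and which action was applied.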
Control objective
What auditing this proves
Demonstrate that rate limiting mechanisms are configured and enforced at edge infrastructure to restrict abusive or excessive request volumes before they reach backend systems.
Associated risks
Risks this control addresses
- Distributed denial-of-service (DDoS) attacks overwhelming application or API endpoints
- Credential stuffing campaigns executing thousands of authentication attempts against login endpoints
- Automated web scraping depleting bandwidth and exposing proprietary data or pricing information
- Application-layer resource exhaustion causing degraded performance or unavailability for legitimate users
- API abuse where malicious actors enumerate endpoints or extract sensitive data through high-volume queries
- Brute-force attacks against authentication mechanisms or administrative interfaces
- Economic loss from cloud egress charges or compute costs triggered by unbounded request volumes
Testing procedure
How an auditor verifies this control
- Identify all edge infrastructure components in scope including CDN configurations, API gateways, web application firewalls, and reverse proxies.
- Review rate limiting policy documentation to confirm defined thresholds, time windows, enforcement actions (block, throttle, CAPTCHA), and exemption criteria.
- Export and examine rate limiting configurations from each edge component, noting threshold values, rate keys (IP, session, API key), and enforcement rules.
- Select a representative sample of critical endpoints including authentication APIs, public-facing web services, and data retrieval endpoints.
- Simulate rate limit enforcement by executing scripted requests exceeding configured thresholds against sampled endpoints and observe enforcement behavior.
- Review access logs and rate limiting telemetry for the past 90 days to verify enforcement activity, including blocked requests, throttling events, and triggered alerts.
- Interview platform engineers or security operations staff to confirm monitoring practices, tuning procedures, and incident response for rate limit breaches.
- Validate that rate limiting configurations are version-controlled, subject to change management, and tested during deployments or configuration updates.