Contributed by Kevin Bond in #59929 and #60155

The Rate Limiter component lets you control how often a certain event can occur. It's commonly used to limit login attempts, restrict file downloads, enforce request limits in your APIs, and more.

Sometimes, your rate limiting policies can be complex and require combining multiple individual policies. While this has been possible using the CompoundLimiter class, it previously required custom logic on your end.

In Symfony 7.3, we've improved this with configurable compound limiters. For example, to configure a compound rate limiter for your contact form:

# config/packages/framework.yaml
framework:
    rate_limiter:
        two_per_minute:
            policy: 'fixed_window'
            limit: 2
            interval: '1 minute'
        five_per_hour:
            policy: 'fixed_window'
            limit: 5
            interval: '1 hour'
            lock_factory: null
        contact_form:
            policy: 'compound'
            limiters: [two_per_minute, five_per_hour]

With this setup, users can send up to two contact messages per minute, and no more than five messages within an hour. In your controller or service, inject this rate limiter just like any other limiter:

public function contactAction(RateLimiterFactoryInterface $contactFormLimiter)
{
    // $contactFormLimiter is a CompoundRateLimiterFactory containing
    // "two_per_minute" & "five_per_hour"
}
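
As an added example (not code from the original post), here is one way a controller could consume the `contact_form` compound limiter and answer with a 429 when either window is exhausted. The controller class, the route and the choice of the client IP as the limiter key are assumptions.

```php
<?php
// Added example: class name, route and limiter key are assumptions.
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
use Symfony\Component\RateLimiter\RateLimiterFactoryInterface;
use Symfony\Component\Routing\Attribute\Route;

final class ContactController extends AbstractController
{
    #[Route('/contact', name: 'contact', methods: ['POST'])]
    public function contactAction(
        Request $request,
        RateLimiterFactoryInterface $contactFormLimiter,
    ): Response {
        // One limiter state per client. Behind a reverse proxy, getClientIp()
        // is only meaningful when framework.trusted_proxies is configured;
        // otherwise every request shares the proxy's address as its key.
        $limiter = $contactFormLimiter->create($request->getClientIp());

        // A single consume() call is checked against both "two_per_minute"
        // and "five_per_hour"; the returned RateLimit reflects the most
        // restrictive of the two.
        $limit = $limiter->consume(1);

        if (!$limit->isAccepted()) {
            // Convert the absolute retry time into seconds for Retry-After.
            $seconds = max(1, $limit->getRetryAfter()->getTimestamp() - time());

            throw new TooManyRequestsHttpException($seconds, 'Too many contact messages.');
        }

        // Request accepted by both windows: handle the form as usual.
        return new Response('Message sent.');
    }
}
```

Compound limiters support `consume()` only; calling `reserve()` on one throws a `ReserveNotSupportedException`.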
Published in #Living on the edge