2019-12-21 20:55:43 +05:30
---
2021-01-29 00:20:46 +05:30
stage: none
group: unassigned
2021-02-22 17:27:13 +05:30
info: To determine the technical writer assigned to the Stage/Group associated with this page, see https://about.gitlab.com/handbook/engineering/ux/technical-writing/#assignments
2019-12-21 20:55:43 +05:30
type: reference
---
2021-03-11 19:13:27 +05:30
# Protected paths **(FREE SELF)**
2019-12-21 20:55:43 +05:30
2021-12-11 22:18:48 +05:30
Rate limiting is a technique that improves the security and durability of a web
application. For more details, see [Rate limits ](../../../security/rate_limits.md ).
2020-04-22 19:07:51 +05:30
2021-12-11 22:18:48 +05:30
You can rate limit (protect) specified paths. For these paths, GitLab responds with HTTP status
code `429` to POST requests at protected paths that exceed 10 requests per minute per IP address.
2019-12-21 20:55:43 +05:30
For example, the following are limited to a maximum 10 requests per minute:
- User sign-in
- User sign-up (if enabled)
- User password reset
2021-12-11 22:18:48 +05:30
After 10 requests, the client must wait 60 seconds before it can try again.
See also:
- List of paths [protected by default ](../../../administration/instance_limits.md#by-protected-path ).
- [User and IP rate limits ](../../admin_area/settings/user_and_ip_rate_limits.md#response-headers )
for the headers returned to blocked requests.
2019-12-21 20:55:43 +05:30
2021-12-11 22:18:48 +05:30
## Configure protected paths
2019-12-21 20:55:43 +05:30
2021-11-18 22:05:49 +05:30
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/31246) in GitLab 12.4.
2019-12-21 20:55:43 +05:30
Throttling of protected paths is enabled by default and can be disabled or
customized on **Admin > Network > Protected Paths** , along with these options:
- Maximum number of requests per period per user.
- Rate limit period in seconds.
- Paths to be protected.
Requests over the rate limit are logged into `auth.log` .
