Rate Limiting

$bolt.rateLimit(nMax, nWindow)

Configure per-IP rate limiting. Each client IP gets its own counter.

$bolt.rateLimit(100, 60)  # 100 requests per 60 seconds per IP

$bolt.checkRateLimit()

Check if current request is rate limited (returns 1 if allowed, 0 if limited). Rate limiting is per client IP.

if !$bolt.checkRateLimit()
    $bolt.sendWithStatus(429, "Too many requests")
    return
ok

The per-IP rate limiter and per-route governor limiters both run periodic cleanup (every 5 minutes) to remove expired entries, preventing unbounded memory growth from unique IP addresses. A warning is logged when a per-route limiter exceeds 10,000 tracked keys.

CORS Validation