Rate limiting prevents your Mattermost server from being overloaded with too many requests, and decreases the risk and impact of third-party applications or malicious attacks on your server.

Configure rate limiting settings by going to System Console > Environment > Rate Limiting, or by editing the config.json file as described in the following tables. Changes to configuration settings in this section require a server restart before taking effect.

Important

Mattermost rate limiting configuration settings are intended for small deployments of Mattermost up to a few hundred users, and is not intended for larger, Enterprise-scale deployments.

Enable rate limiting

Enable or disable rate limiting to throttle APIs to a specified number of requests per second.

  • true: APIs are throttled at the rate specified by the Maximum queries per second configuration setting.

  • false: (Default) API access isn’t throttled.

  • System Config path: Environment > Rate Limiting

  • config.json setting: ".RateLimitSettings.Enable: false”,

  • Environment variable: MM_RATELIMITSETTINGS_ENABLE

Maximum queries per second

Throttle the API at this number of requests per second when rate limiting is enabled.

Numerical input. Default is 10.

Increase this value to accept more requests each second, and decrease this value to allow fewer requests.

  • System Config path: Environment > Rate Limiting

  • config.json setting: ".RateLimitSettings.PerSec: 10,

  • Environment variable: MM_RATELIMITSETTINGS_PERSEC

Maximum burst size

The maximum number of requests allowed beyond the per second query limit when rate limiting is enabled.

Numerical input. Default is 100.

Increase this value to allow for more concurrent requests to be handled, and decrease this value to limit this capacity.

  • System Config path: Environment > Rate Limiting

  • config.json setting: ".RateLimitSettings.MaxBurst: 100,

  • Environment variable: MM_RATELIMITSETTINGS_MAXBURST

Memory store size

The maximum number of user sessions connected to the system as determined by vary rate limit settings when rate limiting is enabled.

Numerical input. Default is 10000. Typically set to the number of users in the system.

We recommend setting this value to the expected number of users. A higher value may result in underutilized resources, and a lower value may result in user sessions/tokens expiring too frequently.

  • System Config path: Environment > Rate Limiting

  • config.json setting: ".RateLimitSettings.MemoryStoreSize: 10000,

  • Environment variable: MM_RATELIMITSETTINGS_MEMORYSTORESIZE

Vary rate limit by remote address

Configure Mattermost to rate limit API access by IP address when rate limiting is enabled.

  • true: (Default) Rate limit API access by IP address. Recommended when using a proxy.

  • false: Rate limiting does not vary by IP address.

  • System Config path: Environment > Rate Limiting

  • config.json setting: ".RateLimitSettings.VaryByRemoteAddr: true,

  • Environment variable: MM_RATELIMITSETTINGS_VARYBYREMOTEADDR

Vary rate limit by user

Configure Mattermost to rate limit API access by authentication token or not when rate limiting is enabled.

  • true: Rate limit API access by user authentication token. Recommended when using a proxy.

  • false: (Default) Rate limiting does not vary by user authentication token.

  • System Config path: Environment > Rate Limiting

  • config.json setting: ".RateLimitSettings.VaryByUser: false,

  • Environment variable: MM_RATELIMITSETTINGS_VARYBYUSER

Vary rate limit by HTTP header

Configure Mattermost to vary rate limiting API access by the HTTP header field specified. Recommended when you’re using a proxy.

  • When configuring NGINX, set this to X-Real-IP.

  • When configuring AmazonELB, set this to X-Forwarded-For.

  • System Config path: Environment > Rate Limiting

  • config.json setting: ".RateLimitSettings.VaryByHeader: "",

  • Environment variable: MM_RATELIMITSETTINGS_VARYBYHEADER