Rate limiting prevents your Mattermost server from being overloaded with too many requests, and decreases the risk and impact of third-party applications or malicious attacks on your server. Configure rate limiting settings by going to System Console > Environment > Rate Limiting, or by editing the config.json file as described in the following tables. Changes to configuration settings in this section require a server restart before taking effect.

Enable rate limiting

Available in legacy Enterprise Edition E10/E20

Enable or disable rate limiting to throttle APIs to a specified number of requests per second.

  • true: APIs are throttled at the rate specified by the Maximum queries per second configuration setting.

  • false: (Default) API access isn’t throttled.

  • System Config path: Environment > Rate Limiting

  • config.json setting: ".RateLimitSettings.Enable: false”,

  • Environment variable: MM_RATELIMITSETTINGS_ENABLE

Maximum queries per second

Available in legacy Enterprise Edition E10/E20

Throttle the API at this number of requests per second when rate limiting is enabled.

Numerical input. Default is 10.

  • System Config path: Environment > Rate Limiting

  • config.json setting: ".RateLimitSettings.PerSec: 10,

  • Environment variable: MM_RATELIMITSETTINGS_PERSEC

Maximum burst size

Available in legacy Enterprise Edition E10/E20

The maximum number of requests allowed beyond the per second query limit when rate limiting is enabled.

Numerical input. Default is 100.

  • System Config path: Environment > Rate Limiting

  • config.json setting: ".RateLimitSettings.MaxBurst: 100,

  • Environment variable: MM_RATELIMITSETTINGS_MAXBURST

Memory store size

Available in legacy Enterprise Edition E10/E20

The maximum number of user sessions connected to the system as determined by vary rate limit settings when rate limiting is enabled.

Numerical input. Default is 10000. Typically set to the number of users in the system.

  • System Config path: Environment > Rate Limiting

  • config.json setting: ".RateLimitSettings.MemoryStoreSize: 10000,

  • Environment variable: MM_RATELIMITSETTINGS_MEMORYSTORESIZE

Vary rate limit by remote address

Available in legacy Enterprise Edition E10/E20

Configure Mattermost to rate limit API access by IP address when rate limiting is enabled.

  • true: (Default) Rate limit API access by IP address. Recommended when using a proxy.

  • false: Rate limiting does not vary by IP address.

  • System Config path: Environment > Rate Limiting

  • config.json setting: ".RateLimitSettings.VaryByRemoteAddr: true,

  • Environment variable: MM_RATELIMITSETTINGS_VARYBYREMOTEADDR

Vary rate limit by user

Available in legacy Enterprise Edition E10/E20

Configure Mattermost to rate limit API access by authentication token or not when rate limiting is enabled.

  • true: Rate limit API access by user authentication token. Recommended when using a proxy.

  • false: (Default) Rate limiting does not vary by user authentication token.

  • System Config path: Environment > Rate Limiting

  • config.json setting: ".RateLimitSettings.VaryByUser: false,

  • Environment variable: MM_RATELIMITSETTINGS_VARYBYUSER

Vary rate limit by HTTP header

Available in legacy Enterprise Edition E10/E20

Configure Mattermost to vary rate limiting API access by the HTTP header field specified. Recommended when you’re using a proxy.

  • When configuring NGINX, set this to X-Real-IP.

  • When configuring AmazonELB, set this to X-Forwarded-For.

  • System Config path: Environment > Rate Limiting

  • config.json setting: ".RateLimitSettings.VaryByHeader: "",

  • Environment variable: MM_RATELIMITSETTINGS_VARYBYHEADER