Rate limiting REST requests on Heroku

To avoid abuse开发者_JAVA技巧 I'd like to add rate limiting to the REST API in our Rails application. After doing a bit of research into this it looks like the best practice is to move this responsibility into the web server rather than checking for this in the application itself. Unfortunately this can't be done in my case as I'm hosting the application on Heroku and so have no control over the web server set up.

What should be done in this case to stop abuse of the API?

I think what you are looking for is the rack-throttle or rack-attack gem. Both of them allow throttling and the rack-attack gem also allows you to time people out for a certain period of time and block certain IP addresses if they are multiple time offenders or for whatever other reason you would want to block requesters.

Consider putting a cookie on the client, or better yet, a field on the user account that records the last time they made a request (many authentication plugins do this already), and simply reject/delay their request if it's more recent than, say, 5 seconds ago (20 requests/second).

NOTE: If using a single-threaded web server (e.g. Mongrel) putting in an explicit delay rather than a rejection might delay other pending request on that Mongrel. In other words, it's going to impact your other users. Maybe a small javascript/ajax response to notify the user that they are being rate limited, if that is appropriate. Think how StackOverflow prevents you from doing certain things too often on the site.