Commit 4d385395 authored by Joshua Lambert's avatar Joshua Lambert Committed by Achilleas Pipinellis

Add missing rate and concurrency limits

parent 35bc2d30
......@@ -8,6 +8,99 @@ GitLab, like most large applications, enforces limits within certain features to
minimum quality of performance. Allowing some features to be limitless could affect security,
performance, data, or could even exhaust the allocated resources for the application.
## Rate limits
Rate limits can be used to improve the security and durability of GitLab.
For example, a simple script can make thousands of web requests per second. Whether malicious, apathetic, or just a bug, your application and infrastructure may not be able to cope with the load. Rate limits can help mitigate these types of attacks.
Read more about [configuring rate limits](../security/rate_limits.md) in the Security documentation.
### Issue creation
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/28129) in GitLab 12.10.
This setting limits the request rate to the issue creation endpoint.
Read more on [issue creation rate limits](../user/admin_area/settings/rate_limit_on_issues_creation.md).
- **Default rate limit** - Disabled by default
### By User or IP
This setting limits the request rate per user or IP.
Read more on [User and IP rate limits](../user/admin_area/settings/user_and_ip_rate_limits.md).
- **Default rate limit** - Disabled by default
### By raw endpoint
> [Introduced](https://gitlab.com/gitlab-org/gitlab-foss/-/merge_requests/30829) in GitLab 12.2.
This setting limits the request rate per endpoint.
Read more on [raw endpoint rate limits](../user/admin_area/settings/rate_limits_on_raw_endpoints.md).
- **Default rate limit** - 300 requests per project, per commit and per file path
### By protected path
This setting limits the request rate on specific paths.
GitLab rate limits the following paths by default:
```plaintext
'/users/password',
'/users/sign_in',
'/api/#{API::API.version}/session.json',
'/api/#{API::API.version}/session',
'/users',
'/users/confirmation',
'/unsubscribes/',
'/import/github/personal_access_token',
'/admin/session'
```
Read more on [protected path rate limits](../user/admin_area/settings/protected_paths.md).
- **Default rate limit** - After 10 requests, the client must wait 60 seconds before trying again
### Import/Export
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/merge_requests/35728) in GitLab 13.2.
This setting limits the import/export actions for groups and projects.
| Limit | Default (per minute per user) |
| ----- | ----------------------------- |
| Project Import | 6 |
| Project Export | 6 |
| Project Export Download | 1 |
| Group Import | 6 |
| Group Export | 6 |
| Group Export | Download | 1 |
Read more on [import/export rate limits](../user/admin_area/settings/import_export_rate_limits.md).
### Rack attack
This method of rate limiting is cumbersome, but has some advantages. It allows
throttling of specific paths, and is also integrated into Git and container
registry requests.
Read more on the [Rack Attack initializer](../security/rack_attack.md) method of setting rate limits.
- **Default rate limit** - Disabled
## Gitaly concurrency limit
Clone traffic can put a large strain on your Gitaly service. To prevent such workloads from overwhelming your Gitaly server, you can set concurrency limits in Gitaly’s configuration file.
Read more on [Gitaly concurrency limits](gitaly/index.md#limit-rpc-concurrency).
- **Default rate limit** - Disabled
## Number of comments per issue, merge request or commit
> [Introduced](https://gitlab.com/gitlab-org/gitlab/-/issues/22388) in GitLab 12.4.
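Review bot: the Import/Export table in this hunk has a malformed last row: `| Group Export | Download | 1 |` contains three cells in a two-column table, so it will not render alongside the other rows; it should read `| Group Export Download | 1 |` to match the `Project Export Download` row above it. Two smaller points in the same hunk: the "Gitaly concurrency limit" section reuses the `**Default rate limit**` bullet label even though it describes a concurrency limit rather than a rate limit (a `**Default concurrency limit**` label would be more accurate), and the "By User or IP" and "By protected path" sections lack the `> [Introduced](...)` version line that the neighbouring sections carry, which leaves readers unable to tell from this page which GitLab version added them.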