← knowledge.oriz.in

Hono rate-limit middleware (per-IP, sliding window via KV)

service securityanti-botrate-limithonocloudflare-workerskvprimary

Hono rate-limit middleware

Role

The API-layer of the family's anti-bot defense-in-depth. A custom Hono middleware in the umbrella api.oriz.in Worker that throttles requests on a per-IP, sliding-window basis using Workers KV as the counter store. Sits behind the Cloudflare WAF (zone-wide coarse limits) and in front of the route handlers. Each route declares its own budget.

Why custom rather than Cloudflare zone-level rate-limit

Implementation sketch

import { rateLimit } from "@chirag127/oriz-kit/server";

app.use(
  "/api/contact",
  rateLimit({
    namespace: env.RATE_LIMIT_KV,   // KV binding
    windowMs: 60_000,                // 1-minute sliding window
    limit: 10,                       // 10 req / IP / minute
    keyBy: (c) => c.req.header("CF-Connecting-IP") ?? "unknown",
    onLimit: (c) => c.json({ error: "too many requests" }, 429),
  }),
);

Lives in @chirag127/oriz-kit/server so every Worker route in the family imports the same middleware — no per-Worker re-implementation.

Free tier

Runs entirely on existing free-tier resources:

Card / subscription required?

NO. No external vendor; runs on the existing Cloudflare account.

KV-write quota: the only thing to watch

The 1k writes/day KV cap is the binding constraint. Mitigations (per the worker quota mitigation playbook):

Alternatives

Swap cost

Low. Middleware lives in @chirag127/oriz-kit/server; swap the storage backend (KV → Upstash) by replacing the namespace adapter. Per-route budgets stay declarative.

Why this is our pick

Three layers of bot defense (decision) need a per-route, fine-grained throttle. Cloudflare's free WAF covers the zone; Turnstile covers form-submit; Hono rate-limit covers everything else — and runs on substrate the family already pays nothing for.

Cross-refs