NGINX, Kong Gateway, Envoy Proxy

Missing request timeouts and rate limits allow resource exhaustion

warning
availability
Updated Mar 25, 2026
How to detect:

Starlette/FastAPI does not include built-in per-request timeouts or rate limiting. Without these protections, slow clients, misbehaving endpoints, or attack traffic can hold workers indefinitely, exhaust connection pools, and degrade service availability for all users.

Recommended action:

Implement request timeouts and rate limiting via custom middleware or APIRoute wrappers (see WrappedRoute example). Alternatively, enforce these controls at the API gateway or reverse proxy layer (Nginx limit_req, Kong rate-limiting plugin, Envoy local_rate_limit). Monitor http.server.request.duration and starlette.requests.total to detect abuse patterns.
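One way to write the custom middleware option, as an added example (it is not the WrappedRoute example referred to above, and not Starlette or FastAPI code). The class name, parameters and defaults are assumptions; it is a pure ASGI middleware, so it can be registered with `app.add_middleware(TimeoutRateLimitMiddleware)`.

```python
import asyncio
import time


class TimeoutRateLimitMiddleware:
    """Pure ASGI middleware: per-client token bucket plus a per-request deadline."""

    def __init__(self, app, timeout_s=5.0, rate=5.0, burst=10, clock=time.monotonic):
        self.app, self.timeout_s = app, timeout_s
        self.rate, self.burst, self.clock = rate, burst, clock
        self.buckets = {}  # client ip -> (tokens, last_refill); unbounded, in-process only

    def allow(self, key):
        # Refill at `rate` tokens per second up to `burst`, then spend one token.
        now = self.clock()
        tokens, last = self.buckets.get(key, (float(self.burst), now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        allowed = tokens >= 1.0
        self.buckets[key] = (tokens - 1.0 if allowed else tokens, now)
        return allowed

    async def __call__(self, scope, receive, send):
        if scope["type"] != "http":
            return await self.app(scope, receive, send)
        client = scope.get("client") or ("unknown", 0)
        if not self.allow(client[0]):
            return await self._reply(send, 429, b"rate limit exceeded")
        started = False

        async def tracked_send(message):
            nonlocal started
            if message["type"] == "http.response.start":
                started = True
            await send(message)

        try:
            await asyncio.wait_for(self.app(scope, receive, tracked_send), self.timeout_s)
        except asyncio.TimeoutError:
            # Headers already sent: a 504 can no longer be written, so re-raise
            # and let the server abort the connection.
            if started:
                raise
            await self._reply(send, 504, b"request timed out")

    @staticmethod
    async def _reply(send, status, body):
        headers = [(b"content-type", b"text/plain"), (b"content-length", str(len(body)).encode())]
        await send({"type": "http.response.start", "status": status, "headers": headers})
        await send({"type": "http.response.body", "body": body})
```

The deadline works by cancelling the handler task, so it frees workers held by awaiting code but does not interrupt blocking work already running in a thread. Behind a reverse proxy, `scope["client"]` is the proxy's address unless the server is configured to trust forwarded headers, and the bucket state is per process.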