January 16, 2026

Rate-limit the drama

Article URL →HN comments →

HTTP RateLimit Headers

Web finally gets speed limits—but devs are fighting over dashes vs camelCase

TLDR: The IETF is standardizing HTTP RateLimit headers to help apps avoid “Too Many Requests.” Devs cheer the progress but argue over naming, messy implementations, and needing extra docs—half hopeful this reduces pain, half skeptical it’s another standard that still needs a cheat sheet.

The internet is getting its own speed limit signs: an IETF draft to standardize HTTP RateLimit headers so apps know when to chill before hitting the dreaded “429 Too Many Requests.” Think of it like a posted speed limit (RateLimit-Policy) and a live warning light (RateLimit) telling you how much gas you’ve got left. The article argues you don’t have to use clunky “reset-the-clock” quotas that cause burst-then-panic traffic; smoother, linear algorithms can play nice, too. But the community? Oh, they showed up with popcorn.

The strongest vibe: naming rage. One commenter fumed that mixing camelCase with dashes is a crime against humanity—“RateLimit-Remaining” vs “Rate-Limit-Remaining” sparked a full-on kebab-case vs camelCase culture war. Meanwhile, weary integrators begged for a real standard so they can stop duct-taping custom logic for every service. A maintainer from the Ky HTTP client dropped a spicy truth: the standard’s “late to the party,” implementations are all over the map, and formats don’t match—cue the “429 is the new 404” memes. Then came the confusion: folks asked why the spec keeps saying you’ll still need external docs. If the point is clarity, why the treasure hunt?

In short: hope meets skepticism. Some see relief on the horizon. Others see a new rulebook that still needs a manual. And yes, we’re rate-limiting the drama—barely.

Key Points

  • An IETF draft proposes standardized HTTP RateLimit headers to communicate throttling policies and limits.
  • The draft defines RateLimit-Policy (inputs: name, pk, q, w, qu) and RateLimit (outputs: name, pk, r, t) headers, supporting multiple named policies.
  • Quota-reset algorithms can cause burst-pause behavior; the article advocates linear algorithms like GCRA for smoother traffic.
  • Clients should adhere to q requests per w seconds and, after receiving RateLimit, not exceed r requests within t seconds.
  • A linear GCRA-based approach uses a per-client not-before timestamp, clamped within the window, with costs derived from quota units and interval.

Hottest takes

"It really irks me that the de facto rate limiting headers mix camel case with the more standard dashes" — ezekg
"The standard is very late to the party. I just hope it can actually ..." — sholladay
"I'm not sure I understand the motivation... you will have to read external documentation" — nitwit005

Save News

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.