Fixed Window
The simplest algorithm. The time axis is split into fixed intervals (windows). Each window has its own counter that resets when the window expires.Pros
- Simple to understand and implement
- Very fast — just
INCRandEXPIREin Redis - Predictable — users know their quota resets every N seconds
Cons
- Boundary burst problem: A user can make
2× limitrequests by hittinglimitjust before the window ends, thenlimitagain at the start of the next window.
When to use
- Login rate limiting (e.g. 5 attempts per minute)
- Email sending limits (e.g. 100 emails per hour)
- Simple API quotas
Sliding Window
A more accurate approach. Instead of a fixed reset interval, the window slides continuously relative to the current time.Pros
- No boundary burst problem
- Smooth, accurate limiting
- Better user experience for high-frequency APIs
Cons
- Slightly more complex to implement
- Uses more Redis memory (stores request timestamps)
When to use
- API endpoints where burst attacks matter
- Real-time systems (e.g. webhook deliveries, AI completions)
- High-traffic endpoints
Comparison
| Fixed Window | Sliding Window | |
|---|---|---|
| Reset behavior | Hard reset | Rolling |
| Burst vulnerability | Yes | No |
| Redis complexity | Low | Medium |
| Best for | Simple limits | Accurate limits |
Choosing in the Dashboard
When creating a rule, select the algorithm from the dropdown:- FIXED_WINDOW — Simple, fast, good default
- SLIDING_WINDOW — More accurate, better for security-sensitive routes