How to protect a tunnel with rate limiting

Rate limits cap how many requests a client can send in a time window. Your laptop stays up when someone hammers a public tunnel URL.

Free plan: 1 rate-limit policy. Pro / PAYG: 10.

Step 1 — Create the policy

1. Open Dashboard → Security → Rate Limiting.
2. Choose per-IP or global limits, window (second/minute/hour), and burst if needed.
3. Copy ngsrv_rate_….

Step 2 — Attach to a tunnel

ngsrv http 4242 --subdomain hooks --policy ngsrv_rate_stripe

port: 4242
subdomain: hooks
security_policies:
  - ngsrv_rate_stripe

Webhook receivers

Stripe can send bursts on busy accounts. Set limits above your expected peak so legitimate events pass; you are mainly blocking scanners and accidental loops.

Response codes

Policies can return 429 (Too Many Requests) or 503 — pick what matches your API conventions.

More: Rate limiting docs