form_rate_limit
brotkrueml/typo3-form-rate-limit
2.1
en
Chris Müller
This document is published under the Creative Commons BY 4.0 license.
Tue, 21 Apr 2026 15:51:37 +0000
The extension provides an additional form finisher for rate limiting when sending a form.
Table of contents
The extension provides a form finisher for the TYPO3 Form Framework for rate limiting when sending a form. This way a submission can be restricted to, for example:
If the limit is exceeded, a customizable error is displayed.
This extension uses semantic versioning which basically means for you, that
Target group: Administrators
Note
The extension in version 2.1 supports TYPO3 v13 LTS and TYPO3 v14 LTS.
The recommended way to install this extension is by using Composer. In your Composer-based TYPO3 project root, just type:
composer req brotkrueml/typo3-form-rate-limitand the recent stable version will be installed.
In classic mode, you can also install the extension from the TYPO3 Extension Repository (TER).
Then continue with the configuration.
Target group: Developers, Integrators
This extension provides support for site sets.
Add
brotkrueml/ as dependency to the configuration of
your site package:
name: your-vendor/your-sitepackage
label: Sitepackage
dependencies:
# ... some other dependencies
- brotkrueml/form-rate-limitThe extension ships some TypoScript code which needs to be included.
Note
This is only necessary, if not using site sets.
Include TypoScript sets
Target group: Integrators
Note
For now, the finisher can only be integrated directly into the YAML form definition and not via the Forms module.
Under the hood, the symfony/rate-limiter is used. This is the same rate limiter that TYPO3 Core uses to limit the number of incorrect backend logins.
Tip
The state of a rate limit for a restriction combination is currently stored
in the var/ folder. This folder should be shared between
releases in deployment workflows accordingly.
To clean up the files and free disk storage a command is available.
Let's start with an example:
finishers:
- identifier: RateLimit
options:
policy: 'sliding_window'
interval: '1 hour'
limit: 2
restrictions:
- '__ipAddress'
- '__formIdentifier'
- '{email}'
template: 'EXT:my_extension/Resources/Private/Templates/Form/RateLimitExceeded.html'
# other finishers followThe example uses the "sliding window" policy. This form can be submitted successfully twice within one hour from the same IP address with the same provided email address. Additionally, a custom template for the error message is assigned.
Attention
The
Rate finisher should be the first finisher in line.
The form finisher ships with default options. If they are suitable for your needs, you can omit them in your form definition. The default values can be found in the following list.
string
1 hour
The interval for the policy used. Since the interval is later passed to the DateInterval object, any possible value understood by that object is possible, for example:
2 hours
10 minutes
1 day
1 hour 30 minutes
90 minutes
PT3600S (3600 seconds)int
1
The limit to which the form can be submitted with the provided restrictions within the specified interval.
string
sliding_
Two policies are currently available:
fixed_window This is the simplest technique and it is based on setting a limit for a given interval of time (for instance, 5 submits per hour).
See Fixed Window Rate Limiter for details.
sliding_window This is similar to the fixed window rate limiter, but then using a 1 hour window that slides over the timeline.
See: Sliding Window Rate Limiter for details.
The "token_bucket" policy is currently not supported.
array
['__
The restrictions for limiting the submission of a form. The default value combines the IP address and the form identifier.
The possible values can be combined at will:
__ipAddress
__formIdentifier The form identifier is taken into account. This is a combination of the identifier in the form definition and the content element ID.
In connection mode the content element ID is the same for each language. In free mode the content element ID is different for each language.
{someFormField} Every form field can be used to add an additional restriction. The field identifier must be surrounded by curly brackets.
For example, if you want to limit the submission to the given email
address, this field can be added to the restriction list as
{email} if the identifier of the email address field is named
email.
someCustomValue Examples:
Limit by the form and an email address (available as "email" field):
restrictions:
- '__formIdentifier'
- '{email}'Limit by a custom value and some of the defined fields. This may be helpful when you have the form multiple times on the website:
restrictions:
- 'our-weekend-raffle'
- '{name}'
- '{address}'
- '{zip}'
- '{city}'string
EXT:
The extension provides a Fluid template that is used when the rate limit
is exceeded. You can (and usually want) to customise it to your needs. The
template option gives you the possibility to assign a custom template
to a finisher. Some variables in the template are available:
Target group: Developers
Have a look into the event dispatcher documentation, if you are not familiar with PSR-14 events.
This event is dispatched when the rate limit for a form has been exceeded. This way you can create an event listener which notifies you about the exceeded limit: add a log entry, send an email, inform a third-party system, etc.
The event
\Brotkrueml\
provides the following methods:
->getFormIdentifier(): string
->getInterval(): string
->getLimit(): int
->getPolicy(): string
->getRequest(): \Psr\Http\Message\ServerRequestInterface This example adds an entry to the TYPO3 log:
<?php
declare(strict_types=1);
/*
* This file is part of the "form_rate_limit" extension for TYPO3 CMS.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*/
namespace YourVendor\YourExtension\EventListener;
use Brotkrueml\FormRateLimit\Event\RateLimitExceededEvent;
use Psr\Log\LoggerInterface;
use TYPO3\CMS\Core\Attribute\AsEventListener;
#[AsEventListener(
identifier: 'your-extension/form-rate-limit-exceeded-logger',
)]
final readonly class FormRateLimitExceededLogger
{
public function __construct(
private LoggerInterface $logger,
) {}
public function __invoke(RateLimitExceededEvent $event): void
{
$this->logger->warning(
'The form with identifier "{formIdentifier}" was sent more than {limit} times within {interval}',
[
'formIdentifier' => $event->getFormIdentifier(),
'limit' => $event->getLimit(),
'interval' => $event->getInterval(),
],
);
}
}
Target group: Administrators
The states of the rate limiter is stored in the var/
folder. To clean up this folder with expired states, a command is available. You
can call it on the console with:
vendor/bin/typo3 formratelimit:cleanupexpiredstorageentriestypo3/sysext/core/bin/typo3 formratelimit:cleanupexpiredstorageentriesTo run the command regularly you can add a cron job or run it from the TYPO3 scheduler.
The finisher preset identified by "RateLimit" could not be found, or the implementationClassName was not specified.:
Please include the TypoScript configuration shipped with this extension.
Tried resolving a template file for controller action "Standard->index" in format ".html", but none of the paths contained the expected template file (...). No paths configured.
The assigned template to the finisher is not available. Please check the path and filename.
All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
Initial release