diff --git a/src/RateLimiter/Counter.php b/src/RateLimiter/Counter.php
new file mode 100644
index 000000000..753b36260
--- /dev/null
+++ b/src/RateLimiter/Counter.php
@@ -0,0 +1,154 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Yiisoft\Yii\Web\RateLimiter;
+
+use Psr\SimpleCache\CacheInterface;
+
+/**
+ * Counter implements generic сell rate limit algorithm (GCRA) that ensures that after reaching the limit futher
+ * increments are distributed equally.
+ *
+ * @link https://en.wikipedia.org/wiki/Generic_cell_rate_algorithm
+ */
+final class Counter implements CounterInterface
+{
+    private const DEFAULT_TTL = 86400;
+
+    private const ID_PREFIX = 'rate-limiter-';
+
+    private const MILLISECONDS_PER_SECOND = 1000;
+
+    /**
+     * @var int period to apply limit to, in milliseconds
+     */
+    private int $period;
+
+    private int $limit;
+
+    /**
+     * @var float maximum interval before next increment, in milliseconds
+     * In GCRA it is known as emission interval.
+     */
+    private float $incrementInterval;
+
+    private ?string $id = null;
+
+    private CacheInterface $storage;
+
+    private int $ttl = self::DEFAULT_TTL;
+
+    /**
+     * @var int last increment time
+     * In GCRA it's known as arrival time
+     */
+    private int $lastIncrementTime;
+
+    /**
+     * @param int $limit maximum number of increments that could be performed before increments are limited
+     * @param int $period period to apply limit to, in seconds
+     * @param CacheInterface $storage
+     */
+    public function __construct(int $limit, int $period, CacheInterface $storage)
+    {
+        if ($limit < 1) {
+            throw new \InvalidArgumentException('The limit must be a positive value.');
+        }
+
+        if ($period < 1) {
+            throw new \InvalidArgumentException('The period must be a positive value.');
+        }
+
+        $this->limit = $limit;
+        $this->period = $period * self::MILLISECONDS_PER_SECOND;
+        $this->storage = $storage;
+
+        $this->incrementInterval = (float)($this->period / $this->limit);
+    }
+
+    public function setId(string $id): void
+    {
+        $this->id = $id;
+    }
+
+    /**
+     * @param int $ttl cache TTL that is used to store counter values
+     * Default is one day.
+     * Note that period can not exceed TTL.
+     */
+    public function setTtl(int $ttl): void
+    {
+        $this->ttl = $ttl;
+    }
+
+    public function getCacheKey(): string
+    {
+        return self::ID_PREFIX . $this->id;
+    }
+
+    public function incrementAndGetState(): CounterState
+    {
+        if ($this->id === null) {
+            throw new \LogicException('The counter ID should be set');
+        }
+
+        $this->lastIncrementTime = $this->getCurrentTime();
+        $theoreticalNextIncrementTime = $this->calculateTheoreticalNextIncrementTime(
+            $this->getLastStoredTheoreticalNextIncrementTime()
+        );
+        $remaining = $this->calculateRemaining($theoreticalNextIncrementTime);
+        $resetAfter = $this->calculateResetAfter($theoreticalNextIncrementTime);
+
+        if ($remaining >= 1) {
+            $this->storeTheoreticalNextIncrementTime($theoreticalNextIncrementTime);
+        }
+
+        return new CounterState($this->limit, $remaining, $resetAfter);
+    }
+
+    /**
+     * @param float $storedTheoreticalNextIncrementTime
+     * @return float theoretical increment time that would be expected from equally spaced increments at exactly rate limit
+     * In GCRA it is known as TAT, theoretical arrival time.
+     */
+    private function calculateTheoreticalNextIncrementTime(float $storedTheoreticalNextIncrementTime): float
+    {
+        return max($this->lastIncrementTime, $storedTheoreticalNextIncrementTime) + $this->incrementInterval;
+    }
+
+    /**
+     * @param float $theoreticalNextIncrementTime
+     * @return int the number of remaining requests in the current time period
+     */
+    private function calculateRemaining(float $theoreticalNextIncrementTime): int
+    {
+        $incrementAllowedAt = $theoreticalNextIncrementTime - $this->period;
+
+        return (int)(round($this->lastIncrementTime - $incrementAllowedAt) / $this->incrementInterval);
+    }
+
+    private function getLastStoredTheoreticalNextIncrementTime(): float
+    {
+        return $this->storage->get($this->getCacheKey(), (float)$this->lastIncrementTime);
+    }
+
+    private function storeTheoreticalNextIncrementTime(float $theoreticalNextIncrementTime): void
+    {
+        $this->storage->set($this->getCacheKey(), $theoreticalNextIncrementTime, $this->ttl);
+    }
+
+    /**
+     * @param float $theoreticalNextIncrementTime
+     * @return int timestamp to wait until the rate limit resets
+     */
+    private function calculateResetAfter(float $theoreticalNextIncrementTime): int
+    {
+        return (int)($theoreticalNextIncrementTime / self::MILLISECONDS_PER_SECOND);
+    }
+
+    private function getCurrentTime(): int
+    {
+        return (int)round(microtime(true) * self::MILLISECONDS_PER_SECOND);
+    }
+}
diff --git a/src/RateLimiter/CounterInterface.php b/src/RateLimiter/CounterInterface.php
new file mode 100644
index 000000000..a7b01c697
--- /dev/null
+++ b/src/RateLimiter/CounterInterface.php
@@ -0,0 +1,23 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Yiisoft\Yii\Web\RateLimiter;
+
+/**
+ * CounterInterface describes rate limiter counter
+ */
+interface CounterInterface
+{
+    /**
+     * @param string $id set counter ID
+     * Counters with non-equal IDs are counted separately.
+     */
+    public function setId(string $id): void;
+
+    /**
+     * Counts one request as done and returns object containing current counter state
+     * @return CounterState
+     */
+    public function incrementAndGetState(): CounterState;
+}
diff --git a/src/RateLimiter/CounterState.php b/src/RateLimiter/CounterState.php
new file mode 100644
index 000000000..421bad798
--- /dev/null
+++ b/src/RateLimiter/CounterState.php
@@ -0,0 +1,59 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Yiisoft\Yii\Web\RateLimiter;
+
+/**
+ * Rate limiter counter statistics
+ */
+final class CounterState
+{
+    private int $limit;
+    private int $remaining;
+    private int $reset;
+
+    /**
+     * @param int $limit the maximum number of requests allowed with a time period
+     * @param int $remaining the number of remaining requests in the current time period
+     * @param int $reset timestamp to wait until the rate limit resets
+     */
+    public function __construct(int $limit, int $remaining, int $reset)
+    {
+        $this->limit = $limit;
+        $this->remaining = $remaining;
+        $this->reset = $reset;
+    }
+
+    /**
+     * @return int the maximum number of requests allowed with a time period
+     */
+    public function getLimit(): int
+    {
+        return $this->limit;
+    }
+
+    /**
+     * @return int the number of remaining requests in the current time period
+     */
+    public function getRemaining(): int
+    {
+        return $this->remaining;
+    }
+
+    /**
+     * @return int timestamp to wait until the rate limit resets
+     */
+    public function getResetTime(): int
+    {
+        return $this->reset;
+    }
+
+    /**
+     * @return bool if requests limit is reached
+     */
+    public function isLimitReached(): bool
+    {
+        return $this->remaining === 0;
+    }
+}
diff --git a/src/RateLimiter/RateLimiterMiddleware.php b/src/RateLimiter/RateLimiterMiddleware.php
new file mode 100644
index 000000000..5778dead7
--- /dev/null
+++ b/src/RateLimiter/RateLimiterMiddleware.php
@@ -0,0 +1,99 @@
+<?php
+
+declare(strict_types=1);
+
+namespace Yiisoft\Yii\Web\RateLimiter;
+
+use Psr\Http\Message\ResponseFactoryInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Yiisoft\Http\Status;
+
+/**
+ * RateLimiter helps to prevent abuse by limiting the number of requests that could be me made consequentially.
+ *
+ * For example, you may want to limit the API usage of each user to be at most 100 API calls within a period of 10 minutes.
+ * If too many requests are received from a user within the stated period of the time, a response with status code 429
+ * (meaning "Too Many Requests") should be returned.
+ */
+final class RateLimiterMiddleware implements MiddlewareInterface
+{
+    private CounterInterface $counter;
+
+    private ResponseFactoryInterface $responseFactory;
+
+    private string $counterId;
+
+    /**
+     * @var callable
+     */
+    private $counterIdCallback;
+
+    public function __construct(CounterInterface $counter, ResponseFactoryInterface $responseFactory)
+    {
+        $this->counter = $counter;
+        $this->responseFactory = $responseFactory;
+    }
+
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        $this->counter->setId($this->generateId($request));
+        $result = $this->counter->incrementAndGetState();
+
+        if ($result->isLimitReached()) {
+            $response = $this->createErrorResponse();
+        } else {
+            $response = $handler->handle($request);
+        }
+
+        return $this->addHeaders($response, $result);
+    }
+
+    public function withCounterIdCallback(?callable $callback): self
+    {
+        $new = clone $this;
+        $new->counterIdCallback = $callback;
+
+        return $new;
+    }
+
+    public function withCounterId(string $id): self
+    {
+        $new = clone $this;
+        $new->counterId = $id;
+
+        return $new;
+    }
+
+    private function createErrorResponse(): ResponseInterface
+    {
+        $response = $this->responseFactory->createResponse(Status::TOO_MANY_REQUESTS);
+        $response->getBody()->write(Status::TEXTS[Status::TOO_MANY_REQUESTS]);
+
+        return $response;
+    }
+
+    private function generateId(ServerRequestInterface $request): string
+    {
+        if ($this->counterIdCallback !== null) {
+            return \call_user_func($this->counterIdCallback, $request);
+        }
+
+        return $this->counterId ?? $this->generateIdFromRequest($request);
+    }
+
+    private function generateIdFromRequest(ServerRequestInterface $request): string
+    {
+        return strtolower($request->getMethod() . '-' . $request->getUri()->getPath());
+    }
+
+    private function addHeaders(ResponseInterface $response, CounterState $result): ResponseInterface
+    {
+        return $response
+            ->withHeader('X-Rate-Limit-Limit', $result->getLimit())
+            ->withHeader('X-Rate-Limit-Remaining', $result->getRemaining())
+            ->withHeader('X-Rate-Limit-Reset', $result->getResetTime());
+    }
+}
diff --git a/tests/RateLimiter/CounterTest.php b/tests/RateLimiter/CounterTest.php
new file mode 100644
index 000000000..e605f6d35
--- /dev/null
+++ b/tests/RateLimiter/CounterTest.php
@@ -0,0 +1,93 @@
+<?php
+
+namespace Yiisoft\Yii\Web\Tests\RateLimiter;
+
+use InvalidArgumentException;
+use PHPUnit\Framework\TestCase;
+use Yiisoft\Cache\ArrayCache;
+use Yiisoft\Yii\Web\RateLimiter\Counter;
+
+final class CounterTest extends TestCase
+{
+    /**
+     * @test
+     */
+    public function statisticsShouldBeCorrectWhenLimitIsNotReached(): void
+    {
+        $counter = new Counter(2, 5, new ArrayCache());
+        $counter->setId('key');
+
+        $statistics = $counter->incrementAndGetState();
+        $this->assertEquals(2, $statistics->getLimit());
+        $this->assertEquals(1, $statistics->getRemaining());
+        $this->assertGreaterThanOrEqual(time(), $statistics->getResetTime());
+        $this->assertFalse($statistics->isLimitReached());
+    }
+
+    /**
+     * @test
+     */
+    public function statisticsShouldBeCorrectWhenLimitIsReached(): void
+    {
+        $counter = new Counter(2, 4, new ArrayCache());
+        $counter->setId('key');
+
+        $statistics = $counter->incrementAndGetState();
+        $this->assertEquals(2, $statistics->getLimit());
+        $this->assertEquals(1, $statistics->getRemaining());
+        $this->assertGreaterThanOrEqual(time(), $statistics->getResetTime());
+        $this->assertFalse($statistics->isLimitReached());
+
+        $statistics = $counter->incrementAndGetState();
+        $this->assertEquals(2, $statistics->getLimit());
+        $this->assertEquals(0, $statistics->getRemaining());
+        $this->assertGreaterThanOrEqual(time(), $statistics->getResetTime());
+        $this->assertTrue($statistics->isLimitReached());
+    }
+
+    /**
+     * @test
+     */
+    public function shouldNotBeAbleToSetInvalidId(): void
+    {
+        $this->expectException(\LogicException::class);
+        (new Counter(10, 60, new ArrayCache()))->incrementAndGetState();
+    }
+
+    /**
+     * @test
+     */
+    public function shouldNotBeAbleToSetInvalidLimit(): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+        new Counter(0, 60, new ArrayCache());
+    }
+
+    /**
+     * @test
+     */
+    public function shouldNotBeAbleToSetInvalidPeriod(): void
+    {
+        $this->expectException(InvalidArgumentException::class);
+        new Counter(10, 0, new ArrayCache());
+    }
+
+    /**
+     * @test
+     */
+    public function incrementMustBeUniformAfterLimitIsReached(): void
+    {
+        $counter = new Counter(10, 1, new ArrayCache());
+        $counter->setId('key');
+
+        for ($i = 0; $i < 10; $i++) {
+            $counter->incrementAndGetState();
+        }
+
+        for ($i = 0; $i < 5; $i++) {
+            usleep(110000); // period(microseconds) / limit + 10ms(cost work)
+            $statistics = $counter->incrementAndGetState();
+            $this->assertEquals(1, $statistics->getRemaining());
+        }
+    }
+}
diff --git a/tests/RateLimiter/FakeCounter.php b/tests/RateLimiter/FakeCounter.php
new file mode 100644
index 000000000..60959df9e
--- /dev/null
+++ b/tests/RateLimiter/FakeCounter.php
@@ -0,0 +1,37 @@
+<?php
+
+namespace Yiisoft\Yii\Web\Tests\RateLimiter;
+
+use Yiisoft\Yii\Web\RateLimiter\CounterInterface;
+use Yiisoft\Yii\Web\RateLimiter\CounterState;
+
+final class FakeCounter implements CounterInterface
+{
+    private int $remaining;
+    private int $limit;
+    private int $reset;
+    private string $id;
+
+    public function __construct(int $limit, int $reset)
+    {
+        $this->reset = $reset;
+        $this->limit = $limit;
+        $this->remaining = $limit;
+    }
+
+    public function setId(string $id): void
+    {
+        $this->id = $id;
+    }
+
+    public function getId(): ?string
+    {
+        return $this->id;
+    }
+
+    public function incrementAndGetState(): CounterState
+    {
+        $this->remaining--;
+        return new CounterState($this->limit, $this->remaining, $this->reset);
+    }
+}
diff --git a/tests/RateLimiter/RateLimiterMiddlewareTest.php b/tests/RateLimiter/RateLimiterMiddlewareTest.php
new file mode 100644
index 000000000..0c6d7b170
--- /dev/null
+++ b/tests/RateLimiter/RateLimiterMiddlewareTest.php
@@ -0,0 +1,116 @@
+<?php
+
+namespace Yiisoft\Yii\Web\Tests\RateLimiter;
+
+use Nyholm\Psr7\Factory\Psr17Factory;
+use Nyholm\Psr7\Response;
+use Nyholm\Psr7\ServerRequest;
+use PHPUnit\Framework\TestCase;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Yiisoft\Http\Method;
+use Yiisoft\Yii\Web\RateLimiter\CounterInterface;
+use Yiisoft\Yii\Web\RateLimiter\RateLimiterMiddleware;
+
+final class RateLimiterMiddlewareTest extends TestCase
+{
+    /**
+     * @test
+     */
+    public function singleRequestWorksAsExpected(): void
+    {
+        $counter = new FakeCounter(100, 100);
+        $response = $this->createRateLimiter($counter)->process($this->createRequest(), $this->createRequestHandler());
+        $this->assertEquals(200, $response->getStatusCode());
+
+        $this->assertEquals(
+            [
+                'X-Rate-Limit-Limit' => ['100'],
+                'X-Rate-Limit-Remaining' => ['99'],
+                'X-Rate-Limit-Reset' => ['100'],
+            ],
+            $response->getHeaders()
+        );
+    }
+
+    /**
+     * @test
+     */
+    public function limitingIsStartedWhenExpected(): void
+    {
+        $counter = new FakeCounter(2, 100);
+        $middleware = $this->createRateLimiter($counter);
+
+        // last allowed request
+        $response = $middleware->process($this->createRequest(), $this->createRequestHandler());
+        $this->assertEquals(200, $response->getStatusCode());
+        $this->assertEquals(
+            [
+                'X-Rate-Limit-Limit' => ['2'],
+                'X-Rate-Limit-Remaining' => ['1'],
+                'X-Rate-Limit-Reset' => ['100'],
+            ],
+            $response->getHeaders()
+        );
+
+        // first denied request
+        $response = $middleware->process($this->createRequest(), $this->createRequestHandler());
+        $this->assertEquals(429, $response->getStatusCode());
+        $this->assertEquals(
+            [
+                'X-Rate-Limit-Limit' => ['2'],
+                'X-Rate-Limit-Remaining' => ['0'],
+                'X-Rate-Limit-Reset' => ['100'],
+            ],
+            $response->getHeaders()
+        );
+    }
+
+    /**
+     * @test
+     */
+    public function counterIdCouldBeSet(): void
+    {
+        $counter = new FakeCounter(100, 100);
+        $middleware = $this->createRateLimiter($counter)->withCounterId('custom-id');
+        $middleware->process($this->createRequest(), $this->createRequestHandler());
+        $this->assertEquals('custom-id', $counter->getId());
+    }
+
+    /**
+     * @test
+     */
+    public function counterIdCouldBeSetWithCallback(): void
+    {
+        $counter = new FakeCounter(100, 100);
+        $middleware = $this->createRateLimiter($counter)->withCounterIdCallback(
+            static function (ServerRequestInterface $request) {
+                return $request->getMethod();
+            }
+        );
+
+        $middleware->process($this->createRequest(), $this->createRequestHandler());
+        $this->assertEquals('GET', $counter->getId());
+    }
+
+    private function createRequestHandler(): RequestHandlerInterface
+    {
+        return new class implements RequestHandlerInterface {
+            public function handle(ServerRequestInterface $request): ResponseInterface
+            {
+                return new Response(200);
+            }
+        };
+    }
+
+    private function createRequest(string $method = Method::GET, string $uri = '/'): ServerRequestInterface
+    {
+        return new ServerRequest($method, $uri);
+    }
+
+    private function createRateLimiter(CounterInterface $counter): RateLimiterMiddleware
+    {
+        return new RateLimiterMiddleware($counter, new Psr17Factory());
+    }
+}