
express-rate-limit - npm Package Compare versions

Comparing version 1.0.3 to 1.1.0


lib/express-rate-limit.js

@@ -12,3 +12,4 @@ 'use strict';

// window, delay, and max apply per-ip unless global is set to true
windowMs: 60 * 1000, // miliseconds - how long to keep records of requests in memory
windowMs: 60 * 1000, // milliseconds - how long to keep records of requests in memory
delayAfter: 1, // how many requests to allow through before starting to delay responses
delayMs: 1000, // milliseconds - base delay applied to the response - multiplied by number of recent hits from user's IP
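Review bot: the `delayMs` comment is now stale: it still says the delay is "multiplied by number of recent hits from user's IP", but with `delayAfter` introduced the multiplier becomes hits minus `delayAfter` (the later change in this file reads `var delay = (hits[ip] - options.delayAfter) * options.delayMs;`). Update the comment to something like `// milliseconds - base delay applied to the response - multiplied by (recent hits - delayAfter)`. The default `delayAfter: 1` does preserve the old behaviour of not delaying the first request, which is worth saying in the changelog.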

@@ -38,3 +39,3 @@ max: 5, // max number of recent connections during `window` miliseconds before sending a 400 response

if (hits[ip] > options.max) {
if (options.max && hits[ip] > options.max) {
// 429 status = Too Many Requests (RFC 6585)
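Review bot: the context comment on `max` in this hunk's header still says the limiter sends "a 400 response", while the code (and the comment directly below) sends 429; fix the comment so operators writing alerts or client retry logic on the status code are not misled. The new `options.max &&` guard means `max: 0` disables blocking entirely, which matches the README; a one-line comment saying so would help, since a reader could otherwise take `0` to mean "block everything".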

@@ -44,5 +45,8 @@ return res.status(429).end(options.message);

// first hit shouldn't be delayed, so subtract 1
var delay = (hits[ip]-1) * options.delayMs;
setTimeout(next, delay);
if (options.delayAfter && options.delayMs && hits[ip] > options.delayAfter) {
var delay = (hits[ip] - options.delayAfter) * options.delayMs;
setTimeout(next, delay);
} else {
next();
}
};
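Review bot: the guards look correct (the first `delayAfter` requests pass undelayed, the next waits `delayMs`, then `2 * delayMs`, and so on, and `delayAfter: 0` or `delayMs: 0` falls through to `next()`), but the computed `delay` is unbounded. Each delayed request keeps its connection open and a timer pending, so when `max` is disabled (`0`) the number of in-flight delayed responses is limited only by how many requests arrive within `windowMs`. Consider capping it (for example `delay = Math.min(delay, someCeilingMs)`, where the ceiling would be a new option not present in this diff) or documenting that `max` should stay enabled whenever delays are used.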

@@ -49,0 +53,0 @@ }

{
"name": "express-rate-limit",
"version": "1.0.3",
"version": "1.1.0",
"description": "Basic rate-limiting middleware for Express. Use to limit access to public endpoints such as account creation and password reset.",

@@ -28,15 +28,16 @@ "homepage": "https://github.com/nfriedly/express-rate-limit",

"dependencies": {
"defaults": "^1.0.0"
"defaults": "^1.0.2"
},
"devDependencies": {
"express": "^4.10.4",
"express": "^4.13.1",
"grunt-cli": "^0.1.13",
"grunt-contrib-jshint": "^0.10.0",
"grunt-contrib-jshint": "^0.11.2",
"grunt-contrib-nodeunit": "^0.4.1",
"grunt-contrib-watch": "^0.6.1",
"grunt-mocha-cli": "^1.11.0",
"jshint-stylish": "^1.0.0",
"load-grunt-tasks": "^1.0.0",
"supertest": "^0.15.0",
"time-grunt": "^1.0.0"
"grunt-mocha-cli": "^1.14.0",
"jshint-stylish": "^2.0.1",
"load-grunt-tasks": "^3.2.0",
"sinon": "^1.16.1",
"supertest": "^1.0.1",
"time-grunt": "^1.2.1"
},

@@ -43,0 +44,0 @@ "scripts": {

@@ -8,5 +8,6 @@ # Express Rate Limit

Basic rate-limiting middleware for Express. Use to limit access to public endpoints such as account creation and password reset.
Basic rate-limiting middleware for Express. Use to limit repeated requests to public endpoints such as account creation and password reset.
Note: this module does not share state with other processes/servers, so if you need a more robust solution, I recommend checking out the excellent [strict-rate-limiter](https://www.npmjs.com/package/strict-rate-limiter)
Note: this module does not share state with other processes/servers.
If you need a more robust solution, I recommend checking out the excellent [strict-rate-limiter](https://www.npmjs.com/package/strict-rate-limiter)

@@ -20,3 +21,15 @@

## Configuration
* **windowMs**: milliseconds - how long to keep records of requests in memory. Defaults to 60,000 (1 minute).
* **delayAfter**: max number of connections during `windowMs` before starting to delay responses. Defaults to 1. Set to 0 to disable entirely.
* **delayMs**: milliseconds - how long to delay the response; is multiplied by number of recent hits - `delayAfter`. Defaults to 1,000 (1 second). Set to 0 to disable entirely.
* **max**: max number of recent connections during `windowMs` milliseconds before sending a 400 response. Defaults to 5. Set to 0 to disable entirely.
* **global**: If true, IP address is ignored and a single global hit counter is used. Defaults to false.
* **message**: Error message returned when `max` is exceeded. Defaults to 'Too many requests, please try again later.'
The `delayAfter` and `delayMs` options were written for human-facing pages such as login and password reset forms.
For public APIs, setting these to `0` (disabled) and relying on only `windowMs` and `max` for rate-limiting usually makes the most sense.
## Usage
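Review bot: the `max` entry says "before sending a 400 response", but the middleware returns 429 (the code comment cites RFC 6585); change it to 429 so the documentation and the behaviour agree. The `delayMs` entry's phrase "is multiplied by number of recent hits - `delayAfter`" is easy to misread as a dash; suggest "is multiplied by (number of recent hits minus `delayAfter`)". The added paragraph recommending `delayAfter: 0` and `delayMs: 0` for public APIs is a good addition; it would be stronger with the reason that delayed responses hold connections open.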

@@ -31,8 +44,8 @@

var limiter = RateLimit({
// window, delay, and max apply per-ip unless global is set to true
windowMs: 60 * 1000, // miliseconds - how long to keep records of requests in memory
delayMs: 1000, // milliseconds - base delay applied to the response - multiplied by number of recent hits from user's IP
max: 5, // max number of recent connections during `window` miliseconds before (temporarily) bocking the user.
global: false, // if true, IP address is ignored and setting is applied equally to all requests
message: 'You have been very naughty.. No API response for you!!' // if message is set, the provide message will be shown instead of `Too many requests, please try again later.`
windowMs: 60 * 1000,
delayAfter: 1,
delayMs: 1000,
max: 5,
global: false,
message: 'Too many requests, please try again later.'
});
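Review bot: the rewritten example sets every option to its default value (including `message`), so it no longer shows the reader anything the Configuration section does not. Consider showing the two intended modes instead: the human-facing form configuration with `delayAfter`/`delayMs`, and the API configuration the text just recommended (`delayAfter: 0, delayMs: 0` with only `windowMs` and `max`).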

@@ -44,2 +57,3 @@

// for a "regular" website, apply this only to specific endpoints
// (this includes Single Page Apps if you serve the assets with express.static())
app.post('/create-account', limiter, function(req, res) {

@@ -50,6 +64,7 @@ // ...

You **could** apply this globally on a regular website, but be aware that it would then trigger on images, css, etc. So I wouldn't recommend it.
You **could** apply this globally (`app.use(limiter);`) on a regular website, but be aware that it would then trigger on images, css, etc. So I wouldn't recommend it.
## License
MIT © [Nathan Friedly](http://nfriedly.com/)