What is express-rate-limit?
The express-rate-limit npm package is a middleware for Express applications that enables rate limiting to prevent abuse by restricting the number of requests a client can make in a given time frame. It is useful for preventing brute force attacks, DDoS attacks, and to generally control the traffic to an API or web application.
What are express-rate-limit's main functionalities?
Basic rate-limiting
This feature sets up basic rate-limiting on an Express application, limiting clients to a specified number of requests within a time frame.
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100 // limit each IP to 100 requests per windowMs
});
// Apply to all requests
app.use(limiter);
Custom message
This feature allows customization of the message sent back to the client when the rate limit is exceeded.
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 100,
message: 'Too many requests, please try again later.'
});
app.use(limiter);
Skip certain requests
This feature allows some requests to bypass the rate limit, based on a condition such as a specific IP address.
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 100,
skip: function (req, res) {
return req.ip === '123.123.123.123';
}
});
app.use(limiter);
Customize response headers
This feature enables sending HTTP headers to the client with information about their current rate limit status.
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 100,
headers: true
});
app.use(limiter);
Other packages similar to express-rate-limit
ratelimiter
The 'ratelimiter' package is similar to 'express-rate-limit' but uses Redis for storing rate limit data, which makes it suitable for distributed applications. It is more complex to set up due to the dependency on Redis.
express-brute
The 'express-brute' package provides rate limiting with a focus on preventing brute-force attacks. It offers more customization options for handling lockouts and has a pluggable store system, which can be more flexible than 'express-rate-limit'.
express-slow-down
The 'express-slow-down' package is similar to 'express-rate-limit' but instead of blocking requests after a limit is reached, it slows down the response times. It's useful for slowing down repeated requests rather than completely blocking them.
Basic rate-limiting middleware for Express. Use to limit access to public endpoints such as account creation and password reset.
Note: this module does not share state with other processes/servers, so if you need a more robust solution, I recommend checking out the excellent strict-rate-limiter
Install
$ npm install --save express-rate-limit
Usage
var RateLimit = require('express-rate-limit');
app.enable('trust proxy');
var limiter = RateLimit({
windowMs: 60 * 1000
delayMs: 1000,
max: 5,
global: false
});
app.use(limiter);
app.post('/create-account', limiter, function(req, res) {
}
You could apply this globally on a regular website, but be aware that it would then trigger on images, css, etc. So I wouldn't recommend it.
License
MIT © Nathan Friedly