What is express-rate-limit?
The express-rate-limit npm package is a middleware for Express applications that limits how many requests a client (by default, an IP address taken from req.ip) can make in a given time window. It is useful for slowing brute-force attacks against logins and password resets and for generally controlling the traffic to an API or web application. Because it counts requests inside the application process, it is not on its own a defense against volumetric DDoS attacks.
What are express-rate-limit's main functionalities?
Basic rate-limiting
This feature sets up basic rate-limiting on an Express application, limiting clients to a specified number of requests within a time frame.
const express = require('express');
const rateLimit = require('express-rate-limit');
const app = express();
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100 // limit each IP to 100 requests per windowMs
});
// Apply to all requests
app.use(limiter);
Custom message
This feature allows customization of the message sent back to the client when the rate limit is exceeded.
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 100,
message: 'Too many requests, please try again later.'
});
app.use(limiter);
Skip certain requests
This feature allows some requests to bypass the rate limit, based on a condition such as a specific IP address. An allowlist keyed on req.ip is only as trustworthy as that address, so it should be paired with a trust proxy setting that does not accept X-Forwarded-For from arbitrary clients.
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 100,
skip: function (req, res) {
return req.ip === '123.123.123.123';
}
});
app.use(limiter);
Customize response headers
This feature sends X-RateLimit-* headers (the limit and the remaining allowance) with each response, plus a Retry-After header when the limit is exceeded, so well-behaved clients can back off. In newer releases the headers option has been replaced by legacyHeaders and standardHeaders.
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 100,
headers: true
});
app.use(limiter);
Other packages similar to express-rate-limit
ratelimiter
The 'ratelimiter' package is a similar limiter that keeps its counters in Redis, so several processes or servers share one limit, which makes it suitable for distributed applications. It is more complex to set up because of the dependency on Redis.
express-brute
The 'express-brute' package provides rate limiting with a focus on preventing brute-force attacks. It offers more customization options for handling lockouts and has a pluggable store system, which can be more flexible than 'express-rate-limit'.
express-slow-down
The 'express-slow-down' package is similar to 'express-rate-limit' but instead of blocking requests after a limit is reached, it slows down the response times. It's useful for slowing down repeated requests rather than completely blocking them.
Express Rate Limit
Basic rate-limiting middleware for Express. Use it to limit repeated requests to public endpoints such as account creation and password reset.
Note: this module does not share state with other processes/servers. Each process keeps its own in-memory counters, so with N processes behind a load balancer a client can make roughly N times max requests per window.
If you need a more robust solution, I recommend checking out the excellent strict-rate-limiter.
Install
$ npm install --save express-rate-limit
Configuration
- windowMs: milliseconds - how long to keep records of requests in memory. Defaults to 60000 (1 minute).
- delayAfter: max number of connections during windowMs before starting to delay responses. Defaults to 1. Set to 0 to disable delaying.
- delayMs: milliseconds - how long to delay the response, multiplied by (number of recent hits - delayAfter). Defaults to 1000 (1 second). Set to 0 to disable delaying.
- max: max number of connections during windowMs milliseconds before sending a 429 response. Defaults to 5. Set to 0 to disable.
- message: Error message returned when max is exceeded. Defaults to 'Too many requests, please try again later.'
- statusCode: HTTP status code returned when max is exceeded. Defaults to 429.
The delayAfter and delayMs options were written for human-facing pages such as login and password reset forms. For public APIs, setting these to 0 (disabled) and relying only on windowMs and max for rate-limiting usually makes the most sense.
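To make the options in the functionality section and the configuration list above concrete, here is a small fixed-window limiter written in the shape of an Express middleware. It is added illustrative code, not the express-rate-limit implementation: option names and defaults follow the README list, while the injectable clock (now), the exposed check function and the keyGenerator hook are assumptions added so the logic can be exercised without a running server.

```javascript
// Added illustrative code, not the express-rate-limit implementation.
// Option names and defaults follow the README list; `now` (an injectable
// clock), `check` and `keyGenerator` are assumptions added for testability.
const DEFAULTS = {
  windowMs: 60 * 1000,   // keep counters for 1 minute
  max: 5,                // send statusCode after 5 hits in the window; 0 disables
  delayAfter: 1,         // start delaying once a key has more than 1 hit; 0 disables
  delayMs: 1000,         // delay grows by 1 s for every hit past delayAfter
  message: 'Too many requests, please try again later.',
  statusCode: 429,
  headers: true,         // emit X-RateLimit-* and Retry-After
  skip: function () { return false; },
  keyGenerator: function (req) { return req.ip; },
  now: Date.now,
};

function createLimiter(userOptions) {
  const opts = Object.assign({}, DEFAULTS, userOptions);
  const hits = new Map(); // key -> { count, resetAt } (one fixed window per key)

  // Records one hit for `key` at time `now` and reports the decision.
  // Kept free of req/res so it can be tested with a fake clock.
  function check(key, now) {
    let entry = hits.get(key);
    if (!entry || now >= entry.resetAt) {
      // First hit, or the previous window expired: start a new window.
      entry = { count: 0, resetAt: now + opts.windowMs };
      hits.set(key, entry);
    }
    entry.count += 1;
    const overMax = opts.max > 0 && entry.count > opts.max;
    const pastDelay = opts.delayAfter > 0 && entry.count > opts.delayAfter;
    const delay = pastDelay && opts.delayMs > 0
      ? (entry.count - opts.delayAfter) * opts.delayMs
      : 0;
    return {
      allowed: !overMax,
      delay: delay,
      remaining: opts.max > 0 ? Math.max(opts.max - entry.count, 0) : Infinity,
      retryAfterSec: Math.ceil((entry.resetAt - now) / 1000),
    };
  }

  function middleware(req, res, next) {
    if (opts.skip(req, res)) return next();
    const result = check(opts.keyGenerator(req), opts.now());
    if (opts.headers && opts.max > 0) {
      res.setHeader('X-RateLimit-Limit', opts.max);
      res.setHeader('X-RateLimit-Remaining', result.remaining);
    }
    if (!result.allowed) {
      if (opts.headers) res.setHeader('Retry-After', result.retryAfterSec);
      return res.status(opts.statusCode).send(opts.message);
    }
    if (result.delay > 0) {
      // Past delayAfter but under max: slow the response down instead of rejecting.
      setTimeout(next, result.delay);
      return;
    }
    next();
  }

  middleware.check = check;                                 // exposed for tests
  middleware.resetIp = function (ip) { hits.delete(ip); };  // same name as the README API
  return middleware;
}
```

Usage mirrors the README: app.post('/login', createLimiter({ max: 5, delayAfter: 0 }), handler). Note that the counters live in one Map inside this process, which is exactly the "does not share state" limitation the README warns about.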
Usage
For an API-only server where the rate-limiter should be applied to all requests. Enable 'trust proxy' only when a reverse proxy in front of the app sets X-Forwarded-For; if the app is reachable directly, clients can supply that header themselves and choose which address the limiter counts against:
var express = require('express');
var rateLimit = require('express-rate-limit');
var app = express();
app.enable('trust proxy'); // only if a reverse proxy sets X-Forwarded-For
var limiter = rateLimit({}); // defaults: 5 requests per minute, delay after the first
app.use(limiter);
For a "regular" web server (e.g. anything that uses express.static()), where the rate-limiter should only apply to certain requests. The reset endpoint below clears the caller's own counter, which weakens the limit it protects; in a real deployment restrict such an endpoint to administrators:
var rateLimit = require('express-rate-limit');
app.enable('trust proxy'); // only if a reverse proxy sets X-Forwarded-For
var limiter = rateLimit({});
app.use('/api/', limiter);
app.post('/create-account', limiter, function(req, res) {
  // ...
});
var limiter2 = rateLimit({});
app.post('/reset-rate-limit', limiter2, function(req, res) {
  limiter.resetIp(req.ip);
  res.sendStatus(204); // respond so the request does not hang
});
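Both usage snippets call app.enable('trust proxy'), so it is worth seeing what that does to the key an IP-based limiter counts on. The example below is added illustrative code, not part of Express or express-rate-limit: clientAddress() mimics the hop-counting rule Express applies for the two common settings (true, meaning trust every hop and use the leftmost X-Forwarded-For entry, and a numeric hop count n, meaning trust the n nearest proxies and use the first address beyond them); the subnet-list and function forms of the setting are left out, and all addresses are constructed for the demo.

```javascript
// Added illustrative code (not Express's proxy-addr logic): a simplified model
// of how req.ip is derived from the TCP peer and X-Forwarded-For under the
// `trust proxy` setting. Addresses used by the demo are constructed.
function clientAddress(socketAddr, xffHeader, trustProxy) {
  const forwarded = xffHeader
    ? xffHeader.split(',').map((s) => s.trim()).filter(Boolean)
    : [];
  // Path of the request, nearest hop first: the TCP peer, then the
  // X-Forwarded-For entries from right (nearest proxy) to left (claimed origin).
  const chain = [socketAddr].concat(forwarded.reverse());
  if (trustProxy === true) return chain[chain.length - 1]; // trust every hop
  const hops = Number(trustProxy) || 0;
  // First address that is not a trusted proxy; if every hop is trusted, the last one.
  return chain[Math.min(hops, chain.length - 1)];
}

// How many distinct limiter buckets does one peer get by rotating the header?
function bucketsSeen(trustProxy, socketAddr, headers) {
  const counts = new Map();
  for (const h of headers) {
    const key = clientAddress(socketAddr, h, trustProxy);
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  return counts;
}

// Constructed scenario: one attacker, three spoofed X-Forwarded-For values.
const ATTACKER = '203.0.113.7';
const SPOOFED = ['198.51.100.1', '198.51.100.2', '198.51.100.3'];
const PROXY = '10.0.0.2';

// Directly exposed app that trusts every hop: three separate buckets, limit bypassed.
function exposedAndTrusting() { return bucketsSeen(true, ATTACKER, SPOOFED).size; }
// Same app with trust proxy off: every request lands on the real peer address.
function exposedAndStrict() { return bucketsSeen(0, ATTACKER, SPOOFED).get(ATTACKER); }
// Behind one proxy that appends the real client address, trusting exactly one hop.
function behindOneProxy() {
  const viaProxy = SPOOFED.map((s) => s + ', ' + ATTACKER);
  return bucketsSeen(1, PROXY, viaProxy).get(ATTACKER);
}
```

The takeaway for the README's snippets: set 'trust proxy' to the number of proxies (or their addresses) actually in front of the app rather than blanket-enabling it, otherwise a client can reset its own bucket on every request simply by changing a header.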
Instance API
- resetIp(ip): Resets the rate limiting for a given ip.
v2 changes
v2 uses a less precise but less resource intensive method of tracking hits from a given IP. v2 also adds the limiter.resetIp() API and removes the global: true option.
License
MIT © Nathan Friedly