What is express-rate-limit?
The express-rate-limit npm package is a middleware for Express applications that enables rate limiting to prevent abuse by restricting the number of requests a client can make in a given time frame. It is useful for preventing brute force attacks, DDoS attacks, and to generally control the traffic to an API or web application.
What are express-rate-limit's main functionalities?
Basic rate-limiting
This feature sets up basic rate-limiting on an Express application, limiting clients to a specified number of requests within a time frame.
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100 // limit each IP to 100 requests per windowMs
});
// Apply to all requests
app.use(limiter);
Custom message
This feature allows customization of the message sent back to the client when the rate limit is exceeded.
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 100,
message: 'Too many requests, please try again later.'
});
app.use(limiter);
Skip certain requests
This feature allows some requests to bypass the rate limit, based on a condition such as a specific IP address.
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 100,
skip: function (req, res) {
return req.ip === '123.123.123.123';
}
});
app.use(limiter);
Customize response headers
This feature enables sending HTTP headers to the client with information about their current rate limit status.
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
windowMs: 15 * 60 * 1000,
max: 100,
headers: true
});
app.use(limiter);
Other packages similar to express-rate-limit
ratelimiter
The 'ratelimiter' package is similar to 'express-rate-limit' but uses Redis for storing rate limit data, which makes it suitable for distributed applications. It is more complex to set up due to the dependency on Redis.
express-brute
The 'express-brute' package provides rate limiting with a focus on preventing brute-force attacks. It offers more customization options for handling lockouts and has a pluggable store system, which can be more flexible than 'express-rate-limit'.
express-slow-down
The 'express-slow-down' package is similar to 'express-rate-limit' but instead of blocking requests after a limit is reached, it slows down the response times. It's useful for slowing down repeated requests rather than completely blocking them.
express-rate-limit
Basic rate-limiting middleware for Express. Use to
limit repeated requests to public APIs and/or endpoints such as password reset.
Plays nice with
express-slow-down and
ratelimit-header-parser.
Usage
The full documentation is
available on-line.
import { rateLimit } from 'express-rate-limit'
const limiter = rateLimit({
windowMs: 15 * 60 * 1000,
limit: 100,
standardHeaders: 'draft-7',
legacyHeaders: false,
})
app.use(limiter)
Data Stores
The rate limiter comes with a built-in memory store, and supports a variety of
external data stores.
Configuration
All function options may be async. Click the name for additional info and
default values.
Option | Type | Remarks |
---|
windowMs | number | How long to remember requests for, in milliseconds. |
limit | number | function | How many requests to allow. |
message | string | json | function | Response to return after limit is reached. |
statusCode | number | HTTP status code after limit is reached (default is 429). |
legacyHeaders | boolean | Enable the X-Rate-Limit header. |
standardHeaders | 'draft-6' | 'draft-7' | Enable the Ratelimit header. |
requestPropertyName | string | Add rate limit info to the req object. |
skipFailedRequests | boolean | Uncount 4xx/5xx responses. |
skipSuccessfulRequests | boolean | Uncount 1xx/2xx/3xx responses. |
keyGenerator | function | Identify users (defaults to IP address). |
handler | function | Function to run after limit is reached (overrides message and statusCode settings, if set). |
skip | function | Return true to bypass the limiter for the given request. |
requestWasSuccessful | function | Used by skipFailedRequests and skipSuccessfulRequests . |
validate | boolean | object | Enable or disable built-in validation checks. |
store | Store | Use a custom store to share hit counts across multiple nodes. |
Thank You
Sponsored by Zuplo a fully-managed API
Gateway for developers. Add
dynamic rate-limiting,
authentication and more to any API in minutes. Learn more at
zuplo.com
Thanks to Mintlify for hosting the documentation at
express-rate-limit.mintlify.app
Finally, thank you to everyone who's contributed to this project in any way! 🫶
Issues and Contributing
If you encounter a bug or want to see something added/changed, please go ahead
and
open an issue!
If you need help with something, feel free to
start a discussion!
If you wish to contribute to the library, thanks! First, please read
the contributing guide.
Then you can pick up any issue and fix/implement it!
License
MIT © Nathan Friedly,
Vedant K