express-rate-limit

What is express-rate-limit?

The express-rate-limit npm package is a middleware for Express applications that enables rate limiting to prevent abuse by restricting the number of requests a client can make in a given time frame. It is useful for preventing brute force attacks, DDoS attacks, and to generally control the traffic to an API or web application.

What are express-rate-limit's main functionalities?

Basic rate-limiting

This feature sets up basic rate-limiting on an Express application, limiting clients to a specified number of requests within a time frame.

const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100 // limit each IP to 100 requests per windowMs
});

// Apply to all requests
app.use(limiter);

Custom message

This feature allows customization of the message sent back to the client when the rate limit is exceeded.

const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
  message: 'Too many requests, please try again later.'
});

app.use(limiter);

Skip certain requests

This feature allows some requests to bypass the rate limit, based on a condition such as a specific IP address.

const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
  skip: function (req, res) {
    return req.ip === '123.123.123.123';
  }
});

app.use(limiter);

Customize response headers

This feature enables sending HTTP headers to the client with information about their current rate limit status.

const rateLimit = require('express-rate-limit');
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 100,
  headers: true
});

app.use(limiter);

Other packages similar to express-rate-limit

ratelimiter

The 'ratelimiter' package is similar to 'express-rate-limit' but uses Redis for storing rate limit data, which makes it suitable for distributed applications. It is more complex to set up due to the dependency on Redis.

express-brute

The 'express-brute' package provides rate limiting with a focus on preventing brute-force attacks. It offers more customization options for handling lockouts and has a pluggable store system, which can be more flexible than 'express-rate-limit'.

express-slow-down

The 'express-slow-down' package is similar to 'express-rate-limit' but instead of blocking requests after a limit is reached, it slows down the response times. It's useful for slowing down repeated requests rather than completely blocking them.

README

express-rate-limit

Basic rate-limiting middleware for Express. Use to limit repeated requests to public APIs and/or endpoints such as password reset. Plays nice with express-slow-down and ratelimit-header-parser.

Usage

The full documentation is available on-line.

import { rateLimit } from 'express-rate-limit'

const limiter = rateLimit({
	windowMs: 15 * 60 * 1000, // 15 minutes
	limit: 100, // Limit each IP to 100 requests per `window` (here, per 15 minutes).
	standardHeaders: 'draft-8', // draft-6: `RateLimit-*` headers; draft-7 & draft-8: combined `RateLimit` header
	legacyHeaders: false, // Disable the `X-RateLimit-*` headers.
	ipv6Subnet: 56, // Set to 60 or 64 to be less aggressive, or 52 or 48 to be more aggressive
	// store: ... , // Redis, Memcached, etc. See below.
})

// Apply the rate limiting middleware to all requests.
app.use(limiter)

Data Stores

The rate limiter comes with a built-in memory store, and supports a variety of external data stores.

Configuration

All function options may be async. Click the name for additional info and default values.

Option	Type	Remarks
windowMs	number	How long to remember requests for, in milliseconds.
limit	number | function	How many requests to allow.
message	string | json | function	Response to return after limit is reached.
statusCode	number	HTTP status code after limit is reached (default is 429).
handler	function	Function to run after limit is reached (overrides message and statusCode settings, if set).
legacyHeaders	boolean	Enable the X-Rate-Limit header.
standardHeaders	'draft-6' | 'draft-7' | 'draft-8'	Enable the Ratelimit header.
identifier	string | function	Name associated with the quota policy enforced by this rate limiter.
store	Store	Use a custom store to share hit counts across multiple nodes.
passOnStoreError	boolean	Allow (true) or block (false, default) traffic if the store becomes unavailable.
keyGenerator	function	Identify users (defaults to IP address).
ipv6Subnet	number (32-64) | function | false	How many bits of IPv6 addresses to use in default keyGenerator
requestPropertyName	string	Add rate limit info to the req object.
skip	function	Return true to bypass the limiter for the given request.
skipSuccessfulRequests	boolean	Uncount 1xx/2xx/3xx responses.
skipFailedRequests	boolean	Uncount 4xx/5xx responses.
requestWasSuccessful	function	Used by skipSuccessfulRequests and skipFailedRequests.
validate	boolean | object	Enable or disable built-in validation checks.

Thank You

Sponsored by Zuplo a fully-managed API Gateway for developers. Add dynamic rate-limiting, authentication and more to any API in minutes. Learn more at zuplo.com

Thanks to Mintlify for hosting the documentation at express-rate-limit.mintlify.app

Finally, thank you to everyone who's contributed to this project in any way! 🫶

Issues and Contributing

If you encounter a bug or want to see something added/changed, please go ahead and open an issue! If you need help with something, feel free to start a discussion!

If you wish to contribute to the library, thanks! First, please read the contributing guide. Then you can pick up any issue and fix/implement it!

License

MIT © Nathan Friedly, Vedant K