Security News
Input Validation Vulnerabilities Dominate MITRE's 2024 CWE Top 25 List
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
express-slow-down
Advanced tools
Basic IP rate-limiting middleware for Express that slows down responses rather than blocking the user.
Basic rate-limiting middleware for Express that slows down responses rather than blocking them outright. Use to limit repeated requests to public APIs and/or endpoints such as password reset.
Plays nice with Express Rate Limit
Note: this module does not share state with other processes/servers by default. This module was extracted from Express Rate Limit 2.x and can work with it's stores:
Note: when using express-slow-down and express-rate-limit with an external store, you'll need to create two instances of the store and provide different prefixes so that they don't double-count requests.
$ npm install --save express-slow-down
For an API-only server where the rules should be applied to all requests:
const slowDown = require("express-slow-down");
app.enable("trust proxy"); // only if you're behind a reverse proxy (Heroku, Bluemix, AWS if you use an ELB, custom Nginx setup, etc)
const speedLimiter = slowDown({
windowMs: 15 * 60 * 1000, // 15 minutes
delayAfter: 100, // allow 100 requests per 15 minutes, then...
delayMs: 500 // begin adding 500ms of delay per request above 100:
// request # 101 is delayed by 500ms
// request # 102 is delayed by 1000ms
// request # 103 is delayed by 1500ms
// etc.
});
// apply to all requests
app.use(speedLimiter);
For a "regular" web server (e.g. anything that uses express.static()
), where the rate-limiter should only apply to certain requests:
const slowDown = require("express-slow-down");
app.enable("trust proxy"); // only if you're behind a reverse proxy (Heroku, Bluemix, AWS if you use an ELB, custom Nginx setup, etc)
const resetPasswordSpeedLimiter = slowDown({
windowMs: 15 * 60 * 1000, // 15 minutes
delayAfter: 5, // allow 5 requests to go at full-speed, then...
delayMs: 100 // 6th request has a 100ms delay, 7th has a 200ms delay, 8th gets 300ms, etc.
});
// only apply to POST requests to /reset-password/
app.post("/reset-password/", resetPasswordSpeedLimiter, function(req, res) {
// handle /reset-password/ request here...
});
req.slowDown
A req.slowDown
property is added to all requests with the following fields:
limit
: The options.delayAfter value (defaults to 1)current
: The number of requests in the current windowremaining
: The number of requests remaining before rate-limiting beginsresetTime
: When the window will reset and current will return to 0, and remaining will return to limit (in milliseconds since epoch - compare to Date.now()). Note: this field depends on store support. It will be undefined if the store does not provide the value.delay
: Amount of delay imposed on current request (milliseconds)60000
(1 minute).windowMs
before starting to delay responses. Number or function that returns a number. Defaults to 1
. Set to 0
to disable delaying.delayAfter
). Defaults to 1000
(1 second). Set to 0
to disable delaying.true
failed requests (response status >= 400) won't be counted. Defaults to false
.true
successful requests (response status < 400) won't be counted. Defaults to false
.function (req /*, res*/) {
return req.ip;
}
function (/*req, res*/) {
return false;
}
function (req, res, options) {
/* empty */
}
MIT © Nathan Friedly
FAQs
Basic IP rate-limiting middleware for Express that slows down responses rather than blocking the user.
The npm package express-slow-down receives a total of 12,806 weekly downloads. As such, express-slow-down popularity was classified as popular.
We found that express-slow-down demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 3 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
MITRE's 2024 CWE Top 25 highlights critical software vulnerabilities like XSS, SQL Injection, and CSRF, reflecting shifts due to a refined ranking methodology.
Security News
In this segment of the Risky Business podcast, Feross Aboukhadijeh and Patrick Gray discuss the challenges of tracking malware discovered in open source softare.
Research
Security News
A threat actor's playbook for exploiting the npm ecosystem was exposed on the dark web, detailing how to build a blockchain-powered botnet.