DEV Community

Alex Aslam
Alex Aslam

Posted on

Stop API Abuse Dead in Its Tracks: Rate Limiting with `express-rate-limit` πŸš¦πŸ”’

#webdev #programming #javascript #automation

Your API is getting hammered. Some script kiddie is brute-forcing your /login endpoint. Your cloud bill is skyrocketing because of one rogue client. You’re this close to rage-quitting DevOps forever.

Breathe. express-rate-limit is here to save your sanityβ€”with just 5 lines of code. Let’s lock things down.

Why Rate Limit? (The Brutal Truth)

  • Stop brute-force attacks β†’ No more admin:password attempts.
  • Prevent DDoS β†’ Avoid becoming a victim of someone else’s script.
  • Save $$$ β†’ Fewer requests = lower cloud bills.
  • Fair usage β†’ Protect your API for real users.

Installation (Quick Start) 

npm install express-rate-limit
Enter fullscreen mode Exit fullscreen mode

Basic Protection (5 Lines of Code) 

const rateLimit = require('express-rate-limit');  

const limiter = rateLimit({  
  windowMs: 15 * 60 * 1000, // 15 minutes  
  max: 100, // Limit each IP to 100 requests per window  
  message: 'Too many requests, please try again later.'  
});  

app.use(limiter); // Apply to all routes
Enter fullscreen mode Exit fullscreen mode

βœ… Instantly blocks:

  • Brute-force attacks
  • Runaway scripts
  • API spam

Advanced Tactics (For Paranoid Devs)

1. Targeted Rate Limiting 

// Only limit /login  
app.post('/login', limiter, (req, res) => { ... });
Enter fullscreen mode Exit fullscreen mode

2. Stricter Rules for Sensitive Routes 

const strictLimiter = rateLimit({  
  windowMs: 5 * 60 * 1000, // 5 minutes  
  max: 10, // 10 requests max  
  message: 'Slow down! Too many login attempts.'  
});  

app.post('/login', strictLimiter);
Enter fullscreen mode Exit fullscreen mode

3. Bypass for Trusted IPs (Internal Services) 

const limiter = rateLimit({  
  windowMs: 15 * 60 * 1000,  
  max: 100,  
  skip: (req) => req.ip === '192.168.1.1' // Bypass for internal IP  
});
Enter fullscreen mode Exit fullscreen mode

4. Redis Backend (For Distributed Apps) 

npm install rate-limit-redis
Enter fullscreen mode Exit fullscreen mode 
const RedisStore = require('rate-limit-redis');  
const limiter = rateLimit({  
  store: new RedisStore({  
    redisURL: 'redis://localhost:6379'  
  }),  
  windowMs: 15 * 60 * 1000,  
  max: 100  
});
Enter fullscreen mode Exit fullscreen mode

Real-World Rules of Thumb

Endpoint Rate Limit Why
/login 10 requests/5 mins Stop brute force attacks
/api/search 100 requests/15 mins Prevent scraping
/public/data 500 requests/1 hour Fair usage for open APIs

What Rate Limiting Won’t Fix

  • Sophisticated DDoS attacks β†’ Use Cloudflare/WAF.
  • Auth bypass exploits β†’ Validate inputs properly.
  • Bots pretending to be humans β†’ Add CAPTCHA.

TL;DR:

  1. npm install express-rate-limit
  2. Copy-paste the 5-line snippet.
  3. Sleep better knowing your API isn’t being abused.

Your Move:

  1. Add rate-limiting to your most abused endpoint today.
  2. Test with curl -X POST http://localhost:3000/login -v (watch HTTP 429s!).

Tag the dev whose API is being used as a punching bag. They need this.

Free Toolkit:

Rate limiting war story? Share below! Let’s swap battle scars. πŸ’₯

Top comments (0)