Backend security isn’t optional; it is the foundation of any reliable application. No matter how good your features are, a vulnerable backend can expose sensitive data, allow abuse, or even bring your entire system down. This is exactly why we use rate limiting to prevent abuse, CORS to control access, and Helmet to secure our application at the protocol level.
For day 46, the goal was to understand what rate limiting, CORS, and helmet are and why they are used.
What is Rate Limiting?
Rate limiting restricts how many requests a client can make to your server within a specific time window.
Why it matters
It protects your API from:
- Brute-force attacks
- DDoS attempts
- API abuse
Example (Express.js)
import express from "express";
import rateLimit from "express-rate-limit";
const app = express();
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100, // limit each IP
message: "Too many requests, please try again later."
});
app.use(limiter);
app.get("/", (req, res) => {
res.send("Hello World!");
});
app.listen(3000);
Use Cases
- Login endpoints (prevent brute force)
- Public APIs (avoid spam)
- Password reset routes
🌐 What is CORS?
CORS (Cross-Origin Resource Sharing) controls which domains can access your backend.
Why it matters
Browsers block requests from unknown origins by default, CORS lets you define who is allowed.
Example (Express.js)
import cors from "cors";
app.use(cors({
origin: "https://yourfrontend.com",
methods: ["GET", "POST"],
credentials: true
}));
Use Cases
- Allow frontend (React/Vue) to talk to backend
- Restrict API access to trusted domains
- Enable secure cookie sharing
🛡️ What is Helmet?
Helmet helps secure your app by setting various HTTP headers.
Why it matters
It protects against:
- XSS (Cross-Site Scripting)
- Clickjacking
- MIME sniffing
💻 Example (Express.js)
import helmet from "helmet";
app.use(helmet());
Use Cases
- Add security headers automatically
- Prevent common web vulnerabilities
- Harden production APIs
⚡ Using Rate Limiting, CORS & Helmet Together
When combined, these tools create a strong security layer.
Combined Use Cases
- Protect login routes from brute-force + restrict origin + secure headers
- Secure public APIs from abuse and unauthorized access
- Build production-ready backend for SaaS apps
- Prevent bots while allowing only trusted frontend apps
🌍 Real-World Example: Secure Login API
Let’s say you're building a login system for a web app.
🎯 Goals
- Prevent brute-force attacks → Rate Limiting
- Allow only your frontend → CORS
- Secure headers → Helmet
Full Example
import express from "express";
import rateLimit from "express-rate-limit";
import cors from "cors";
import helmet from "helmet";
const app = express();
// 1. Helmet (Security Headers)
app.use(helmet());
// 2. CORS (Allow only frontend)
app.use(cors({
origin: "https://myfrontend.com",
methods: ["POST"],
credentials: true
}));
// 3. Rate Limiting (Protect login)
const loginLimiter = rateLimit({
windowMs: 10 * 60 * 1000, // 10 minutes
max: 5, // only 5 attempts
message: "Too many login attempts, try again later"
});
app.use(express.json());
// Login Route
app.post("/login", loginLimiter, (req, res) => {
const { username, password } = req.body;
if (username === "admin" && password === "1234") {
return res.send("Login successful");
}
res.status(401).send("Invalid credentials");
});
app.listen(3000, () => console.log("Server running on port 3000"));
What’s happening here?
- Helmet → protects headers automatically
-
CORS → only allows requests from
myfrontend.com - Rate Limiting → blocks repeated login attempts
This setup significantly reduces attack surfaces.
Final Thoughts
In one line:
- Rate Limiting → prevents abuse
- CORS → controls who can access your API
- Helmet → secures HTTP headers
Backend security isn’t about adding one tool; it is about layering protections. Rate limiting defends against abuse, CORS ensures controlled access, and Helmet strengthens your app at the protocol level. Together, they form a simple yet powerful security baseline for any modern backend.
If you’re building APIs and not using these yet, you’re leaving doors open that attackers are actively looking for.
Thanks for reading. Feel free to share your thoughts!
Top comments (0)