DEV Community

Alex Aslam
Alex Aslam

Posted on

Stop API Abuse Dead in Its Tracks: Rate Limiting with `express-rate-limit` ๐Ÿšฆ๐Ÿ”’

#webdev #programming #javascript #automation

Your API is getting hammered. Some script kiddie is brute-forcing your /login endpoint. Your cloud bill is skyrocketing because of one rogue client. Youโ€™re this close to rage-quitting DevOps forever.

Breathe. express-rate-limit is here to save your sanityโ€”with just 5 lines of code. Letโ€™s lock things down.

Why Rate Limit? (The Brutal Truth)

  • Stop brute-force attacks โ†’ No more admin:password attempts.
  • Prevent DDoS โ†’ Avoid becoming a victim of someone elseโ€™s script.
  • Save $$$ โ†’ Fewer requests = lower cloud bills.
  • Fair usage โ†’ Protect your API for real users.

Installation (Quick Start) 

npm install express-rate-limit
Enter fullscreen mode Exit fullscreen mode

Basic Protection (5 Lines of Code) 

const rateLimit = require('express-rate-limit');  

const limiter = rateLimit({  
  windowMs: 15 * 60 * 1000, // 15 minutes  
  max: 100, // Limit each IP to 100 requests per window  
  message: 'Too many requests, please try again later.'  
});  

app.use(limiter); // Apply to all routes
Enter fullscreen mode Exit fullscreen mode

โœ… Instantly blocks:

  • Brute-force attacks
  • Runaway scripts
  • API spam

Advanced Tactics (For Paranoid Devs)

1. Targeted Rate Limiting 

// Only limit /login  
app.post('/login', limiter, (req, res) => { ... });
Enter fullscreen mode Exit fullscreen mode

2. Stricter Rules for Sensitive Routes 

const strictLimiter = rateLimit({  
  windowMs: 5 * 60 * 1000, // 5 minutes  
  max: 10, // 10 requests max  
  message: 'Slow down! Too many login attempts.'  
});  

app.post('/login', strictLimiter);
Enter fullscreen mode Exit fullscreen mode

3. Bypass for Trusted IPs (Internal Services) 

const limiter = rateLimit({  
  windowMs: 15 * 60 * 1000,  
  max: 100,  
  skip: (req) => req.ip === '192.168.1.1' // Bypass for internal IP  
});
Enter fullscreen mode Exit fullscreen mode

4. Redis Backend (For Distributed Apps) 

npm install rate-limit-redis
Enter fullscreen mode Exit fullscreen mode 
const RedisStore = require('rate-limit-redis');  
const limiter = rateLimit({  
  store: new RedisStore({  
    redisURL: 'redis://localhost:6379'  
  }),  
  windowMs: 15 * 60 * 1000,  
  max: 100  
});
Enter fullscreen mode Exit fullscreen mode

Real-World Rules of Thumb

Endpoint Rate Limit Why
/login 10 requests/5 mins Stop brute force attacks
/api/search 100 requests/15 mins Prevent scraping
/public/data 500 requests/1 hour Fair usage for open APIs

What Rate Limiting Wonโ€™t Fix

  • Sophisticated DDoS attacks โ†’ Use Cloudflare/WAF.
  • Auth bypass exploits โ†’ Validate inputs properly.
  • Bots pretending to be humans โ†’ Add CAPTCHA.

TL;DR:

  1. npm install express-rate-limit
  2. Copy-paste the 5-line snippet.
  3. Sleep better knowing your API isnโ€™t being abused.

Your Move:

  1. Add rate-limiting to your most abused endpoint today.
  2. Test with curl -X POST http://localhost:3000/login -v (watch HTTP 429s!).

Tag the dev whose API is being used as a punching bag. They need this.

Free Toolkit:

Rate limiting war story? Share below! Letโ€™s swap battle scars. ๐Ÿ’ฅ

Top comments (0)