Rate Limiting
TL;DR: Limit how many requests a client can make in a given window. Apply stricter limits on sensitive endpoints like login and password reset. It stops brute force attacks and reduces abuse.
A login endpoint with no rate limiting is an open invitation to brute force. An attacker can script thousands of password attempts per minute and eventually find the right one. Without any throttling, your app has no way to slow them down.
Rate limiting puts a ceiling on how many requests a client can make in a given time window. Hit the ceiling and they get a 429 response. Wait for the window to reset, and they can try again.
The limits should match the endpoint. A public search API might reasonably allow 100 requests per minute. A login endpoint probably shouldn’t allow more than 10. A password reset endpoint even fewer.
```javascript
const rateLimit = require('express-rate-limit');

// Baseline limit for the general API: 100 requests per client per 15 minutes.
const apiLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  limit: 100                // requests per window; excess gets a 429
});

// Apply it to every route under /api/.
app.use('/api/', apiLimiter);
```
A few things worth getting right: use IP-based limiting as a baseline, but combine it with user-based limiting for authenticated routes, since attempts against a single account can be spread across many IPs. And make sure your limits are not so aggressive that they block real users during normal usage spikes.
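To make the per-endpoint limits and the IP-plus-account keying concrete, here is an added example that is not code from the original post: a small dependency-free fixed-window limiter that returns 200 or 429 the way the middleware above would. The route prefixes, limits and the `RateLimiter` class are assumptions for illustration, and the clock is injectable so window resets can be checked without waiting.

```javascript
// Added example, not code from the original post: a dependency-free
// fixed-window limiter with per-endpoint policies, keyed on client IP as
// a baseline and additionally on the account for authenticated routes.
const POLICIES = [ // illustrative values, most specific prefix first
  { prefix: '/login', windowMs: 15 * 60 * 1000, limit: 10 },
  { prefix: '/password-reset', windowMs: 60 * 60 * 1000, limit: 3 },
  { prefix: '/api/', windowMs: 15 * 60 * 1000, limit: 100 },
];

class RateLimiter {
  // `now` is injectable so window resets can be exercised without waiting.
  constructor(policies = POLICIES, now = () => Date.now()) {
    this.policies = policies;
    this.now = now;
    this.counters = new Map(); // key -> { windowStart, count }
  }

  policyFor(path) {
    // First matching prefix wins, so list the most specific routes first.
    return this.policies.find((p) => path.startsWith(p.prefix)) || null;
  }

  // Returns { status: 200, remaining } or { status: 429, retryAfterMs }.
  check(path, ip, user = null) {
    const policy = this.policyFor(path);
    if (!policy) return { status: 200, remaining: Infinity };
    // Every request counts against the IP; authenticated requests also
    // count against the account, so spreading guesses over many IPs
    // does not buy unlimited attempts at a single account.
    const keys = [`${policy.prefix}|ip:${ip}`];
    if (user) keys.push(`${policy.prefix}|user:${user}`);
    const t = this.now();
    let result = { status: 200, remaining: policy.limit };
    for (const key of keys) {
      let c = this.counters.get(key);
      if (!c || t - c.windowStart >= policy.windowMs) {
        c = { windowStart: t, count: 0 }; // new or expired window
        this.counters.set(key, c);
      }
      c.count += 1; // blocked requests still count toward the window
      if (c.count > policy.limit) {
        result = { status: 429, retryAfterMs: c.windowStart + policy.windowMs - t };
      } else if (result.status === 200) {
        result.remaining = Math.min(result.remaining, policy.limit - c.count);
      }
    }
    return result;
  }
}
```

In production the counters would live in a shared store such as Redis rather than process memory, so every app instance sees the same counts.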
Further reading: OWASP Rate Limiting Cheat Sheet