Rate limiting in Node.js is used to control how many requests a client can make in a given time, helping prevent DoS attacks, brute-force attempts, and API abuse.
1. Using express-rate-limit (Most Common)
The easiest way is to use the express-rate-limit middleware.
Installation
```bash
npm install express-rate-limit
```
Basic Implementation
```javascript
const express = require("express");
const rateLimit = require("express-rate-limit");

const app = express();

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // window length: 15 minutes
  max: 100,                 // limit each IP to 100 requests per window
  message: "Too many requests, please try again later"
});

// Applied globally: every route goes through the limiter
app.use(limiter);
```
👉 Limits each IP to 100 requests per 15 minutes
2. Apply Rate Limit on Specific Routes
Instead of applying globally, you can protect sensitive routes like login.
```javascript
// Only this route is limited; the limiter from above is passed as route middleware
app.post("/login", limiter, (req, res) => {
  res.send("Login route");
});
```
👉 Prevents brute-force attacks
3. Advanced Configuration
```javascript
const rateLimit = require("express-rate-limit");

const limiter = rateLimit({
  windowMs: 10 * 60 * 1000, // 10 minutes
  max: 50,                  // 50 requests per IP per window
  standardHeaders: true,    // send RateLimit-Limit / RateLimit-Remaining / RateLimit-Reset
  legacyHeaders: false,     // do not send the older X-RateLimit-* headers
});
```
- standardHeaders → sends the standard RateLimit-* response headers, so clients can see their limit, remaining budget, and reset time
- legacyHeaders → disables the older X-RateLimit-* headers
4. Using Redis for Scalable Rate Limiting
For production apps (multiple servers), store limits in Redis.
- Ensures consistent limits across instances
- Works well with load balancers
Libraries:
- rate-limit-redis
- ioredis
5. Custom Rate Limiting Logic
You can also build your own:
```javascript
// Per-IP counter kept in process memory
const requests = {};

app.use((req, res, next) => {
  const ip = req.ip;
  requests[ip] = (requests[ip] || 0) + 1;
  // The counter is never reset, so an IP is blocked forever once it passes 100
  if (requests[ip] > 100) {
    return res.status(429).send("Too many requests");
  }
  next();
});
```
👉 Not recommended for production (no expiry, no scaling)
6. Best Practices
- Apply stricter limits on:
  - Login APIs
  - OTP endpoints
- Combine with:
  - CAPTCHA
  - IP blocking
- Use a reverse proxy
- Use Redis for distributed systems
Real-world Example
- Login route → 5 requests/min
- Public APIs → 100 requests/15 min
- Admin APIs → stricter limits
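As an added example (not code from the article, and not express-rate-limit's or rate-limit-redis's own code), here is a store-backed fixed-window limiter that fixes the two problems of the custom snippet in section 5 (no expiry, no reset between windows) and applies the per-route budgets from the real-world example above. The names MemoryStore, RateLimiter, POLICIES and demo, the admin limit of 20 requests per minute, and the sample IP addresses are assumptions made for this example. The store's increment() contract mirrors the INCR + expire pattern a Redis store uses, so swapping in a shared store is what makes the limits consistent across several instances.

```javascript
// Added example: fixed-window rate limiting with expiring counters,
// written as plain functions so it runs without Express or Redis.

// Store contract: increment(key, windowMs) -> { hits, resetAt }.
// A Redis-backed store implements this with INCR plus a TTL set on the
// first hit of a window; this in-memory version keeps the same contract
// and expires entries itself. The clock is injectable for testing.
class MemoryStore {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.entries = new Map(); // key -> { hits, resetAt }
  }
  increment(key, windowMs) {
    const t = this.now();
    let e = this.entries.get(key);
    if (!e || e.resetAt <= t) {
      // First hit, or the previous window has expired: start a fresh window
      e = { hits: 0, resetAt: t + windowMs };
      this.entries.set(key, e);
    }
    e.hits += 1;
    return { hits: e.hits, resetAt: e.resetAt };
  }
  // Drop expired windows (Redis does this through key TTLs)
  prune() {
    const t = this.now();
    for (const [k, e] of this.entries) {
      if (e.resetAt <= t) this.entries.delete(k);
    }
  }
}

// Per-route budgets from the article's real-world example
// (admin value is an assumption: "stricter" is not quantified in the article)
const POLICIES = {
  login:  { windowMs: 60 * 1000,      max: 5 },
  public: { windowMs: 15 * 60 * 1000, max: 100 },
  admin:  { windowMs: 60 * 1000,      max: 20 },
};

class RateLimiter {
  constructor(store, policies = POLICIES) {
    this.store = store;
    this.policies = policies;
  }
  // Returns the allow/deny decision plus the headers that
  // express-rate-limit's standardHeaders option would emit.
  check(policyName, ip) {
    const p = this.policies[policyName];
    if (!p) throw new Error(`unknown policy: ${policyName}`);
    // Key by policy AND client, so a login burst never consumes the public-API budget
    const { hits, resetAt } = this.store.increment(`${policyName}:${ip}`, p.windowMs);
    const resetSec = Math.max(1, Math.ceil((resetAt - this.store.now()) / 1000));
    const allowed = hits <= p.max;
    const headers = {
      "RateLimit-Limit": String(p.max),
      "RateLimit-Remaining": String(Math.max(0, p.max - hits)),
      "RateLimit-Reset": String(resetSec),
    };
    if (!allowed) headers["Retry-After"] = String(resetSec);
    return { allowed, status: allowed ? 200 : 429, headers };
  }
}

// Stand-alone demo with a fake clock: six login attempts from one constructed
// IP address within a minute, then one more after the window has expired.
function demo() {
  let t = 0;
  const store = new MemoryStore(() => t);
  const limiter = new RateLimiter(store);
  const statuses = [];
  for (let i = 0; i < 6; i++) {
    statuses.push(limiter.check("login", "203.0.113.7").status);
  }
  t = 61 * 1000; // advance past the 1-minute login window
  statuses.push(limiter.check("login", "203.0.113.7").status);
  store.prune();
  return statuses; // sixth attempt is rejected, the one after the reset is allowed again
}
```

Keying the counter by policy and client is the design point worth copying: the sensitive login budget stays independent of the public-API budget, and the Retry-After header tells a legitimate client when it may try again instead of leaving it to guess.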
Key Takeaway
Rate limiting is essential for protecting your Node.js app. The best approach is using express-rate-limit for simplicity, and Redis-based solutions for scalability, ensuring your APIs remain secure and stable under heavy traffic.