Implementing Rate Limiting in Node.js with Express and TypeScript

Introduction

Rate limiting is a fundamental mechanism for controlling the number of requests a client can make to a server in a given time frame. In a world where more than 30% of web traffic comes from malicious bots, that proactive strategy is critical to protect servers from abuse.

What Is Rate Limiting?

• Rate limiting is a strategy for limiting network traffic by placing a cap on how often an actor can call the same API in a given time frame. That's essential for controlling the volume of requests a client can make to a server in a certain amount of time.

• To better understand how this mechanism works, consider a scenario where you have a Node.js backend that exposes some public endpoints. Suppose a malicious user targets your server and writes a simple script to overload it with automated requests. The performance of your server will downgrade as a result, hindering the experience of all other users. In an extreme situation, your server may even go offline. By limiting the number of requests the same IP can make in a given time frame, you can avoid all that!

Specifically, there are two approaches to rate limiting:

• Blocking incoming requests: When a client exceeds the defined limits, deny its additional requests.

• Slowing down requests: Introduce a delay for requests beyond the limits, making the caller wait longer and longer for a response.

  Why You Need API Rate Limiting in Node.js

• Implementing API rate limiting is crucial for maintaining stability, security, and fair usage of your Node.js application. In particular, controlling the rate at which requests are processed helps enforce usage limits, prevents server overloads, and safeguards against malicious attacks.

Here's a closer look at scenarios where limiting requests in Node.js is especially useful:

• Anti-bot and anti-scraping measures: Limiting the frequency of requests from a single source helps mitigate bot activity. Automated scripts might overload your public endpoints with a high volume of traffic, but rate limiting the incoming requests is an effective defense against that malicious behavior.
• DoS attack prevention: Rate limiting is a key strategy to protect your backend against DoS (Denial of Service) attacks. By restricting the rate at which requests are accepted, you can reduce the impact of large-scale, coordinated attacks that attempt to overwhelm your server infrastructure.
• Implementing limitations for paid plans: For applications offering different subscription tiers, rate limiting enables you to enforce usage limits based on a user's plan. This ensures that users can access resources only as frequently as determined by their plan

In the following two sections, you'll learn how to integrate rate limiting behavior into a Node.js application using the following libraries:

• express-rate-limit: To block requests that exceed specified limits.
• express-slow-down: To slow down similar requests coming from the same actor. Let's dive in!

Blocking Requests With express-rate-limit in Node.js Follow the steps below to block excess requests in your Node.js backend using express-rate-limit.

Getting Started

express-rate-limit is an npm library that provides a rate limiting middleware for Express, so it's easier to limit repeated requests to all APIs or only to specific endpoints. The middleware allows you to control how many requests the same user can make to the same endpoints before an application starts returning 429 Too Many Requests errors.

   npm install express-rate-limit

import { rateLimit } from "express-rate-limit";

const limiter = rateLimit({
  windowMs: 5 * 60 * 1000, // 5 minutes
  limit: 10, // each IP can make up to 10 requests per `windowsMs` (5 minutes)
  standardHeaders: true, // add the `RateLimit-*` headers to the response
  legacyHeaders: false, // remove the `X-RateLimit-*` headers from the response
});

app.use(limiter);

app.use("/public", limiter);

app.get("/hello-world", limiter, (req, res) => {
  // ...
});

import express from "express";
import rateLimit from "express-rate-limit";
// ... other imports
 
const app = express();
 
// Configure general rate limiter
const generalLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // Limit each IP to 100 requests per windowMs
  standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
  legacyHeaders: false, // Disable the `X-RateLimit-*` headers
});
 
// Apply general rate limiter to all requests
app.use(generalLimiter);
 
// Configure stricter rate limiter for sensitive operations
const strictLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 50, // Limit each IP to 50 requests per windowMs
  standardHeaders: true,
  legacyHeaders: false,
});
 
// Apply stricter rate limit to sensitive routes
app.use("/api/v1/sale", strictLimiter);
app.use("/api/v1/user", strictLimiter);
app.use("/api/v1/expense", strictLimiter);
 
// ... rest of your route configurations
 
app.use("/api/v1", customerRouter);
app.use("/api/v1", userRouter);
app.use("/api/v1", shopRouter);
// ... other routes
 
// Custom error handler for rate limiting
app.use(
  (
    err: any,
    req: express.Request,
    res: express.Response,
    next: express.NextFunction
  ) => {
    if (err instanceof rateLimit.RateLimitExceeded) {
      return res.status(429).json({
        error: "Too many requests, please try again later.",
      });
    }
    next(err);
  }
);
 
app.listen(PORT, () => {
  console.log(`Server is running on http://localhost:${PORT}`);
});

npm install express-slow-down

import { rateLimit } from "express-slow-down";

const limiter = slowDown({
  windowMs: 15 * 60 * 1000, // 5 minutes
  delayAfter: 10, // allow 10 requests per `windowMs` (5 minutes) without slowing them down
  delayMs: (hits) => hits * 200, // add 200 ms of delay to every request after the 10th
  maxDelayMs: 5000, // max global delay of 5 seconds
});

app.use(limiter);