Securing Node.Js Express App — Part 1 (Rate Limiting)

Lakshman Sundaram
3 min readApr 18, 2021

Rate-Limiting Node.Js Express App Routes

Assumption:

Assuming that you have created a basic express app by running express-generator command.

As Backend developers, We have to deal a lot with our REST API’s, the first point is to rate-limit the number of requests our application would receive. Hackers who are trying to slow down our services, would launch a DDOS attack to one/more of our endpoints, which in turn would slow down our other actual user requests.

A better way to mitigate this issue(not completely eliminate), would be to rate-limit the number of requests per IP for a specified amount of time. For this purpose npm has actually provided us with a package named “express-rate-limit”. Install this particular package by running the command in your project’s root directory.

npm install --save express-rate-limit

What we have done so far is that, we have installed the package. After installation include it in your app.js file by the following commands:

const rateLimit = require("express-rate-limit");
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100 // limit each IP to 100 requests per windowMs
});
app.use(limiter);

The first command imports the library. The second is where, we actually set the parameters, for a period of 15 minutes. Alter this value as per your requirement. The third command is where we ask the express to actually use the configuration.

With the above configuration, express would now use this rate-limiting as the default configuration for all our routes.

Working:

If within a span of 15 minutes, if more than 100 requests are coming from the same client IP, the particular client IP gets blocked. Further requests from that client IP will receive a 429 Too Many Requests Response. After 15 minutes, the requests will now start to work as usual.(Client IP will be unblocked)

Now here comes a use-case, where I wanted to apply two different timeline-limit from two different routes. The npm package has actually provided us an option to do-that also.

It is as simple as that to create 2 instances of our rate-limiter-config and apply to 2 different routes.

const getLimiterConfig = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 10 // limit each IP to 10 requests per windowMs
});
app.get("/api/", getLimiterConfig);
const postLimiterConfig = rateLimit({
windowMs: 5 * 60 * 1000, // 5 minutes
max: 25 // limit each IP to 25 requests per windowMs
});
app.post("/api/", postLimiterConfig);

Now what we have done is that my get route will be running with the first configuration and my post route will be running with the second configuration.

i.e: If within a span of 15 minutes, if more than 10 GET requests are coming from the same client IP, the particular client IP gets blocked for GET requests. Whereas the post request from the same client IP will continue to work. After 15 minutes, the GET request will now start to work as usual for that particular IP which was blocked earlier.

And if more than 25 POST requests are coming from the same IP, the particular IP gets blocked only for that particular route.

Will be further extending this post for other security feature implementations in the upcoming days.

Happy Rate Limiting !!!

--

--