Implementing rate limiting for API endpoints in Express.js

17 Sep 2023

Rate limiting is a crucial aspect of any API implementation to protect server resources and prevent abuse. In this blog post, we will discuss how to implement rate limiting for API endpoints in Express.js using the express-rate-limit middleware.

What is Rate Limiting?

Rate limiting is a technique used to control the rate of incoming requests to an API. It sets a limit on the number of requests an API client can make within a specific time period. By implementing rate limiting, you can prevent malicious or abusive requests, distribute server load, and ensure fair resource allocation.

Installing the Express Rate Limit Middleware

First, let’s install the express-rate-limit middleware package using npm:

npm install express-rate-limit

Implementing Rate Limiting in Express.js

To implement rate limiting in your Express.js application, follow these steps:

Require the express-rate-limit package at the top of your JavaScript file:

const rateLimit = require("express-rate-limit");

Create a rate limiter using the rateLimit middleware:

const limiter = rateLimit({
  windowMs: 60 * 1000, // 1 minute
  max: 100, // maximum of 100 requests per windowMs
});

In the above example, we set a limit of 100 requests per minute.

Apply the rate limiter to your desired API endpoint(s):

app.use("/api/endpoint", limiter);

Replace /api/endpoint with the actual path of your API endpoint.

Customizing Rate Limit Settings

The rateLimit middleware provides various options to customize rate limit settings. Here are a few common options:

windowMs: The time window in milliseconds during which the requests are counted. For example, 60 * 1000 represents a window of 1 minute.
max: The maximum number of requests allowed within the defined time window.
message: The response message sent to the client when the rate limit is exceeded.

You can find more options and details in the official documentation.

Handling Rate Limit Exceeded Errors

By default, when a client exceeds the rate limit, the express-rate-limit middleware responds with a 429 Too Many Requests status code. However, you can customize this behavior by handling the error in your Express.js application:

app.use((req, res, next) => {
  // Handle rate limit exceeded error
  if (req.rateLimitExceeded) {
    return res.status(429).json({ error: "Too Many Requests" });
  }
  next();
});

In the above example, we return a JSON response with a status code of 429 and an error message when the rate limit is exceeded.

Conclusion

Implementing rate limiting for API endpoints in Express.js is crucial to protect your server resources and ensure fair usage. By using the express-rate-limit middleware, you can easily set restrictions on the number of requests per time period. Customizing rate limit settings and handling rate limit exceeded errors provide additional control over the rate limiting behavior.

#expressjs #ratelimiting