Basic rate-limiting middleware for Express. Use it to limit access to public, unauthenticated endpoints such as account creation and password reset, where unthrottled requests would let an attacker enumerate users or brute-force tokens.
Note: this module keeps its hit counts in process memory and does not share state with other processes/servers, so behind a load balancer or in a cluster each instance counts separately and a client gets `max` hits per instance. If you need a more robust solution, I recommend checking out the excellent strict-rate-limiter.
$ npm install --save express-rate-limit
var RateLimit = require('express-rate-limit');
app.enable('trust proxy'); // only if you're behind a reverse proxy (Heroku, Bluemix, AWS if you use an ELB, custom Nginx setup, etc). Without a proxy in front of you, enabling this lets any client set X-Forwarded-For and pick its own IP, which defeats a per-IP limit.
// default options shown below
var limiter = RateLimit({
// window, delay, and max apply per-ip unless global is set to true
windowMs: 60 * 1000, // milliseconds - how long to keep records of requests in memory
delayMs: 1000, // milliseconds - base delay applied to the response - multiplied by number of recent hits from user's IP
max: 5, // max number of recent connections during `windowMs` milliseconds before (temporarily) blocking the user.
global: false, // if true, IP address is ignored and the setting is applied equally to all requests
message: 'You have been very naughty.. No API response for you!!' // if message is set, the provided message will be shown instead of `Too many requests, please try again later.`
});
// for an API-only web app, you can apply this globally
app.use(limiter);
// for a "regular" website, apply this only to specific endpoints
app.post('/create-account', limiter, function(req, res) {
// ...
});
You could apply this globally on a regular website, but be aware that it would then count every request for images, CSS, etc. against the same per-IP budget, so a single page load could exhaust `max` for a legitimate user. I wouldn't recommend it.
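To make the window / delay / max semantics and the trust-proxy caveat concrete, here is an added, self-contained example (not express-rate-limit's own code) of a per-IP limiter written as Express-style `(req, res, next)` middleware and driven with constructed stub request/response objects, so it runs without an Express app. The `trustProxy` option, the `clientIp` helper, the `decide` method and the exact delay formula (first hit in a window undelayed, each further hit adds `delayMs`) are assumptions made for this illustration; the option names otherwise follow the README.

```javascript
'use strict';

// Resolve the client address used as the limit key. X-Forwarded-For is only
// honoured when trustProxy is true: without a proxy in front of the app the
// header is client-controlled, and honouring it lets a caller choose a fresh
// "IP" per request and never reach the per-IP limit. (Express's req.ip applies
// the same rule under app.enable('trust proxy'); this helper is an assumption.)
function clientIp(req, trustProxy) {
  const xff = req.headers && req.headers['x-forwarded-for'];
  if (trustProxy && xff) {
    // With exactly one trusted proxy, the last entry is the one that proxy
    // appended from the TCP connection; earlier entries may be client-supplied.
    const chain = xff.split(',').map((s) => s.trim()).filter(Boolean);
    return chain[chain.length - 1];
  }
  return req.socket.remoteAddress;
}

// Build Express-style middleware using the option names the README documents.
// `trustProxy` is a hypothetical option added so this example can show IP
// resolution without an Express app.
function createRateLimiter(opts) {
  const options = Object.assign({
    windowMs: 60 * 1000,
    delayMs: 1000,
    max: 5,
    global: false,
    trustProxy: false,
    message: 'Too many requests, please try again later.',
  }, opts || {});

  // key -> { count, resetAt }. Lives in this process only, which is exactly the
  // limitation the README warns about: each worker or server counts separately.
  const hits = new Map();

  // Pure decision step, kept separate from the middleware so it can be driven
  // with fixed timestamps. Assumed semantics: the first hit in a window is not
  // delayed, each further hit adds delayMs, and hit max+1 onwards is rejected
  // until the window expires and the record is recreated.
  function decide(key, now) {
    let rec = hits.get(key);
    if (!rec || now >= rec.resetAt) {
      rec = { count: 0, resetAt: now + options.windowMs };
      hits.set(key, rec);
    }
    rec.count += 1;
    if (rec.count > options.max) {
      return { blocked: true, delayMs: 0, count: rec.count };
    }
    return { blocked: false, delayMs: options.delayMs * (rec.count - 1), count: rec.count };
  }

  function middleware(req, res, next) {
    const key = options.global ? '*' : clientIp(req, options.trustProxy);
    const verdict = decide(key, Date.now());
    if (verdict.blocked) {
      res.status(429).send(options.message);
      return;
    }
    if (verdict.delayMs > 0) {
      setTimeout(next, verdict.delayMs); // slow the client down before handling
    } else {
      next();
    }
  }

  middleware.decide = decide; // exposed for inspection and testing
  middleware.reset = () => hits.clear();
  return middleware;
}

// Constructed stand-ins for Express's req/res, just enough to drive the middleware.
function stubRequest(remoteAddress, headers) {
  return { headers: headers || {}, socket: { remoteAddress: remoteAddress } };
}
function stubResponse() {
  return {
    code: null,
    body: null,
    status(c) { this.code = c; return this; },
    send(b) { this.body = b; return this; },
  };
}

// Demo: three hits from one constructed address against max: 2. Hit 2 is
// released after delayMs, so its line prints after hit 3's rejection.
const demo = createRateLimiter({ windowMs: 60 * 1000, delayMs: 10, max: 2 });
for (let i = 1; i <= 3; i += 1) {
  const res = stubResponse();
  demo(stubRequest('192.0.2.10'), res, () => console.log('hit', i, 'passed'));
  if (res.code !== null) console.log('hit', i, 'rejected with', res.code, res.body);
}
```

The `global: true` case keys every request on a single shared bucket, so one noisy client can exhaust the budget for everyone; keep it for API-only deployments where that trade-off is acceptable.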
MIT © Nathan Friedly