Node.js · 6 min read

Rate Limiting

Protect your API with rate limiting. Prevent abuse and DDoS attacks.

Sarah Chen
December 19, 2025

Why Rate Limiting?

Without rate limiting:

  • Users can spam your API
  • DDoS attacks can crash your server
  • Costs increase from excessive requests
  • Database gets overloaded

Setup

npm install express-rate-limit

Basic Rate Limiting

const express = require('express');
const rateLimit = require('express-rate-limit');

const app = express();

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000,   // 15-minute window
  max: 100,                   // 100 requests per client per window
  message: 'Too many requests, please try again later',   // body of the 429 response
  standardHeaders: true,      // send RateLimit-Limit / RateLimit-Remaining / RateLimit-Reset
  legacyHeaders: false        // drop the older X-RateLimit-* headers
});

app.use(limiter);   // applies to every route registered after this line

Explanation:

  • windowMs: length of the time window (15 minutes)
  • max: maximum requests per client per window (100)
  • standardHeaders / legacyHeaders: send the standard RateLimit-* response headers and drop the older X-RateLimit-* ones
  • Each client (keyed by IP address by default) can make 100 requests in 15 minutes; further requests in that window receive HTTP 429 with the configured message

Different Limits for Different Routes

// Login is a password-guessing target, so allow only 5 attempts per client per 15 minutes
const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 5,
  message: 'Too many login attempts'
});

app.post('/login', authLimiter, async (req, res) => {
  // authenticate the user here
  res.json({ ok: true });
});

// Cheap read endpoint: 100 requests per minute is plenty for normal clients
const readLimiter = rateLimit({
  windowMs: 60 * 1000,
  max: 100
});

app.get('/api/products', readLimiter, async (req, res) => {
  // fetch and return products here
  res.json({ products: [] });
});

Redis Store for Multiple Servers

const rateLimit = require('express-rate-limit');
const { RedisStore } = require('rate-limit-redis');   // v3+ exports a named RedisStore
const { createClient } = require('redis');            // node-redis v4

const redisClient = createClient();                   // defaults to redis://localhost:6379
redisClient.connect().catch((err) => {
  console.error('Redis connection failed:', err);
  process.exit(1);
});

const limiter = rateLimit({
  store: new RedisStore({
    // rate-limit-redis v3+ takes a sendCommand function rather than a client object
    sendCommand: (...args) => redisClient.sendCommand(args),
    prefix: 'rl:'                                     // namespace for the counter keys in Redis
  }),
  windowMs: 15 * 60 * 1000,
  max: 100
});

// Counters now live in Redis, so every server instance enforces one shared limit
// instead of each keeping its own in-memory count.
app.use(limiter);
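The following is an added example, not code from the article or from express-rate-limit: a small fixed-window limiter with a pluggable store that shows (1) what windowMs and max mean and why the 101st request in a window gets a 429, (2) why separate limiter instances per route count independently, and (3) why per-process counters behind a load balancer multiply the effective limit while a shared store (the role the Redis store plays above) enforces it across all instances. All names (MemoryStore, createLimiter, the demo functions) and the client address 203.0.113.7 are constructed for this example; the store interface is a simplified stand-in, not express-rate-limit's real Store API.

```javascript
// Added example (not from the article or express-rate-limit). Hypothetical names throughout.

// A store maps a key (e.g. client IP) to a hit counter for the current window.
// Simplified stand-in for express-rate-limit's Store interface.
class MemoryStore {
  constructor() { this.hits = new Map(); }
  // Count one hit for `key`; open a fresh window if the previous one has expired.
  increment(key, windowMs, now) {
    let entry = this.hits.get(key);
    if (!entry || now >= entry.resetTime) {
      entry = { totalHits: 0, resetTime: now + windowMs };
      this.hits.set(key, entry);
    }
    entry.totalHits += 1;
    return { totalHits: entry.totalHits, resetTime: entry.resetTime };
  }
}

// Build a limiter. `now` is injectable so a test can advance the clock instead of waiting.
function createLimiter({ windowMs, max, store = new MemoryStore(), now = () => Date.now() }) {
  return function check(key) {
    const t = now();
    const { totalHits, resetTime } = store.increment(key, windowMs, t);
    const allowed = totalHits <= max;
    return {
      allowed,
      status: allowed ? 200 : 429,
      // Same information express-rate-limit sends with standardHeaders: true
      headers: {
        'RateLimit-Limit': max,
        'RateLimit-Remaining': Math.max(0, max - totalHits),
        'RateLimit-Reset': Math.ceil((resetTime - t) / 1000),
      },
    };
  };
}

// Send `n` requests from one client through a limiter and count how many got through.
function countAllowed(check, key, n) {
  let ok = 0;
  for (let i = 0; i < n; i++) if (check(key).allowed) ok++;
  return ok;
}

const CLIENT_IP = '203.0.113.7'; // constructed address from the documentation range

// Scenario 1: 15-minute window, max 100. The 101st request is rejected with 429,
// and the counter starts over once the window has elapsed.
function basicWindowDemo() {
  let clock = 0;
  const check = createLimiter({ windowMs: 15 * 60 * 1000, max: 100, now: () => clock });
  const inWindow = countAllowed(check, CLIENT_IP, 101); // 100 allowed, 1 rejected
  const last = check(CLIENT_IP);                         // still inside the window: 429
  clock += 15 * 60 * 1000;                               // advance past the window
  const afterReset = check(CLIENT_IP).allowed;           // new window: allowed again
  return { inWindow, lastStatus: last.status, afterReset };
}

// Scenario 2: a strict limit on the login route and a loose one on the read route.
// Each route has its own limiter instance, so the counts do not interfere.
function perRouteDemo() {
  const authLimiter = createLimiter({ windowMs: 15 * 60 * 1000, max: 5 });
  const readLimiter = createLimiter({ windowMs: 60 * 1000, max: 100 });
  return {
    loginsAllowed: countAllowed(authLimiter, CLIENT_IP, 20), // 5
    readsAllowed: countAllowed(readLimiter, CLIENT_IP, 20),  // 20
  };
}

// Scenario 3: two server processes behind a load balancer that alternates between them.
// With per-process stores each server counts on its own, so one client gets 2 * max
// requests in total. A store shared by both (what the Redis store provides) enforces max.
function multiServerDemo() {
  const opts = { windowMs: 15 * 60 * 1000, max: 100 };
  const runCluster = (serverA, serverB) => {
    let allowed = 0;
    for (let i = 0; i < 200; i++) {
      const check = i % 2 === 0 ? serverA : serverB; // load balancer alternates
      if (check(CLIENT_IP).allowed) allowed++;
    }
    return allowed;
  };
  const separateStores = runCluster(createLimiter({ ...opts }), createLimiter({ ...opts }));
  const shared = new MemoryStore();
  const sharedStore = runCluster(
    createLimiter({ ...opts, store: shared }),
    createLimiter({ ...opts, store: shared })
  );
  return { separateStores, sharedStore }; // 200 vs 100
}

console.log(basicWindowDemo(), perRouteDemo(), multiServerDemo());
```

The third scenario is the reason the article recommends a Redis store for multiple servers: the in-memory default is correct for one process, but behind a load balancer it silently doubles (or N-times) the limit a single client can reach.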

Key Takeaway

Always enable rate limiting in production. Give different routes different limits, with the strictest limits on authentication endpoints, and use a Redis store when you run more than one server so the limit is enforced across all instances rather than per process.

Tags: Node.js, Rate Limiting, Security, API