Rate Limiting
Protect your API with rate limiting. Prevent abuse and DDoS attacks.
Why Rate Limiting?
Without rate limiting:
- Users can spam your API
- DDoS attacks can crash your server
- Costs increase from excessive requests
- The database gets overloaded
Setup
```bash
npm install express-rate-limit
```
Basic Rate Limiting
```javascript
const express = require('express');
const rateLimit = require('express-rate-limit');

const app = express();

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // each client (keyed by IP) may make 100 requests per window
  message: 'Too many requests, please try again later',
  standardHeaders: true, // send the RateLimit-Limit/-Remaining/-Reset headers
  legacyHeaders: false, // do not send the older X-RateLimit-* headers
});

// Applies to every route registered after this line
app.use(limiter);
```
**Explanation:**
- `windowMs`: Time window (15 minutes)
- `max`: Max requests per window (100)
- A user can make 100 requests in 15 minutes; the 101st gets a 429 response with the configured message
Different Limits for Different Routes
```javascript
// Stricter limit for authentication: 5 attempts per 15 minutes per client
const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 5,
  message: 'Too many login attempts',
});

app.post('/login', authLimiter, async (req, res) => {
  // login handler
});

// Looser limit for read-only endpoints: 100 requests per minute
const readLimiter = rateLimit({ windowMs: 60 * 1000, max: 100 });

app.get('/api/products', readLimiter, async (req, res) => {
  // product listing handler
});
```
Redis Store for Multiple Servers
```javascript
// rate-limit-redis v4 API: the store takes a sendCommand callback
// (older v2 releases took a `client:` option instead)
const { RedisStore } = require('rate-limit-redis');
const { createClient } = require('redis');

const redisClient = createClient();
redisClient.connect(); // returns a promise; await it before accepting traffic

const limiter = rateLimit({
  // Counters live in Redis, so every server instance shares one count per client
  store: new RedisStore({
    sendCommand: (...args) => redisClient.sendCommand(args),
    prefix: 'rl:',
  }),
  windowMs: 15 * 60 * 1000,
  max: 100,
});

app.use(limiter);
```
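To make the `windowMs`/`max` semantics and the multi-server point concrete, here is an added example that is not express-rate-limit's own code: a minimal fixed-window limiter with an injectable clock, and a simulation showing that two servers with private in-memory counters effectively double the limit, while a shared store keeps it exact. `MemoryStore`, `createLimiter` and `simulateRoundRobin` are names invented for this example.

```javascript
// Added example, not express-rate-limit's code; the names below are this example's own.

class MemoryStore {
  constructor() { this.hits = new Map(); } // key -> { count, resetTime }
  // Count one hit for `key`, starting a fresh window if the old one expired.
  increment(key, windowMs, now) {
    let rec = this.hits.get(key);
    if (!rec || now >= rec.resetTime) {
      rec = { count: 0, resetTime: now + windowMs };
      this.hits.set(key, rec);
    }
    rec.count += 1;
    return rec;
  }
}

// Returns a check(key, now) function; `now` is injectable so time can be moved in tests.
function createLimiter({ windowMs, max, store = new MemoryStore() }) {
  return function check(key, now = Date.now()) {
    const { count, resetTime } = store.increment(key, windowMs, now);
    return {
      allowed: count <= max,
      // Same values express-rate-limit puts in RateLimit-Limit/-Remaining/-Reset
      limit: max,
      remaining: Math.max(0, max - count),
      resetSeconds: Math.ceil((resetTime - now) / 1000),
    };
  };
}

// Spread `requests` from one client across several server instances (round-robin).
function simulateRoundRobin(limiters, key, requests, now) {
  let allowed = 0;
  for (let i = 0; i < requests; i++) {
    if (limiters[i % limiters.length](key, now).allowed) allowed += 1;
  }
  return allowed;
}

// Two servers with private counters let 200 of 200 requests through (limit x2);
// two servers sharing one store stop at 100. 203.0.113.7 is a constructed client IP.
const opts = { windowMs: 60 * 1000, max: 100 };
const shared = new MemoryStore();
const separate = simulateRoundRobin([createLimiter(opts), createLimiter(opts)], '203.0.113.7', 200, 0);
const withShared = simulateRoundRobin(
  [createLimiter({ ...opts, store: shared }), createLimiter({ ...opts, store: shared })], '203.0.113.7', 200, 0);
console.log({ separate, withShared }); // { separate: 200, withShared: 100 }
```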
Key Takeaway
Always use rate limiting in production. Use different limits for different routes, with stricter limits on auth endpoints. Use a Redis store when running multiple servers, so every instance counts against the same limit.