Rate limiting with express-rate-limit - Practice Problems & Coding Challenges

Challenge - 5 Problems
Component behavior (intermediate)
What happens when the rate limit is exceeded?

Consider this Express app using express-rate-limit:

const rateLimit = require('express-rate-limit');
const limiter = rateLimit({ windowMs: 60000, max: 3 });
app.use(limiter);
app.get('/', (req, res) => res.send('Hello'));

What response will the client receive after making 4 requests within one minute?

A. The 4th request returns status 429 with message 'Too many requests, please try again later.'
B. The 4th request returns status 200 with 'Hello' as usual.
C. The 4th request returns status 500 due to server error.
D. The 4th request is queued and delayed until the window resets.
Hint: Think about what max and windowMs control in rate limiting.

Syntax (intermediate)
Identify the syntax error in this rate limiter setup

Which option contains a syntax error when creating a rate limiter with express-rate-limit?

const rateLimit = require('express-rate-limit');
const limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100 });
app.use(limiter);
A. const limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100 });
B. const limiter = rateLimit({ windowMs: '15m', max: 100 });
C. const limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: '100' });
D. const limiter = rateLimit({ windowMs: 15 * 60 * 1000 max: 100 });
Hint: Look carefully at the object syntax inside the parentheses.

State output (advanced)
What is the value of the 'X-RateLimit-Remaining' header after 2 requests?

Given this rate limiter:

const limiter = rateLimit({ windowMs: 60000, max: 5 });
app.use(limiter);

After a client makes 2 requests within the window, what will the X-RateLimit-Remaining header value be in the response?

A. '5'
B. '2'
C. '3'
D. '0'
Hint: Remember the header shows how many requests remain before the limit is hit.

Debug (advanced)
Why does this rate limiter not block requests as expected?

Consider this code snippet:

const rateLimit = require('express-rate-limit');
const limiter = rateLimit({ windowMs: 60000, max: 2 });
app.get('/api', limiter, (req, res) => res.send('OK'));
app.get('/api', (req, res) => res.send('Fallback'));

Why might the rate limiter not block requests after 2 hits?

A. The limiter is not applied because max is too low.
B. The second route for '/api' overrides the first, bypassing the limiter.
C. The limiter middleware is missing next() call.
D. The windowMs value is too short to trigger blocking.
Hint: Think about how Express matches routes in order.

Conceptual (expert)
How to implement different rate limits per route using express-rate-limit?

You want to apply a strict rate limit on /login (max 5 requests per 10 minutes) and a looser limit on /api (max 100 requests per 15 minutes). Which setup correctly achieves this?

A. Create two limiters with different configs and apply each to its route separately.
B. Create one limiter with max 5 and apply it globally to all routes.
C. Create two limiters but apply only one to all routes.
D. Create one limiter with max 100 and apply it globally to all routes.
Hint: Think about how middleware can be applied per route.

Practice

1. What is the main purpose of using express-rate-limit in an Express app?
easy
A. To handle database connections efficiently
B. To speed up the server response time
C. To automatically restart the server on code changes
D. To limit the number of requests a user can make in a time window

Solution

  1. Step 1: Understand the purpose of rate limiting

    Rate limiting is used to protect the server by restricting how many requests a user can send in a short time.
  2. Step 2: Identify what express-rate-limit does

    This package helps set these limits easily in Express apps.
  3. Final Answer:

    To limit the number of requests a user can make in a time window -> Option D
  4. Quick Check:

    Rate limiting = limit requests [OK]
Hint: Rate limiting controls request count per time window [OK]
Common Mistakes:
  • Thinking it speeds up server responses
  • Confusing it with server restart tools
  • Assuming it manages database connections
2. Which of the following is the correct way to import and use express-rate-limit in an Express app?
easy
A. const rateLimit = require('express-rate-limit'); app.use(rateLimit({ windowMs: 60000, max: 5 }));
B. const rateLimit = require('express-rate-limit'); app.use(rateLimit());
C. import rateLimit from 'express-rate-limit'; app.use(rateLimit());
D. import rateLimit from 'express-rate-limit'; app.use(rateLimit);

Solution

  1. Step 1: Check import style for CommonJS

    Using require is correct for many Express apps.
  2. Step 2: Verify usage of rateLimit function with options

    We must call rateLimit with an options object like { windowMs: 60000, max: 5 } to set limits.
  3. Final Answer:

    const rateLimit = require('express-rate-limit'); app.use(rateLimit({ windowMs: 60000, max: 5 })); -> Option A
  4. Quick Check:

    Import + call with options = B [OK]
Hint: Call rateLimit with options object, not empty or missing [OK]
Common Mistakes:
  • Forgetting to call rateLimit as a function
  • Using import without proper setup
  • Passing rateLimit directly without options
3. Given this code snippet, what will happen if a user sends 7 requests within 1 minute?
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({ windowMs: 60000, max: 5 });
app.use(limiter);
medium
A. All 7 requests will be accepted without any limit
B. Only the first 2 requests will be accepted; the rest will be blocked
C. Only the first 5 requests will be accepted; the next 2 will be blocked
D. The server will crash after 5 requests

Solution

  1. Step 1: Understand the max and windowMs settings

    The limit is 5 requests per 60000 milliseconds (1 minute).
  2. Step 2: Analyze the request count

    The first 5 requests are allowed; requests 6 and 7 exceed the limit and get blocked.
  3. Final Answer:

    Only the first 5 requests will be accepted; the next 2 will be blocked -> Option C
  4. Quick Check:

    max 5 requests = C [OK]
Hint: Requests over max in windowMs get blocked [OK]
Common Mistakes:
  • Assuming all requests pass without limit
  • Thinking limit resets before 1 minute
  • Believing server crashes on limit
4. Identify the error in this code snippet for rate limiting:
const rateLimit = require('express-rate-limit');
const limiter = rateLimit({ max: 10 });
app.use(limiter);
medium
A. Incorrect import statement for express-rate-limit
B. Missing windowMs option to define the time window
C. Using max instead of limit option
D. Calling app.use before defining limiter

Solution

  1. Step 1: Check required options for rateLimit

    The windowMs option is needed to specify the time frame for the limit.
  2. Step 2: Identify missing option

    The code only sets max but does not set windowMs, so the time window is undefined.
  3. Final Answer:

    Missing windowMs option to define the time window -> Option B
  4. Quick Check:

    windowMs missing = A [OK]
Hint: Always set windowMs with max for rateLimit [OK]
Common Mistakes:
  • Forgetting windowMs causes no time limit
  • Confusing max with limit option
  • Wrong import syntax
5. You want to apply rate limiting only to the login route to prevent brute force attacks. Which code snippet correctly applies express-rate-limit only to /login?
hard
A. app.use('/login', rateLimit({ windowMs: 60000, max: 5 }));
B. app.use(rateLimit({ windowMs: 60000, max: 5 })); app.use('/login');
C. app.get('/login', rateLimit({ windowMs: 60000, max: 5 }));
D. app.post(rateLimit({ windowMs: 60000, max: 5 }), '/login');

Solution

  1. Step 1: Understand how to apply middleware to specific routes

    Using app.use('/login', middleware) applies the middleware only to the /login path.
  2. Step 2: Check the correct syntax for rateLimit middleware

    Calling rateLimit with options returns middleware to pass to app.use.
  3. Final Answer:

    app.use('/login', rateLimit({ windowMs: 60000, max: 5 })); -> Option A
  4. Quick Check:

    Middleware on route = A [OK]
Hint: Use app.use with path and rateLimit middleware [OK]
Common Mistakes:
  • Calling app.use without path for specific routes
  • Using app.get or app.post incorrectly with middleware
  • Passing middleware after route string