How to Rate Limit in Node.js: Simple Guide with Examples
To rate limit in
Node.js, use middleware like express-rate-limit which controls how many requests a user can make in a time window. This helps prevent abuse by limiting repeated requests from the same IP or user.Syntax
The basic syntax for using express-rate-limit involves creating a rate limiter with options and applying it as middleware in your Express app.
windowMs: Time frame for rate limiting in milliseconds.max: Maximum number of requests allowed in the time frame.message: Response sent when limit is exceeded.
javascript
import rateLimit from 'express-rate-limit'; const limiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes max: 100, // limit each IP to 100 requests per windowMs message: 'Too many requests, please try again later.' }); app.use(limiter);
Example
This example shows a simple Express server with rate limiting applied globally. It limits each IP to 5 requests every 10 seconds and sends a friendly message when the limit is reached.
javascript
import express from 'express'; import rateLimit from 'express-rate-limit'; const app = express(); const limiter = rateLimit({ windowMs: 10 * 1000, // 10 seconds max: 5, // limit each IP to 5 requests per windowMs message: 'Too many requests from this IP, please wait 10 seconds.' }); app.use(limiter); app.get('/', (req, res) => { res.send('Hello! You are within the rate limit.'); }); app.listen(3000, () => { console.log('Server running on http://localhost:3000'); });
Output
Server running on http://localhost:3000
// When requests exceed 5 within 10 seconds:
// Response: "Too many requests from this IP, please wait 10 seconds."
Common Pitfalls
Common mistakes when implementing rate limiting include:
- Not applying the limiter middleware before routes, so it doesn't protect endpoints.
- Setting too high or too low limits without considering user experience.
- Not handling trusted proxies correctly, causing wrong IP detection.
- Using global limits when some routes need different limits.
Always test your limits and adjust windowMs and max values carefully.
javascript
/* Wrong: Applying limiter after routes - no effect */ app.get('/', (req, res) => { res.send('Hello!'); }); app.use(limiter); // Too late, routes already handled /* Right: Apply limiter before routes */ app.use(limiter); app.get('/', (req, res) => { res.send('Hello!'); });
Quick Reference
| Option | Description |
|---|---|
| windowMs | Time window in milliseconds for counting requests |
| max | Maximum number of requests allowed per windowMs |
| message | Response sent when the limit is exceeded |
| standardHeaders | Send rate limit info in RateLimit-* headers (true/false) |
| legacyHeaders | Enable legacy X-RateLimit-* headers (true/false) |
Key Takeaways
Use express-rate-limit middleware to easily add rate limiting in Node.js Express apps.
Set windowMs and max options to control request limits and time frames.
Apply the rate limiter middleware before your routes to protect them.
Test and adjust limits to balance security and user experience.
Handle proxy settings if your app is behind a proxy to get correct client IPs.