How to Rate Limit API Requests in Express: Protect Your Node.js Server

14/07/2025

How to Rate Limit API Requests in Express: Protect Your Node.js Server

Learn how to implement rate limiting in your Express.js API to prevent abuse, secure your backend, and improve performance. Includes middleware setup and real-world examples.

How to Rate Limit API Requests in Express

Protect your API from abuse and ensure fair usage.

In the world of API development, protecting your backend resources from abuse, brute-force attacks, and ensuring fair usage is paramount. This is where **rate limiting** comes into play. Rate limiting is a technique used to control the number of requests a client can make to a server within a given time window. Implementing effective rate limits is a crucial security measure and a best practice for maintaining the stability and availability of your API. In this post, we'll explore how to easily implement rate limiting in your Node.js Express applications using the popular `express-rate-limit` package.

Why Rate Limit Your API?

  • Prevent Brute-Force Attacks: Limit login attempts to thwart password guessing.
  • Mitigate DDoS Attacks: Slow down or block malicious traffic floods.
  • Ensure Fair Usage: Prevent a single user or client from monopolizing server resources.
  • Control Costs: For APIs that incur costs per request, rate limiting helps manage expenses.
  • Improve Stability: Protect your server from being overwhelmed by too many requests.

Common Rate Limiting Strategies

While `express-rate-limit` simplifies implementation, it's good to know the underlying strategies:

  • Fixed Window: Allows a certain number of requests within a fixed time window. Simple but can lead to bursts at the window edges.
  • Sliding Window: A more sophisticated method that tracks requests over a moving time window, offering smoother rate limiting.
  • Token Bucket: Clients consume "tokens" for each request. Tokens are added to a bucket at a fixed rate. Requests are allowed only if there are enough tokens.

Implementing Rate Limiting with `express-rate-limit`

The `express-rate-limit` package is a robust and easy-to-use middleware for Express.js.

1. Installation

npm install express-rate-limit

2. Basic Global Rate Limiting

Apply a rate limit to all requests in your Express application. 

// server.js
const express = require('express');
const rateLimit = require('express-rate-limit');

const app = express();
const PORT = process.env.PORT || 3000;

// Apply to all requests
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // Limit each IP to 100 requests per windowMs
  message: 'Too many requests from this IP, please try again after 15 minutes',
  statusCode: 429, // Optional: default is 429 Too Many Requests
  headers: true, // Send X-RateLimit-* headers
});

// Apply the rate limiting middleware to all requests
app.use(limiter);

app.get('/', (req, res) => {
  res.send('Welcome to the API!');
});

app.listen(PORT, () => {
  console.log(`Server running on port ${PORT}`);
});

3. Applying to Specific Routes

You can apply different rate limits to different routes or groups of routes. 

// server.js (excerpt)
const loginLimiter = rateLimit({
  windowMs: 5 * 60 * 1000, // 5 minutes
  max: 5, // Allow 5 login attempts per 5 minutes
  message: 'Too many login attempts from this IP, please try again after 5 minutes',
  handler: (req, res) => { // Custom handler for when limit is exceeded
    res.status(429).json({
      success: false,
      message: 'Too many login attempts. Please try again later.'
    });
  },
  keyGenerator: (req) => { // Optional: Use a custom key (e.g., username for login)
    return req.body.email || req.ip; // Limit by email if provided, else by IP
  }
});

const apiLimiter = rateLimit({
  windowMs: 60 * 60 * 1000, // 1 hour
  max: 1000, // Allow 1000 requests per hour for general API
  message: 'Too many requests, please try again after an hour.'
});

// Apply login limiter to login route only
app.post('/api/login', loginLimiter, (req, res) => {
  // ... login logic ...
  res.send('Login successful');
});

// Apply general API limiter to all routes under /api/v1
app.use('/api/v1/', apiLimiter);

app.get('/api/v1/data', (req, res) => {
  res.json({ message: 'Here is your data!' });
});

4. Configuration Options

`express-rate-limit` offers several configurable options:

  • `windowMs`: The time window in milliseconds (e.g., `60 * 1000` for 1 minute).
  • `max`: The maximum number of requests allowed within `windowMs`.
  • `message`: The response body sent when the limit is exceeded (can be a string or a function).
  • `statusCode`: The HTTP status code to send (default `429`).
  • `headers`: Set to `true` to send `X-RateLimit-Limit`, `X-RateLimit-Remaining`, and `X-RateLimit-Reset` headers.
  • `handler`: A custom function to execute when the limit is exceeded.
  • `keyGenerator`: A function to generate a unique key for each client (defaults to `req.ip`).
  • `store`: (Advanced) A custom store to persist hit counts across multiple processes/servers (e.g., Redis, Memcached).

5. Using a Persistent Store (for Production)

For production environments with multiple server instances, the default in-memory store of `express-rate-limit` is insufficient. You'll need a distributed store like Redis. 

// npm install redis rate-limit-redis

const express = require('express');
const rateLimit = require('express-rate-limit');
const RedisStore = require('rate-limit-redis');
const { createClient } = require('redis'); // For Redis client v4+

const app = express();

// Create a Redis client
const redisClient = createClient({
  url: 'redis://localhost:6379' // Your Redis connection string
});

redisClient.on('connect', () => console.log('Redis connected!'));
redisClient.on('error', (err) => console.error('Redis Client Error', err));
redisClient.connect(); // Connect the client

const apiLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // Limit each IP to 100 requests per windowMs
  store: new RedisStore({
    sendCommand: (...args) => redisClient.sendCommand(args), // For Redis client v4+
  }),
  message: 'Too many requests, please try again later.'
});

app.use(apiLimiter);

// ... your routes ...

Rate limiting is an indispensable tool for securing and optimizing your Express.js APIs. By strategically implementing limits on incoming requests, you can effectively protect your backend from malicious attacks, prevent resource exhaustion, and ensure a fair and stable experience for all users. The `express-rate-limit` package provides a flexible and powerful way to achieve this, from simple global limits to fine-grained control over specific routes and persistent storage for production scalability. Integrate rate limiting into your API design to build more resilient and robust applications.

APIs are vulnerable to overuse, abuse, and DDoS attacks if not properly protected. One of the most effective ways to guard your Express.js backend is through rate limiting—a technique that restricts how many requests a user can make within a certain time window.

In this step-by-step guide, you’ll learn how to implement rate limiting in Express using popular middleware like express-rate-limit. We'll walk through setup, configuration options, custom error handling, and applying different limits to different routes.

Whether you're building public APIs, admin dashboards, or internal services, rate limiting is essential for maintaining server health, fair usage, and protecting sensitive resources. This tutorial will help you implement a scalable and secure solution in your Node.js app.

Next Blog

How to Build a Scalable Folder Structure for Node.js Projects

How to Build a Scalable Folder Structure for Node.js Projects

Organize your Node.js codebase for growth with a clean, scalable folder structure. Learn best practices for structuring routes, controllers, services, and more in modern backend applications.