Why Rate Limiting Matters
Imagine you are running an online store, and suddenly a bot floods your checkout API with thousands of requests. Your server crashes, real customers cannot buy anything, and you lose revenue. The solution? Rate limiting. It blocks abusive requests while keeping your backend fast for real users. In this article, you will learn how to implement rate limiting in Node.js using Express, all in under 4 minutes.
What is Rate Limiting?
Rate limiting controls how many requests a user or IP can make in a given timeframe. It helps you:
- Mitigate DDoS attacks (Distributed Denial of Service) at the application layer; a large volumetric flood still has to be absorbed upstream, before it reaches your server
- Stop brute-force login attempts
- Avoid API abuse from bots
- Ensure fair resource usage for all users
Quick and Simple Rate Limiting in Express
The easiest way to implement rate limiting in Express is with the express-rate-limit package.
Step 1: Install express-rate-limit
This assumes you have a recent version of Node.js installed and an editor such as Visual Studio Code. Run this command in your project directory:
npm install express-rate-limit
Step 2: Apply Rate Limiting to Your API
In your server.js or app.js, add this middleware:
const express = require("express");
const rateLimit = require("express-rate-limit");

const app = express();

// If the app sits behind a reverse proxy or load balancer, tell Express to
// trust it so req.ip is the client's address rather than the proxy's;
// otherwise every client would share a single counter.
// app.set("trust proxy", 1);

// Create rate limiter: max 100 requests per 15 minutes per IP
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // limit each IP to 100 requests per window
  message: "Too many requests, please try again later.", // sent with HTTP 429
});

app.use("/api", limiter); // Apply to all routes under /api

app.get("/api/data", (req, res) => {
  res.json({ message: "This is protected by rate limiting!" });
});

app.listen(3000, () => console.log("Server running on port 3000"));
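To make the windowMs / max behaviour above concrete, here is an added example (not code from express-rate-limit itself) of a minimal fixed-window limiter with the same semantics, written without dependencies so it can be run and tested stand-alone. The `now` option is an assumed, injectable clock used for testing; the middleware keys on `req.ip` and answers with HTTP 429 plus `RateLimit-*` and `Retry-After` headers once the limit is hit.

```javascript
// Fixed-window rate limiter: each key (e.g. client IP) gets `max` requests
// per `windowMs`; the counter resets when the window expires.
// `now` is an injected clock (assumption for testing); defaults to Date.now.
function createRateLimiter({ windowMs, max, now = () => Date.now() }) {
  // key -> { count, resetAt }
  const hits = new Map();

  // Record one request for `key` and report whether it is allowed,
  // how many requests remain, and how long until the window resets.
  function check(key) {
    const t = now();
    let entry = hits.get(key);
    if (!entry || t >= entry.resetAt) {
      // First request, or the previous window has expired: start fresh.
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(key, entry);
    }
    entry.count += 1;
    return {
      allowed: entry.count <= max,
      remaining: Math.max(0, max - entry.count),
      retryAfterMs: Math.max(0, entry.resetAt - t),
    };
  }

  // Express-style middleware (req, res, next) keyed by req.ip.
  function middleware(req, res, next) {
    const result = check(req.ip);
    res.setHeader("RateLimit-Limit", String(max));
    res.setHeader("RateLimit-Remaining", String(result.remaining));
    if (!result.allowed) {
      // Tell the client when it may retry, in whole seconds.
      res.setHeader("Retry-After", String(Math.ceil(result.retryAfterMs / 1000)));
      return res.status(429).send("Too many requests, please try again later.");
    }
    return next();
  }

  return { check, middleware };
}
```

Note that this keeps counters in process memory, so with several Node.js instances each one counts separately; a shared store is needed for a cluster-wide limit.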
Conclusion
Rate limiting is your first line of defense against bots, spam, and DDoS attacks. By adding a few lines of code, you ensure your API stays fast, secure, and fair for all users.