express-rate-limit
Basic rate-limiting middleware for Express. Use to limit repeated requests to public APIs and/or endpoints such as password reset. Plays nice with express-slow-down and ratelimit-header-parser.
Usage
The full documentation is available on-line.import { rateLimit } from 'express-rate-limit'
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
limit: 100, // Limit each IP to 100 requests per `window` (here, per 15 minutes).
standardHeaders: 'draft-7', // draft-6: `RateLimit-*` headers; draft-7: combined `RateLimit` header
legacyHeaders: false, // Disable the `X-RateLimit-*` headers.
// store: ... , // Redis, Memcached, etc. See below.
})
// Apply the rate limiting middleware to all requests.
app.use(limiter)
Data Stores
The rate limiter comes with a built-in memory store, and supports a variety of external data stores.Configuration
All function options may be async. Click the name for additional info and default values.| Option | Type | Remarks | | ------------------------------------------------------------------------------------------------------------------ | -------------------------------- | ----------------------------------------------------------------------------------------------- | |
windowMs
| number
| How long to remember requests for, in milliseconds. |
| limit
| number
\| function
| How many requests to allow. |
| message
| string
\| json
\| function
| Response to return after limit is reached. |
| statusCode
| number
| HTTP status code after limit is reached (default is 429). |
| legacyHeaders
| boolean
| Enable the X-Rate-Limit
header. |
| standardHeaders
| 'draft-6'
\| 'draft-7'
| Enable the Ratelimit
header. |
| requestPropertyName
| string
| Add rate limit info to the req
object. |
| skipFailedRequests
| boolean
| Uncount 4xx/5xx responses. |
| skipSuccessfulRequests
| boolean
| Uncount 1xx/2xx/3xx responses. |
| keyGenerator
| function
| Identify users (defaults to IP address). |
| handler
| function
| Function to run after limit is reached (overrides message
and statusCode
settings, if set). |
| skip
| function
| Return true
to bypass the limiter for the given request. |
| requestWasSuccessful
| function
| Used by skipFailedRequests
and skipSuccessfulRequests
. |
| validate
| boolean
\| object
| Enable or disable built-in validation checks. |
| store
| Store
| Use a custom store to share hit counts across multiple nodes. |Thank You
Sponsored by Zuplo a fully-managed API Gateway for developers. Add dynamic rate-limiting, authentication and more to any API in minutes. Learn more at zuplo.comThanks to Mintlify for hosting the documentation at express-rate-limit.mintlify.app
<a href="https://mintlify.com/?utm_campaign=devmark&utm_medium=readme&utm_source=express-rate-limit">
<img height="75" src="https://devmark-public-assets.s3.us-west-2.amazonaws.com/sponsorships/mintlify.svg" alt="Create your docs today">
</a>
Finally, thank you to everyone who's contributed to this project in any way! 🫶
Issues and Contributing
If you encounter a bug or want to see something added/changed, please go ahead and open an issue! If you need help with something, feel free to start a discussion!If you wish to contribute to the library, thanks! First, please read the contributing guide. Then you can pick up any issue and fix/implement it!