How to Set Up Rate Limiting and Rate Slowing Down in Express.js

  • Gabriel Romualdo

  • January 11, 2021


Rate limiting is the process of preventing repeated requests to a server in an effort to remove spam requests. Typically, a limit is set, such as 200 requests to the server per minute, and any IP address that exceeds that limit will be blocked from making requests for a set period of time.

[Figure: Rate Limiting Visualization]

Rate slowing down is the process of slowing down server responses to an IP that has been sending too many requests. For example, the slow down limit could be set to 200 requests per minute, and an extra 2.5 seconds of response time could be added for each request that exceeds the limit.

[Figure: Rate Slowing Down Visualization]

Both of these methods of preventing spam requests are common and can be an essential feature of the server or API of many projects. In this article, I'll explain how rate limiting and rate slowing down can be done with Express.js in Node, and I'll discuss some of the use cases and differences between these two techniques.

Rate Limiting in Express

  1. Install the express-rate-limit package
npm install express-rate-limit

Or:

yarn add express-rate-limit
  2. Set a rate limit and use it in an Express app
const express = require("express");
const rateLimiter = require("express-rate-limit");

const app = express();

app.set("trust proxy", 1); // use this line if you're behind a proxy (Heroku, DigitalOcean, etc.), so req.ip is the client's IP, not the IP of the proxy service

// set a rate limit of 200 reqs/min
const rateLimit = rateLimiter({
    max: 200, // the rate limit in reqs per window
    windowMs: 1 * 60 * 1000, // time window where the limit applies (1 minute)
});

// use the rate limit in your Express app
app.use(rateLimit);

Rate Slowing Down in Express

  1. Install the express-slow-down package
npm install express-slow-down

Or:

yarn add express-slow-down
  2. Configure rate slow down and use it in an Express app
const express = require("express");
const rateSpeedLimiter = require("express-slow-down");

const app = express();

app.set("trust proxy", 1); // use this line if you're behind a proxy (Heroku, DigitalOcean, etc.), so req.ip is the client's IP, not the IP of the proxy service

// allow 200 reqs/min; each req after that adds another 2500ms of delay
const rateSpeedLimit = rateSpeedLimiter({
    delayAfter: 200, // slow down limit (in reqs per window)
    windowMs: 1 * 60 * 1000, // time window where the limit applies (1 minute)
    delayMs: 2500, // slow down time added per req over the limit
});

// use the rate slow down in your Express app
app.use(rateSpeedLimit);
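As an added illustration (not the article's code, nor the source of express-rate-limit or express-slow-down), here is a dependency-free fixed-window counter that combines both behaviours configured above, so you can see what the two packages do per client IP. The option names mirror the packages and the delay growing by delayMs for every request past delayAfter matches express-slow-down v1, the version current when this was written; the header names and the injectable `now` clock are assumptions of this example.

```javascript
// Fixed-window per-IP throttle: over `max` -> 429, over `delayAfter` -> growing delay.
// `now` is injectable (assumed here) so the window logic can be tested without waiting.
function createThrottle({ windowMs, max, delayAfter, delayMs, now = Date.now }) {
  const hits = new Map(); // client IP -> { count, resetAt }

  // Count one request for `ip`, starting a fresh window when the old one expired.
  function hit(ip) {
    const t = now();
    let entry = hits.get(ip);
    if (!entry || t >= entry.resetAt) {
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(ip, entry);
    }
    entry.count += 1;
    return entry;
  }

  // Pure decision for the `count`-th request of a window: block, delay, or pass.
  function decide(count, resetAt, t) {
    if (count > max) {
      return { action: "block", retryAfterSec: Math.ceil((resetAt - t) / 1000) };
    }
    if (count > delayAfter) {
      return { action: "delay", ms: (count - delayAfter) * delayMs };
    }
    return { action: "pass" };
  }

  // Express-style middleware. req.ip is only the real client when
  // app.set("trust proxy", ...) matches your deployment, as the article notes.
  function middleware(req, res, next) {
    const entry = hit(req.ip);
    const d = decide(entry.count, entry.resetAt, now());
    res.setHeader("X-RateLimit-Limit", String(max));
    res.setHeader("X-RateLimit-Remaining", String(Math.max(0, max - entry.count)));
    if (d.action === "block") {
      res.setHeader("Retry-After", String(d.retryAfterSec));
      res.status(429).send("Too many requests, please try again later.");
      return;
    }
    if (d.action === "delay") {
      setTimeout(next, d.ms); // hold the response, then continue the chain
      return;
    }
    next();
  }
  return { middleware, decide, hit };
}
// Usage (assumed app): app.use(createThrottle({ windowMs: 60000, max: 200, delayAfter: 100, delayMs: 2500 }).middleware);
```

Because the counter lives in a `Map` in one process, it resets on restart and is not shared between instances; the packages solve that with a store option, which is out of scope here.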

Rate Limiting vs Rate Slowing Down

The case for rate limiting: first, rate limiting is generally more common, especially in production. Once an effective rate limit has been chosen, rate limiting is a clear way to block malicious and unwanted requests. Rate limiting is also useful for public APIs. People who offer APIs often apply a rate limit to users without an API key, or to users who haven't paid a fee for a certain number of requests.

The case for rate slowing down: rate slowing down is a more lenient approach to preventing spam requests. It can be more effective in cases where it is not ideal to outright block particular users, or where there are rare legitimate cases in which the limit could be exceeded, by search engine scrapers and spiders, for example.

Overall, rate limiting is a stricter and more common way to prevent spam requests, whereas rate slowing down provides a more lenient approach.

Conclusion

I hope this article helps in understanding how to implement rate limiting and rate slowing down in Express.js, and what the use cases for both methods are.

Thanks for scrolling.

— Gabriel Romualdo, January 11, 2021