Rate Limiting

Limits how many requests a client can make in a time window. Protects against brute-force attacks and API abuse.

Syntax

environments-and-security
rateLimit({ windowMs, max, message })

Example

environments-and-security
import rateLimit from "express-rate-limit";

// Global limiter
app.use(rateLimit({ windowMs: 15 * 60 * 1000, max: 100 }));

// Strict limiter for auth routes
const authLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 5,
  message: { error: "Too many attempts. Try again in 15 minutes." },
  standardHeaders: true,
  legacyHeaders: false,
});
app.use("/api/auth/login", authLimiter);