Basic rate-limiting middleware for Express. Use to limit repeated requests to public APIs and/or endpoints such as password reset.
Plays nice with express-slow-down and ratelimit-header-parser.
import { rateLimit } from 'express-rate-limit'

const limiter = rateLimit({
	windowMs: 15 * 60 * 1000, // 15 minutes
	limit: 100, // Limit each IP to 100 requests per `window` (here, per 15 minutes).
	standardHeaders: 'draft-8', // draft-6: `RateLimit-*` headers; draft-7 & draft-8: combined `RateLimit` header
	legacyHeaders: false, // Disable the `X-RateLimit-*` headers.
	ipv6Subnet: 56, // Set to 60 or 64 to be less aggressive, or 52 or 48 to be more aggressive
	// store: ... , // Redis, Memcached, etc. See below.
})

// Apply the rate limiting middleware to all requests.
app.use(limiter)
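How `windowMs`, `limit` and `ipv6Subnet` interact, as an added sketch that is not the library's own code: it assumes a fixed-window counter and that IPv6 addresses sharing the first `ipv6Subnet` bits are counted as one client, so rotating addresses inside one allocation does not reset the count. The names `expandIPv6`, `clientKey` and `FixedWindowLimiter` are hypothetical, and the addresses are constructed from documentation ranges.

```javascript
// Added illustration; not express-rate-limit's implementation.
// Expand IPv6 to eight 16-bit groups ("::" handled; ::ffff:a.b.c.d is rejected).
function expandIPv6(ip) {
  const parts = ip.split('::').map((s) => (s ? s.split(':') : []))
  const [h, t = []] = parts
  const gap = parts.length === 2 ? Math.max(0, 8 - h.length - t.length) : 0
  const groups = [...h, ...Array(gap).fill('0'), ...t]
  const ok = parts.length <= 2 && groups.length === 8 &&
    groups.every((g) => /^[0-9a-f]{1,4}$/i.test(g))
  if (!ok) throw new Error(`unsupported address: ${ip}`)
  return groups.map((g) => parseInt(g, 16))
}

// Counter key: the IPv4 address itself, or the IPv6 prefix of `ipv6Subnet` bits.
function clientKey(ip, ipv6Subnet = 56) {
  if (!ip.includes(':')) return ip
  const masked = expandIPv6(ip).map((g, i) => {
    const bits = Math.min(16, Math.max(0, ipv6Subnet - i * 16))
    return g & (0xffff << (16 - bits)) & 0xffff
  })
  return masked.map((g) => g.toString(16)).join(':') + '/' + ipv6Subnet
}

// Fixed-window counter (an assumption made for simplicity).
class FixedWindowLimiter {
  constructor({ windowMs, limit, ipv6Subnet = 56 }) {
    Object.assign(this, { windowMs, limit, ipv6Subnet })
    this.hits = new Map() // key -> { count, resetAt }
  }
  // Record one request; `now` is injectable so window expiry can be tested.
  hit(ip, now = Date.now()) {
    const key = clientKey(ip, this.ipv6Subnet)
    let entry = this.hits.get(key)
    if (!entry || now >= entry.resetAt) // first hit, or the window has expired
      this.hits.set(key, (entry = { count: 0, resetAt: now + this.windowMs }))
    entry.count += 1
    return { key, allowed: entry.count <= this.limit, remaining: Math.max(0, this.limit - entry.count) }
  }
}

// Constructed sample: one client alternating between two addresses in its /56.
function demo() {
  const limiter = new FixedWindowLimiter({ windowMs: 15 * 60 * 1000, limit: 100 })
  const addrs = ['2001:db8:1234:56ab:1::1', '2001:db8:1234:56ff::2']
  let last
  for (let i = 0; i < 101; i++) last = limiter.hit(addrs[i % 2], 0)
  return last // the 101st request in the window
}
console.log(demo())
```

With `ipv6Subnet: 64` the two sample addresses fall into different keys and each gets its own budget of 100, which is the "less aggressive" direction the option's comment describes.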
Data Stores
The rate limiter comes with a built-in memory store, and supports a variety of
external data stores.
Configuration
All function options may be async. Click the name for additional info and
default values.
Sponsored by Zuplo, a fully-managed API Gateway for developers. Add dynamic rate-limiting, authentication and more to any API in minutes. Learn more at zuplo.com
Finally, thank you to everyone who's contributed to this project in any way! 🫶
Issues and Contributing
If you encounter a bug or want to see something added/changed, please go ahead and open an issue!
If you need help with something, feel free to start a discussion!
If you wish to contribute to the library, thanks! First, please read the contributing guide. Then you can pick up any issue and fix/implement it!