Basic rate-limiting middleware for Express. Use to limit repeated requests to public APIs and/or endpoints such as password reset.
A brute-force protection middleware for express routes that rate-limits incoming requests, increasing the delay with each request in a fibonacci-like sequence.
Here is the full control functions;
storeAn instance ofExpressBrute.MemoryStoreor some other ExpressBrute store (see a list of known stores below).optionsfreeRetriesThe number of retires the user has before they need to start waiting (default: 2)minWaitThe initial wait time (in milliseconds) after the user runs out of retries (default: 500 milliseconds)maxWaitThe maximum amount of time (in milliseconds) between requests the user needs to wait (default: 15 minutes). The wait for a given request is determined by adding the time the user needed to wait for the previous two requests.lifetimeThe length of time (in seconds since the last request) to remember the number of requests that have been made by an IP. By default it will be set tomaxWait * the number of attempts before you hit maxWaitto discourage simply waiting for the lifetime to expire before resuming an attack. With default values this is about 6 hours.failCallbackGets called with (req,resp,next,nextValidRequestDate) when a request is rejected (default: ExpressBrute.FailForbidden)attachResetToRequestSpecify whether or not a simplified reset method should be attached atreq.brute.reset. The simplified method takes only a callback, and resets allExpressBrutemiddleware that was called on the current request. If multiple instances ofExpressBrutehave middleware on the same request, only those withattachResetToRequestset to true will be reset (default: true)refreshTimeoutOnRequestDefines whether thelifetimecounts from the time of the last request that ExpressBrute didn’t prevent for a given IP (true) or from of that IP’s first request (false). Useful for allowing limits over fixed periods of time, for example: a limited number of requests per day. (Default: true). More infohandleStoreErrorGets called whenever an error occurs with the persistent store from which ExpressBrute cannot recover. It is passed an object containing the propertiesmessage(a description of the message),parent(the error raised by the session store), and [key,ip] or [req,res,next] depending on whether or the error occurs duringresetor in the middleware itself.
Install
$ npm install –save express-rate-limit
Usage
For an API-only server where the rate-limiter should be applied to all requests:
var RateLimit = ;
app; // only if you’re behind a reverse proxy (Heroku, Bluemix, AWS if you use an ELB, custom Nginx setup, etc)
var limiter =
windowMs: 15*60*1000 // 15 minutes
max: 100 // limit each IP to 100 requests per windowMs
delayMs: 0 // disable delaying – full speed until the max limit is reached
;
// apply to all requests
app;
For a “regular” web server (e.g. anything that uses express.static()), where the rate-limiter should only apply to certain requests:
var RateLimit = ;
app; // only if you’re behind a reverse proxy (Heroku, Bluemix, AWS if you use an ELB, custom Nginx setup, etc)
var apiLimiter =
windowMs: 15*60*1000 // 15 minutes
max: 100
delayMs: 0 // disabled
;
// only apply to requests that begin with /api/
app;
Create multiple instances to apply different rules to different routes:
var RateLimit = ;
app; // only if you’re behind a reverse proxy (Heroku, Bluemix, AWS if you use an ELB, custom Nginx setup, etc)
var apiLimiter =
windowMs: 15*60*1000 // 15 minutes
max: 100
delayMs: 0 // disabled
;
app;
var createAccountLimiter =
windowMs: 60*60*1000 // 1 hour window
delayAfter: 1 // begin slowing down responses after the first request
delayMs: 3*1000 // slow down subsequent responses by 3 seconds per request
max: 5 // start blocking after 5 requests
message: “Too many accounts created from this IP, please try again after an hour“
;
app
;
A req.rateLimit property is added to all requests with the limit, current, and remainingnumber of requests for usage in your application code.
Configuration
- windowMs: milliseconds – how long to keep records of requests in memory. Defaults to
60000(1 minute). - delayAfter: max number of connections during
windowMsbefore starting to delay responses. Defaults to1. Set to0to disable delaying. - delayMs: milliseconds – how long to delay the response, multiplied by (number of recent hits –
delayAfter). Defaults to1000(1 second). Set to0to disable delaying. - max: max number of connections during
windowMsmilliseconds before sending a 429 response. Defaults to5. Set to0to disable. - message: Error message returned when
maxis exceeded. Defaults to'Too many requests, please try again later.' - statusCode: HTTP status code returned when
maxis exceeded. Defaults to429. - headers: Enable headers for request limit (
X-RateLimit-Limit) and current usage (X-RateLimit-Remaining) on all responses and time to wait before retrying (Retry-After) whenmaxis exceeded. - skipFailedRequests: when
truefailed requests (response status >= 400) won’t be counted. Defaults tofalse. - keyGenerator: Function used to generate keys. By default user IP address (req.ip) is used. Defaults:
{
return reqip;
}
- skip: Function used to skip requests. Returning true from the function will skip limiting for that request. Defaults:
{
return false;
}
- handler: The function to execute once the max limit is exceeded. It receives the request and the response objects. The “next” param is available if you need to pass to the next middleware. Defaults:
{
if optionsheaders
res;
res
;
}
- onLimitReached: Function to listen each time the limit is reached. You can use it to debug/log. Defaults:
{
/* empty */
}
- store: The storage to use when persisting rate limit attempts. By default, the MemoryStore is used. It must implement the following in order to function:
{
/**
* Increments the value in the underlying store for the given key.
* @method function
* @param
* down from RateLimit.
* @param
* store is finished.
*/
this {
// …
};
/**
* Decrements the value in the underlying store for the given key. Used only when skipFailedRequests is true
* @method function
* @param
* down from RateLimit.
*/
this {
// …
};
/**
* This callback is called by the underlying store when an answer to the
* increment is available.
* @callback Store~incrCallback
* @param
* error occurred.
* @param
*/
/**
* Resets a value with the given key.
* @method function
* @param {[type]} key – The key to reset
*/
this {
// …
};
};
Avaliable data stores are:
- MemoryStore: (default)Simple in-memory option. Does not share state when app has multiple processes or servers.
The delayAfter and delayMs options were written for human-facing pages such as login and password reset forms. For public APIs, setting these to 0 (disabled) and relying on only windowMs and max for rate-limiting usually makes the most sense.
Instance API
- resetKey(key): Resets the rate limiting for a given key. (Allow users to complete a captcha or whatever to reset their rate limit, then call this method.)
v2 changes
v2 uses a less precise but less resource intensive method of tracking hits from a given IP. v2 also adds the limiter.resetKey() API and removes the global: true option.