January 12, 2021 01:27 am GMT

Rate Limiting and Rate Slowing Down in Express.js in 3 Minutes

Originally published here at xtrp.io, my blog about computer science and just about anything programming.

Rate limiting is the process of preventing repeated requests to a server in an effort to remove spam requests. Typically, a limit is set, such as 200 requests to the server per minute, and any IP address that exceeds that limit will be blocked from making requests for a set period of time.

Rate Limiting Visualization

Rate slowing down is the process of slowing down server responses to an IP that has been sending too many requests. For example, the slow down limit could be set to 200 requests per minute, and an extra 2.5 seconds more response time could be added for each request that exceeds the limit.

Rate Slowing Down Visualization

Both of these methods of preventing spam requests are common and can be an essential feature of the server or API of many projects. In this article, I'll explain how rate limiting and rate slowing down can be done with Express.js in Node, and I'll discuss some of the use cases and differences between both of these techniques.

Rate Limiting in Express

  1. Install the express-rate-limit package

    npm install express-rate-limit

Or:

    yarn add express-rate-limit

  2. Set a rate limit and use it in an Express app

    const express = require("express");
    const rateLimiter = require("express-rate-limit");

    const app = express();

    // use this line if you're using a proxy (Heroku, DigitalOcean, etc.),
    // so req IPs are the client's IP, not the IP of the proxy service.
    // Only set it when the app really sits behind one proxy hop; without a
    // proxy, the X-Forwarded-For header is client-controlled.
    app.set("trust proxy", 1);

    // set a rate limit of 200 reqs/min
    const rateLimit = rateLimiter({
        max: 200, // the rate limit in reqs
        windowMs: 1 * 60 * 1000, // time where limit applies
    });

    // use the rate limit in your Express app
    app.use(rateLimit);

Rate Slowing Down in Express

  1. Install the express-slow-down package

    npm install express-slow-down

Or:

    yarn add express-slow-down

  2. Configure rate slow down and use it in an Express app

    const express = require("express");
    const rateSpeedLimiter = require("express-slow-down");

    const app = express();

    // use this line if you're using a proxy (Heroku, DigitalOcean, etc.),
    // so req IPs are the client's IP, not the IP of the proxy service.
    // Only set it when the app really sits behind one proxy hop; without a
    // proxy, the X-Forwarded-For header is client-controlled.
    app.set("trust proxy", 1);

    // allow 200 reqs/min, reqs after that are delayed by 2500ms
    const rateSpeedLimit = rateSpeedLimiter({
        delayAfter: 200, // slow down limit (in reqs)
        windowMs: 1 * 60 * 1000, // time where limit applies
        delayMs: 2500, // slow down time
    });

    // use the rate slow down in your Express app
    app.use(rateSpeedLimit);

Rate Limiting vs Rate Slowing Down

The case for rate limiting: first, rate limiting is generally more common, especially in production. Once an effective rate limit has been chosen, rate limiting is a clear way to block malicious and unwanted requests. Rate limiting is also useful for public APIs. People who offer APIs often provide a rate limit for users without an API key, or users who haven't paid a fee for a certain number of requests.

The case for rate slowing down: rate slowing down is a more lenient approach to preventing spam requests. It can be more effective in cases where it is not ideal to outright block particular users, or if there are very rare cases where the rate limit could be exceeded, by search engine scrapers and spiders, for example.

Overall, rate limiting is a stricter and more common way to prevent spam requests, whereas rate slowing down provides a more lenient approach.
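
The two policies compared above, as an added example that is not part of the original post and is not the code of express-rate-limit or express-slow-down: a per-IP fixed-window counter applying the article's 200 reqs/min limit and its 2.5 second incremental delay. The function names, the injectable clock and the sample IP address are assumptions made for the illustration.

```javascript
// Added sketch: not the source of express-rate-limit or express-slow-down.
// Fixed-window counter keyed by client IP, with an injectable clock for testing.
// Entries are never evicted here; a production store must expire them.
function createCounter(windowMs, now = Date.now) {
  const hits = new Map(); // ip -> { count, resetAt }
  return function hit(ip) {
    const t = now();
    let entry = hits.get(ip);
    if (!entry || t >= entry.resetAt) {
      entry = { count: 0, resetAt: t + windowMs }; // window starts on first hit
      hits.set(ip, entry);
    }
    entry.count += 1;
    return entry.count;
  };
}

// Rate limiting: requests beyond `max` in the window are rejected (HTTP 429).
function limitDecision(count, max) {
  return count > max ? { allowed: false, status: 429 } : { allowed: true, status: 200 };
}

// Rate slowing down: each request beyond `delayAfter` waits delayMs longer than the last.
function slowDownDelay(count, delayAfter, delayMs) {
  return Math.max(0, count - delayAfter) * delayMs;
}

// Constructed traffic: one IP sends `n` requests at once, then one more after the
// window has expired. 203.0.113.7 is a documentation address (assumed sample value).
function simulate(n, startMs = 0) {
  let clock = startMs;
  const hit = createCounter(60 * 1000, () => clock);
  const record = () => {
    const count = hit("203.0.113.7");
    return { count, ...limitDecision(count, 200), delay: slowDownDelay(count, 200, 2500) };
  };
  const rows = [];
  for (let i = 0; i < n; i++) rows.push(record());
  clock += 60 * 1000; // window expired: the counter starts over
  rows.push(record());
  return rows;
}

const rows = simulate(203);
console.log(rows.slice(199)); // requests 200 to 203, then the first of the next window
```

The output shows the difference in strictness: under the limit policy requests 201 to 203 are rejected outright, while under the slow-down policy the same requests are still served after 2.5, 5 and 7.5 seconds.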

Conclusion

I hope this article helps in understanding how to implement rate limiting and rate slowing down in Express.js, and what the use cases for both methods are.

Thanks for scrolling.

Enjoyed this post? Check out my blog at xtrp.io.

Gabriel Romualdo, January 11, 2021


Original Link: https://dev.to/xtrp/rate-limiting-and-rate-slowing-down-in-express-js-in-3-minutes-1ea9
