express-rate-limit

Basic rate-limiting middleware for Express. Use to
limit repeated requests to public APIs and/or endpoints such as password reset.
Plays nice with
express-slow-down and
ratelimit-header-parser.

Usage

The full documentation is
available on-line.

import express from 'express'
import { rateLimit } from 'express-rate-limit'

const app = express()

const limiter = rateLimit({
	windowMs: 15 * 60 * 1000, // 15 minutes
	limit: 100, // Limit each IP to 100 requests per `windowMs` window (here, per 15 minutes).
	standardHeaders: 'draft-8', // draft-6: `RateLimit-*` headers; draft-7 & draft-8: combined `RateLimit` header
	legacyHeaders: false, // Disable the `X-RateLimit-*` headers.
	ipv6Subnet: 56, // Set to 60 or 64 to be less aggressive, or 52 or 48 to be more aggressive
	// store: ... , // Redis, Memcached, etc. See Data Stores.
})

// Apply the rate limiting middleware to all requests.
app.use(limiter)

Data Stores

The rate limiter comes with a built-in memory store (per process, so counts are
not shared between instances) and supports a variety of external data stores
(Redis, Memcached, and others) through the `store` option.

Configuration

Any option that accepts a function may return a Promise. See the online
documentation for additional info and default values.

| Option | Type | Remarks |
|---|---|---|
| `windowMs` | `number` | How long to remember requests for, in milliseconds. |
| `limit` | `number` \| `function` | How many requests to allow per window. |
| `message` | `string` \| `json` \| `function` | Response to return after the limit is reached. |
| `statusCode` | `number` | HTTP status code after the limit is reached (default is 429). |
| `handler` | `function` | Function to run after the limit is reached (overrides `message` and `statusCode`, if set). |
| `legacyHeaders` | `boolean` | Enable the `X-RateLimit-*` headers. |
| `standardHeaders` | `'draft-6'` \| `'draft-7'` \| `'draft-8'` | Enable the standard rate-limit headers (draft-6: `RateLimit-*` headers; draft-7 and draft-8: a combined `RateLimit` header). |
| `identifier` | `string` \| `function` | Name associated with the quota policy enforced by this rate limiter. |
| `store` | `Store` | Use a custom store to share hit counts across multiple nodes. |
| `passOnStoreError` | `boolean` | Allow (`true`) or block (`false`, default) traffic if the store becomes unavailable. |
| `keyGenerator` | `function` | Identify clients (defaults to the IP address). |
| `ipv6Subnet` | `number` (32-64) \| `function` \| `false` | How many bits of an IPv6 address the default `keyGenerator` uses. |
| `requestPropertyName` | `string` | Name of the property on `req` that receives the rate-limit info. |
| `skip` | `function` | Return `true` to bypass the limiter for the given request. |
| `skipSuccessfulRequests` | `boolean` | Do not count 1xx/2xx/3xx responses. |
| `skipFailedRequests` | `boolean` | Do not count 4xx/5xx responses. |
| `requestWasSuccessful` | `function` | Used by `skipSuccessfulRequests` and `skipFailedRequests` to decide which responses count as successful. |
| `validate` | `boolean` \| `object` | Enable or disable the built-in validation checks. |
| `logger` | `Logger` | Custom logger. |
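The following is an added example, not code from express-rate-limit or its documentation. It ties the Usage snippet, the Data Stores section and the option table together for the case the README names, a password-reset endpoint: a `keyGenerator` that buckets requests by the normalized target account instead of the client IP, a JSON `handler`, and a small custom `Store` of the kind the `store` option expects. The store follows the interface as I understand it from the project's documentation (`init`, `get`, `increment`, `decrement`, `resetKey`, `resetAll`); verify it against the version you deploy. `startServer()` assumes `express` and `express-rate-limit` are installed; everything else is plain Node and runs offline. The route path, limits and messages are assumptions, and the store is an in-process stand-in for the shared Redis or Memcached backend you would use in production.

```javascript
// Added example (not express-rate-limit's own code). Assumes `express` and
// `express-rate-limit` are installed for startServer() only; the rest is plain
// Node. Store interface per the project's docs as I understand it: check it
// against your version. Sync returns are used so it is easy to unit-test; the
// interface also accepts Promises.

// Key password-reset requests by the normalized target account rather than by
// client IP: the threat is flooding one mailbox or enumerating accounts from
// many sources, and per-IP limiting (the global limiter in Usage) covers the
// rest. Without an email in the body, fall back to the IP so the request is
// still bounded.
function passwordResetKey(req) {
  const email = String(req.body?.email ?? '').trim().toLowerCase()
  return email ? `pwreset:${email}` : `pwreset:ip:${req.ip}`
}

// Custom handler: a JSON body instead of the default text response.
// `options` is the resolved option set the limiter passes to the handler.
function resetHandler(req, res, next, options) {
  res.status(options.statusCode).json({
    error: 'Too many password reset requests for this account.',
    retryAfterMinutes: Math.ceil(options.windowMs / 60000),
  })
}

// Minimal fixed-window store. A real deployment would back this with Redis or
// Memcached so counts are shared across instances; `now` is injectable for tests.
class FixedWindowStore {
  constructor({ now = () => Date.now() } = {}) {
    this.now = now
    this.windowMs = 60 * 1000 // overwritten by init() with the limiter's windowMs
    this.hits = new Map() // key -> { totalHits, resetTime }
  }
  init(options) {
    this.windowMs = options.windowMs
  }
  get(key) {
    const entry = this.hits.get(key)
    return entry ? { totalHits: entry.totalHits, resetTime: entry.resetTime } : undefined
  }
  increment(key) {
    const now = this.now()
    let entry = this.hits.get(key)
    // Start a fresh window when none exists or the previous one has expired.
    if (!entry || entry.resetTime.getTime() <= now) {
      entry = { totalHits: 0, resetTime: new Date(now + this.windowMs) }
      this.hits.set(key, entry)
    }
    entry.totalHits += 1
    return { totalHits: entry.totalHits, resetTime: entry.resetTime }
  }
  decrement(key) {
    const entry = this.hits.get(key)
    if (entry && entry.totalHits > 0) entry.totalHits -= 1
  }
  resetKey(key) { this.hits.delete(key) }
  resetAll() { this.hits.clear() }
}

// Option set for the password-reset route (values are assumptions).
const passwordResetOptions = {
  windowMs: 60 * 60 * 1000, // 1 hour
  limit: 5,                 // 5 reset requests per account per hour
  statusCode: 429,
  standardHeaders: 'draft-8',
  legacyHeaders: false,
  identifier: 'password-reset',
  keyGenerator: passwordResetKey,
  handler: resetHandler,
  store: new FixedWindowStore(),
  passOnStoreError: false,  // fail closed if the shared store is unreachable
}

// Wiring; requires `npm i express express-rate-limit`. Behind a reverse proxy,
// set `trust proxy` to the number of hops so req.ip is the client, not the proxy.
async function startServer(port = 3000) {
  const express = (await import('express')).default
  const { rateLimit } = await import('express-rate-limit')
  const app = express()
  app.set('trust proxy', 1)
  app.use(express.json())
  app.post('/auth/password-reset', rateLimit(passwordResetOptions), (req, res) => {
    res.json({ ok: true }) // placeholder; a real handler would send the reset email
  })
  return app.listen(port)
}
```

Two design points worth noting. Keying on the account means one attacker cannot use fresh IPs to flood a victim's mailbox, but it also means an attacker can exhaust a victim's quota; in practice this limiter is mounted alongside the per-IP limiter from Usage rather than instead of it. `passOnStoreError: false` is the safe default for an abuse control: if the shared store is down the endpoint refuses rather than silently becoming unlimited.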

Thank You

Thanks to Mintlify for hosting the documentation at
express-rate-limit.mintlify.app

And thank you to everyone who's contributed to this project in any way! 🫶

Issues and Contributing

If you encounter a bug or want to see something added/changed, please go ahead
and
open an issue!
If you need help with something, feel free to
start a discussion!

If you wish to contribute to the library, thanks! First, please read
the contributing guide.
Then you can pick up any issue and fix/implement it!

License

MIT © Nathan Friedly, Vedant K