In this tutorial, our goal is to introduce you to the concept of rate limiting and throttling. We aim to provide you with a clear understanding of how these techniques can be implemented to protect your server from being overwhelmed by too many requests.
By the end of this tutorial, you will be able to understand what rate limiting and throttling are, their importance, and how to implement them in your API.
Basic knowledge of HTTP protocols, RESTful APIs, JavaScript, and Node.js is required.
Rate limiting is a technique for limiting network traffic. It sets a limit on how many requests a client can make to an API within a certain time period.
Throttling, on the other hand, is a process that manages the rate of requests. It allows you to control the number of requests a client (or group of clients) can make during a session.
We will be using the Express Rate Limit package for this tutorial. You can install it using npm:
npm install express-rate-limit
// Importing the necessary libraries
const express = require('express');
const rateLimit = require("express-rate-limit");
// Initiating the app
const app = express();
// Applying rate limit to all requests
const limiter = rateLimit({
windowMs: 15 * 60 * 1000, // 15 minutes
max: 100 // limit each IP to 100 requests per windowMs
});
app.use(limiter);
// A sample route
app.get('/', (req, res) => {
res.send('Welcome to the homepage!');
});
// Starting the server
app.listen(3000);
In this code, we use the express-rate-limit package to limit each IP to 100 requests per 15 minutes. After the limit is reached, the client receives a 429 response.
// Applying different rate limits to different routes
const rateLimit = require("express-rate-limit");
// A limiter for login attempts
const loginLimiter = rateLimit({
windowMs: 60 * 60 * 1000, // 1 hour
max: 5, // limit each IP to 5 requests per windowMs
message: "Too many accounts created from this IP, please try again after an hour"
});
app.post('/login', loginLimiter, (req, res) => {
// login handler
});
In this code, we have a different rate limit for the login route. We limit each IP to 5 login attempts per hour. If exceeded, a custom message is sent to the client.
You should now explore more about different rate-limiting strategies like leaky bucket and token bucket. Also, learn about how to implement rate limiting and throttling at a more granular level, such as per user, per device, etc.
Create a rate limiter that allows only 10 requests per minute for a registration route.
const registerLimiter = rateLimit({
windowMs: 60 * 1000, // 1 minute
max: 10, // limit each IP to 10 requests per windowMs
message: "Too many registration attempts from this IP, please try again after a minute"
});
app.post('/register', registerLimiter, (req, res) => {
// registration handler
});
Implement rate limiting in an existing API. The rate limit should be 500 requests per day.
const dailyLimiter = rateLimit({
windowMs: 24 * 60 * 60 * 1000, // 24 hours
max: 500, // limit each IP to 500 requests per windowMs
message: "You have exceeded the 500 requests in 24 hrs limit!"
});
app.use(dailyLimiter);
This limiter will be applied to all routes in your API. If you want to apply it to specific routes, just add it as a middleware to those routes.