Security & Quality
API Rate Limiting
Protect APIs from abuse with configurable rate limiting using sliding windows, token buckets, or fixed windows.
Overview
express-rate-limit is a basic rate limiting middleware for Express.js that limits repeated requests to public APIs and endpoints. It uses an in-memory store by default but supports external stores like Redis for distributed deployments. The middleware tracks request counts per client (identified by IP address or custom key) within a configurable time window.
The library supports fixed window rate limiting out of the box, where each client gets a set number of requests per time window. For more sophisticated algorithms like sliding windows or token buckets, companion packages like rate-limit-redis and rate-limit-flexible provide advanced store implementations. You can configure different limits for different routes, skip certain requests, and customize the response when limits are exceeded.
Rate limiting is essential for API security: it slows brute-force attacks on authentication endpoints, helps mitigate denial-of-service floods, and deters scraping. Best practices include setting stricter limits on sensitive endpoints (login, password reset), using progressive delays, and returning rate limit headers (X-RateLimit-Limit, X-RateLimit-Remaining) so well-behaved clients can self-regulate.
Who Is This For?
- Limit login attempts to prevent brute force attacks
- Throttle public API endpoints per API key
- Set different rate limits for free vs paid API tiers
- Add rate limiting with Redis store for distributed servers
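The overview and the use cases above describe one algorithm, a fixed window counter keyed per client, applied with different limits per route (strict on login, tiered per API key) and surfaced to clients through X-RateLimit-* headers. The following is an added example, not code from express-rate-limit or from this page: a dependency-free fixed-window middleware written in the same option vocabulary (windowMs, limit, keyGenerator), exercised against constructed request objects with an injected clock so the window reset and the 429 boundary are deterministic. The IP addresses, API keys and tier table are constructed sample values.

```javascript
// Minimal fixed-window rate limiter in Express middleware shape (req, res, next).
// Added illustration only; express-rate-limit itself is not required to run this.
function createFixedWindowLimiter({ windowMs, limit, keyGenerator, now = () => Date.now() }) {
  const hits = new Map(); // key -> { count, resetAt }; per-process, like the default MemoryStore
  const limitFor = typeof limit === "function" ? limit : () => limit;

  return function limiter(req, res, next) {
    const key = keyGenerator ? keyGenerator(req) : req.ip;
    const max = limitFor(req);
    const t = now();
    let entry = hits.get(key);
    if (!entry || t >= entry.resetAt) {
      // First request in a new window: start counting from zero again.
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(key, entry);
    }
    entry.count += 1;
    const remaining = Math.max(0, max - entry.count);
    // Legacy header names as cited in the overview; values let clients back off.
    res.setHeader("X-RateLimit-Limit", String(max));
    res.setHeader("X-RateLimit-Remaining", String(remaining));
    res.setHeader("X-RateLimit-Reset", String(Math.ceil((entry.resetAt - t) / 1000)));
    if (entry.count > max) {
      res.status(429).json({ error: "Too many requests, please try again later." });
      return; // do not call next(): the route handler never runs
    }
    next();
  };
}

// Constructed stand-in for an Express response, recording what the middleware sets.
function makeRes() {
  const res = { headers: {}, statusCode: 200, body: undefined };
  res.setHeader = (k, v) => { res.headers[k] = v; };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

// Run one request through a limiter and report whether it reached the handler.
function run(limiter, req) {
  const res = makeRes();
  let passed = false;
  limiter(req, res, () => { passed = true; });
  return { passed, status: res.statusCode, headers: res.headers, body: res.body };
}

function demo() {
  let clock = 0;                 // constructed deterministic clock, milliseconds
  const now = () => clock;

  // Stricter limit on the authentication endpoint, keyed by client IP.
  const loginLimiter = createFixedWindowLimiter({
    windowMs: 15 * 60 * 1000, limit: 5, keyGenerator: (req) => req.ip, now,
  });

  // Public API keyed by API key; the limit depends on the key's tier.
  const tiers = { "key-free-1": 100, "key-paid-1": 1000 }; // constructed sample keys
  const apiLimiter = createFixedWindowLimiter({
    windowMs: 60 * 1000,
    limit: (req) => tiers[req.headers["x-api-key"]] ?? 10, // unknown keys get a small default
    keyGenerator: (req) => req.headers["x-api-key"] ?? req.ip,
    now,
  });

  const loginStatuses = [];
  for (let i = 0; i < 6; i++) {
    loginStatuses.push(run(loginLimiter, { ip: "203.0.113.7", headers: {} }).status);
  }
  const otherIpStatus = run(loginLimiter, { ip: "203.0.113.8", headers: {} }).status;
  clock += 15 * 60 * 1000;       // window expires; the blocked client may try again
  const afterResetStatus = run(loginLimiter, { ip: "203.0.113.7", headers: {} }).status;

  let freeBlockedAt = null;
  for (let i = 1; i <= 101; i++) {
    const r = run(apiLimiter, { ip: "198.51.100.2", headers: { "x-api-key": "key-free-1" } });
    if (r.status === 429) { freeBlockedAt = i; break; }
  }
  const paid = run(apiLimiter, { ip: "198.51.100.2", headers: { "x-api-key": "key-paid-1" } });

  return {
    loginStatuses, otherIpStatus, afterResetStatus, freeBlockedAt,
    paidLimit: paid.headers["X-RateLimit-Limit"],
    paidRemaining: paid.headers["X-RateLimit-Remaining"],
  };
}

console.log(demo());
```

Two caveats the example makes visible: the counter lives in a Map inside one process, so behind several servers each instance counts separately and a shared store (the Redis setup the overview mentions) is needed for the limit to mean anything; and keying by req.ip only works when the address is the client's own, so behind a reverse proxy the application has to be configured to trust the proxy's forwarded address, otherwise every client shares one counter.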
Installation
Setup for Claude Code
npm install express-rate-limit
Configuration
import express from "express"
import rateLimit from "express-rate-limit"

const app = express()

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  limit: 100, // max 100 requests per window, per client
  standardHeaders: "draft-7", // send the IETF draft-7 RateLimit headers
  legacyHeaders: false, // do not send X-RateLimit-* headers
  message: { error: "Too many requests, please try again later." },
})

app.use("/api/", limiter) // applies to every route under /api/