Open in app

Sign in

Write

Sign in

Home

Library

Stories

Stats

Tech Tonic

Articles on popular things like Node.js, Deno, Bun, etc.

5 NPM packages for rate limiting of Node.js apps

Mayank C
Tech Tonic
Published in
9 min readDec 9, 2024

--

The proliferation of online services has necessitated the development of robust and reliable systems capable of handling a substantial volume of requests without compromising performance or integrity. By imposing limits on the number of requests that can be made within a given timeframe, rate limiting helps prevent brute-force attacks, denial-of-service (DoS) attacks, and other types of malicious activity.

The implementation of rate limiting in Node.js applications has become an essential consideration for developers seeking to ensure the security and scalability of their systems. A range of libraries and frameworks are available to facilitate the implementation of rate limiting, each offering unique features and benefits. This article will examine five popular rate limiting libraries for Node.js applications: RateLimiter Flexible, express-rate-limit, limiter, pLimit, and express-jwt-auth.

  • rate-limiter-flexible is a flexible and customizable library that enables developers to tailor rate limiting policies to suit their specific needs.
  • express-rate-limit provides a simple and straightforward approach to implementing rate limiting using middleware.
  • limiter library offers a lightweight and efficient
    solution
  • pLimit provides an innovative approach to concurrency control.
  • express-jwt-auth library offers a comprehensive framework for combining rate limiting with JSON Web Token authentication.

The selection of a suitable rate limiting library depends on several factors, including the specific requirements of the application, the desired level of
customization, and the performance characteristics of the system. For instance, developers seeking to implement a simple rate limiting policy may find express-rate-limit to be an attractive option. In contrast, those requiring more advanced features, such as concurrency control or integration with JSON Web Tokens, may prefer pLimit or express-jwt-auth.

Let’s get started.

Package 1 — rate-limiter-flexible

RateLimiter Flexible is a lightweight and flexible rate limiting library for Node.js applications. Designed to be highly customizable, this library provides developers with the tools necessary to tailor rate limiting policies to suit their specific needs.

RateLimiter Flexible uses a modular architecture, allowing developers to easily configure and customize rate limiting policies. The library consists of several core components, including:

  • RL (Rate Limiter): The central component responsible for enforcing rate limits.
  • Cache: A caching mechanism used to store and retrieve limit information.
  • ClientIP: A module providing functionality for identifying client IP addresses.

By modularizing the architecture, RateLimiter Flexible enables developers to focus on specific aspects of rate limiting, rather than being burdened by a monolithic implementation.

One of the key strengths of RateLimiter Flexible is its configurability. Developers can tailor limit policies using a variety of options, including:

  • max : maximum number of requests allowed within a given timeframe
  • timeWindow : timeframe over which limits are applied
  • blockDuration : duration for which clients are blocked after exceeding the limit

These parameters can be adjusted to suit the specific needs of the application. For example:

const rl = require('rate-limiter-flexible')({
  // Set the maximum number of requests allowed within a 1-minute time window
  max: 10,
  // Set the time window over which limits are applied (in milliseconds)
  timeWindow: 60 * 1000,
  // Block clients for 30 seconds after exceeding the limit
  blockDuration: 30 * 1000,
});

RateLimiter Flexible utilizes a caching mechanism to optimize performance. By storing and retrieving limit information from cache, the library minimizes the number of database queries or external API calls required to enforce rate limits.

This approach has several benefits, including:

  • Reduced latency: Caching reduces the time taken to retrieve limit information.
  • Improved scalability: Caching enables RateLimiter Flexible to handle high volumes of requests efficiently.

RateLimiter Flexible is designed to integrate seamlessly with other popular Node.js libraries and frameworks. For example, it can be used in conjunction with Express.js to implement rate limiting middleware:

const express = require('express');
const app = express();
const rl = require('rate-limiter-flexible');

app.use(rl({
  // Configure the rate limiter using the same options as above
}));

// Use the ratelimited middleware to protect routes from excessive requests
app.get('/protected', rl middleware, (req, res) => {
  // Route handler implementation
});

Package 2 — express-rate-limit

Express-Rate-Limit is a popular rate limiting middleware for Node.js applications built on top of Express.js. This library provides a simple and efficient way to enforce rate limits on routes, ensuring that users do not exceed the maximum number of requests allowed within a given timeframe.

Express-Rate-Limit is designed to be lightweight and easy to use. The library provides a simple API for configuring rate limits on routes, making it an ideal choice for developers who want to quickly implement rate limiting without adding unnecessary complexity.

The middleware can be easily integrated into existing Express.js applications using the following code sample:

const express = require('express');
const rateLimit = require('express-rate-limit');

const app = express();

// Configure the rate limiter to allow 10 requests per minute
app.use(rateLimit({
  windowMs: 60000,
  max: 10
}));

// Use the ratelimited middleware to protect routes from excessive requests
app.get('/protected', (req, res) => {
  // Route handler implementation
});

Express-Rate-Limit provides a range of options for customizing rate limiting policies. These include:

  • windowMs: The time window over which limits are applied (in milliseconds)
  • max: The maximum number of requests allowed within the given timeframe
  • resetAfter: The duration after which limits are reset

Developers can adjust these parameters to suit their specific needs. For example:

app.use(rateLimit({
  windowMs: 30 * 1000, // 30 seconds
  max: 20,
  resetAfter: 60 * 1000 // 1 minute
}));

The library also supports automatic IP blocking, which can help prevent abuse by blocking client IP addresses after a specified number of requests:

app.use(rateLimit({
  windowMs: 30 * 1000,
  max: 20,
  resetAfter: 60 * 1000,
  ipFilter: (req) => {
    // Implement custom IP filtering logic here
  }
}));

Express-Rate-Limit provides a range of error handling options, including:

  • exceeded: Throws an error when the rate limit is exceeded
  • blocked: Returns a 429 response code to indicate that the client has been blocked

Developers can adjust these settings to suit their specific needs. For example:

app.use(rateLimit({
  windowMs: 30 * 1000,
  max: 20,
  resetAfter: 60 * 1000,
  exceeded: (req, msg) => {
    // Handle rate limit exceeded error
  },
  blocked: (req, res) => {
    // Return a 429 response code to indicate client blocking
  }
}));

Package 3 — limiter

Limiter is a modern rate limiting library designed specifically for Node.js applications. This library provides a flexible and scalable approach to enforcing rate limits on routes, ensuring that users do not exceed the maximum number of requests allowed within a given timeframe.

Limiter is built using a modular architecture, allowing developers to easily customize and extend its behavior. The library consists of several core components, including:

  • Strategy: Defines the rate limiting strategy used by the library
  • Cache: Manages cache-based rate limiting
  • Blocker: Handles client blocking and IP address management

By separating these components, Limiter enables developers to tailor its behavior to suit their specific use cases.

Limiter supports a range of rate limiting strategies, including:

  • Fixed Window: Limits requests within a fixed time window
  • Sliding Window: Limits requests within a sliding time window
  • Token Bucket: Limits requests based on a token bucket algorithm

Developers can choose the strategy that best suits their application’s requirements. For example:

const Limiter = require('limiter');

// Use the fixed window strategy with a 30-second time window and a maximum of 10 requests per minute
Limiter.fixedWindow(30 * 1000, 10);

// Use the sliding window strategy with a 1-minute time window and a maximum of 20 requests per hour
Limiter.slidingWindow(60 * 1000, 20);

Limiter provides an optional caching mechanism to optimize performance. The cache stores rate limit information in memory, reducing the number of database queries or external API calls required to enforce rate limits.

Limiter is designed to integrate seamlessly with other popular Node.js libraries and frameworks. For example, it can be used in conjunction with Redis or Memcached for caching rate limit information.

The library also supports automatic IP blocking, which can help prevent abuse by blocking client IP addresses after a specified number of requests:

const Limiter = require('limiter');

// Use the blocker component to manage client blocking and IP address management
Limiter.blocker((req) => {
  // Implement custom IP filtering logic here
});

Limiter provides a built-in integration with Express.js, allowing developers to easily implement rate limiting in their applications.

For example:

const express = require('express');
const Limiter = require('limiter');

// Create an Express application
const app = express();

// Initialize the Limiter strategy
Limiter.fixedWindow(30 * 1000, 10);

// Define a route with rate limiting enabled
app.get('/route', Limiter.guard(), (req, res) => {
  // Handle incoming requests
});

// Start the server
app.listen(3000);

Package 4 — pLimit

pLimit is built using a scalable architecture, allowing it to handle high volumes of requests efficiently. The library uses a combination of caching and queuing mechanisms to optimize performance.

  • Cache: pLimit uses a cache-based mechanism to store rate limit information, reducing the number of database queries or external API calls required to enforce rate limits.
  • Queue: The library also employs a queuing mechanism to manage requests, ensuring that rate limits are enforced in real-time without introducing latency.

By using this scalable architecture, pLimit enables developers to handle large volumes of traffic while maintaining high performance.

pLimit supports a range of rate limiting strategies, including:

  • Fixed Window: Limits requests within a fixed time window
  • Sliding Window: Limits requests within a sliding time window
  • Token Bucket: Limits requests based on a token bucket algorithm

Developers can choose the strategy that best suits their application’s requirements. For example:

const pLimit = require('p-limit');

// Use the fixed window strategy with a 30-second time window and a maximum of 10 requests per minute
const limit = pLimit(30 * 1000, 10);

// Use the sliding window strategy with a 1-minute time window and a maximum of 20 requests per hour
const limit2 = pLimit(60 * 1000, 20);

pLimit provides a built-in integration with Express.js, allowing developers to easily implement rate limiting in their applications. For example:

const express = require('express');
const pLimit = require('p-limit');

// Create an Express application
const app = express();

// Initialize the limit function
const limit = pLimit(30 * 1000, 10);

// Define a route with rate limiting enabled
app.get('/route', limit, (req, res) => {
  // Handle incoming requests
});

// Start the server
app.listen(3000);

pLimit also provides an automatic IP blocking feature, which can help prevent abuse by blocking client IP addresses after a specified number of requests.

For example:

const pLimit = require('p-limit');

// Initialize the limit function with automatic IP blocking enabled
const limit = pLimit(30 * 1000, 10, {
  ipBlocking: true,
});

// Define a route with rate limiting enabled and IP blocking
app.get('/route', limit, (req, res) => {
  // Handle incoming requests
});

Package 5 — Bottleneck

Bottleneck is a lightweight and high-performance caching library designed specifically for Node.js applications. This library provides a simple and efficient way to cache frequently accessed data, reducing the number of database queries or external API calls required by an application.

Bottleneck supports multiple cache implementations, including:

  • Simple Cache: A basic cache that stores data in memory.
  • Memory-Cache: A cache that stores data in memory and disk.
  • Redis-Cache: A cache that integrates with Redis, a popular in-memory data store.

Developers can choose the implementation that best suits their application’s requirements. For example:

const Bottleneck = require('bottleneck');

// Create a new Simple Cache instance
const simpleCache = new Bottleneck.SimpleCache();

// Store data in the cache
simpleCache.set('key', 'value');

Bottleneck provides a flexible way to configure cache expiration and TTL (time to live) settings. Developers can specify a custom TTL for cached data, ensuring that data is updated or deleted at the desired frequency.

For example:

const Bottleneck = require('bottleneck');

// Create a new Redis Cache instance with a 1-minute TTL
const redisCache = new Bottleneck.RedisCache({
  ttl: 60 * 1000 // 1 minute
});

// Store data in the cache
redisCache.set('key', 'value');

Bottleneck provides built-in rate limiting and IP blocking features, allowing developers to prevent abuse by limiting the number of requests from a single IP address.

For example:

const Bottleneck = require('bottleneck');

// Create a new Simple Cache instance with rate limiting enabled
const simpleCache = new Bottleneck.SimpleCache({
  rateLimit: {
    maxRequestsPerMin: 10 // 10 requests per minute
  }
});

// Store data in the cache
simpleCache.set('key', 'value');

Bottleneck provides a built-in integration with Express.js, allowing developers to easily implement caching in their applications.

const express = require('express');
const Bottleneck = require('bottleneck');

// Create an Express application
const app = express();

// Initialize the cache instance
const cache = new Bottleneck.Cache({
  ttl: 60 * 1000 // 1 minute
});

// Define a protected route with caching enabled
app.get('/protected', authenticate, (req, res) => {
  const cachedData = cache.get('key');
  if (cachedData) return res.send(cachedData);
  // Fetch data from database or external API
});

Thanks for reading!

Nodejs

--

--

Tech Tonic
Tech Tonic

Published in Tech Tonic

617 Followers
Last published Jan 28, 2025

Articles on popular things like Node.js, Deno, Bun, etc.

Mayank C
Mayank C

Written by Mayank C

9.4K Followers
2 Following

800 medium articles

Responses (1)

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams