Kelvin's Blog

Rate Limiting: A guide to improving performance and security in backend development

Rate Limiting: A guide to improving performance and security in backend development

kelvin Onyenankie's photo
kelvin Onyenankie
·

4 min read

Rate limiting is a powerful technique for improving the security and performance of your server or API.

In this article, we will discuss what rate limiting is, the importance of rate limiting, and also learn how to implement rate limiting in Node.js.

What is Rate Limiting?

Rate limiting is a technique for controlling the number of user requests to a server or an API within a given time frame.

For example, if the rate limit of an API is 50 requests per minute. The user can only make 50 requests per minute, and if the user exceeds this limit, the API will send an error message or block all further requests for a given time frame.

Rate limiting improves performance by ensuring that the requests the user makes to the server are not overwhelming, which reduces the performance.

Implementing the rate limiter is crucial for the security of your web applications. Without a rate limiter, your web applications are vulnerable to DDoS attacks and brute-force attacks.

DDoS Attacks

The Distributed Denial of Service(DDoS) attack targets the endpoints of an API.

Attackers flood endpoints with numerous requests to overwhelm the server and bring down the application.

For example, in a signup endpoint without a rate limiter. An attacker can flood the endpoint with numerous requests to overwhelm the server and make the endpoint inaccessible to other users.

So, by implementing the rate limiter, you can control the number of requests a particular IP address can send within a given time frame, preventing the attacker from overwhelming our server.

Brute-force Attacks

The Brute-force attack is when the attacker systematically tries multiple passcodes until he finds the correct one and gains access to an application.

For example, in a 2 Factor Authentication(FA) endpoint without a rate limiter. An attacker can guess the passcode of a user by trying numerous combinations. Therefore effectively overwhelming the server, reducing performance, and potentially finding the correct passcode.

So, by implementing the rate limiter, we can control the number of requests a particular IP address can send within a given time frame, effectively reducing the attacker’s ability to guess the correct passcode and preventing him from overwhelming our server.

Implementing the rate limiter in Node.js

To implement the rate limiter, we will use a straightforward algorithm known as the sliding window counter.

Also, we will use a third-party library. The Express Rate Limiter is an npm package that allows us to perform basic rate limiting. To use this package, you have to install it by typing the following command into your terminal:

npm i express-rate-limit

Next, proceed to the main file of your project (this is typically the app.js or server.js file), and at the top of the file and import the express rate limiter package by typing:

import rateLimit from 'express-rate-limit';

Next, you need a rate limiting middleware still in your main file.

Copy and paste the following codes:

// Limit requests from same API

const limiter = rateLimit({
  max: 100,
  windowMs: 60 * 60 * 1000,
  message: 'Too many requests from this IP, please try again in an hour!'
});

app.use('/api', limiter);

In the code snippet, we imported the npm package into the project. Using the express rate limiter package, we create a middleware that enforces rate limiting based on the options we have passed in, including the following:

  • windowMs, the window size (1 minute in our case) in milliseconds, that is, the time given for a number of requests

  • max, which represents the number of allowed requests per window per user

  • message, which specifies the response message users get when they have exceeded the allowed limit

Voilà!. We just created a rate limiter that allows users to make 100 requests per minute, and if the user exceeds this limit, he will get an error message.

Pretty simple, isn’t it?

Conclusion

In this article, you have learned what rate limiting is, the importance of rate limiting, and also learn how to implement rate limiting in Node.js using a simple third-party library that makes our work easier.

I hope you had fun doing this with me. Please follow me on Twitter to see more content like this. Thank you.

backendJavaScriptNode.jsSecurityBeginner Developers