JAVASCRIPT

Implement API Rate Limiting with Redis for Brute Force Protection

Secure your API endpoints by implementing robust rate limiting using Redis, preventing brute-force attacks and service abuse in Node.js Express applications.

const express = require('express');
const redis = require('redis');
const { RateLimiterRedis } = require('rate-limiter-flexible');

const app = express();
const redisClient = redis.createClient({
  host: 'localhost',
  port: 6379
});

redisClient.on('error', (err) => {
  console.error('Redis Client Error', err);
});

const rateLimiter = new RateLimiterRedis({
  storeClient: redisClient,
  keyPrefix: 'middleware',
  points: 10, // 10 requests
  duration: 1, // per 1 second by IP
  blockDuration: 60 * 5, // Block for 5 minutes if 10 requests in 1 sec
});

const rateLimiterMiddleware = (req, res, next) => {
  rateLimiter.consume(req.ip)
    .then(() => {
      next();
    })
    .catch((rejRes) => {
      // rejRes contains information about remaining points, etc.
      res.status(429).send('Too Many Requests');
    });
};

app.use(rateLimiterMiddleware);

app.get('/', (req, res) => {
  res.send('Hello World!');
});

app.listen(3000, () => {
  console.log('Server running on port 3000');
});
How it works: This snippet demonstrates how to implement application-wide API rate limiting using the `rate-limiter-flexible` library with Redis as the store. It restricts requests based on the client's IP address, allowing 10 requests per second. If the limit is exceeded, the client is blocked for 5 minutes. This effectively prevents brute-force attacks against login forms or excessive resource consumption by malicious users.

Need help integrating this into your project?

Our team of expert developers can help you build your custom application from scratch.

Hire DigitalCodeLabs