23rd Feb 2022
API Rate Limiting
If access to an API is unrestricted, anyone (or anything) can use it as much as they want at any time, potentially preventing legitimate users from using it. A rate limiter limits the number of events a specific entity (a person, device, IP address, etc.) can perform within a specified window of time. In general, a rate limiter limits the number of requests a sender can make in a given amount of time, and it stops accepting requests once the cap is reached. Rate limiting can be viewed as a form of both security and quality control: it safeguards your APIs against accidental or malicious overuse by limiting the number of times each user can call them. Without rate limiting, each user is free to make as many requests as they want, producing "spikes" of requests that starve other consumers. Once rate limiting is enabled, each user can only make a limited number of requests per second.
What will Rate limiting do?
- Avoid resource depletion: Rate limiting improves availability and helps prevent DoS and DDoS attacks.
- Control the flow of information: For APIs that process massive quantities of data, rate limiting can be used to control the flow of that data. It allows multiple streams to be merged into one service, or a single stream to be distributed equally to multiple workers.
- API quota control between users: When an API's capacity is shared among multiple users, rate restriction can (and should) be applied to individual users' consumption to guarantee fair use without interfering with other users' access. We can do this by applying the rate restriction over a specific time period (e.g., per day) or by limiting the volume of the resource where possible. These allocation constraints are commonly referred to as quotas.
Rate limiting can also help guard against a number of bot-based attacks:
- DDoS (distributed denial-of-service) and DoS (denial-of-service) attacks
- Brute force and credential stuffing attempts.
- Web scraping, also known as site scraping.
How Does a Rate Limiting System Work?
A rate limiting system monitors the length of time that passes between each request from each IP address, as well as the number of requests that occur within a given window. If there are too many requests from a single IP address within a defined timeframe, the rate limiting solution will refuse to fulfil the IP address's requests for a set period of time.
We'll now look at how to use Rate Limiting with a Node.js API.
Create a New Node Application
Create a new directory and navigate into it using the following commands:
mkdir APIRateLimiting
cd APIRateLimiting
After creating the directory, use the following command to generate a new package.json file, which will contain the required metadata.
npm init
Next, open the folder in the text editor of your choice. Here I've used Visual Studio Code.
Create a file named index.js.
In index.js we will write a simple GET API endpoint and use the rate limiter to limit the number of API calls to 5 within a time period of 1 minute. Use the following code:
const express = require('express');
const rateLimit = require("express-rate-limit"); // both packages: npm install express express-rate-limit
var app = express();

const apiRequestLimiter = rateLimit({
    max: 5, // can hit the API only 5 times in a minute
    windowMs: 1 * 60 * 1000, // in ms, so 1 minute -> 1 * 60 * 1000
    message: "You sent too many requests. Please wait for a while then try again"
});

// Apply the limiter to every route; requests over the cap get HTTP 429
app.use(apiRequestLimiter);

app.get('/get', (req, res) => {
    res.send("Hello world");
});

app.listen(6000, () => {
    console.log('Server is running at port 6000');
});
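To show what the middleware does under the hood, here is an added example (not code from the post or from express-rate-limit) of a fixed-window limiter with the same policy: at most 5 requests per 60-second window per client IP, and a 429 for the rest of the window. The clock is injected so the window rollover can be checked without waiting a real minute; the client IP used is a constructed sample value.

```javascript
// Added example, not from the post or express-rate-limit: a fixed-window
// limiter with the post's policy (max 5 per 60 s window, per client key).
// The clock is injected so a window rollover can be tested without waiting.
class FixedWindowRateLimiter {
  constructor({ max = 5, windowMs = 60 * 1000, now = Date.now } = {}) {
    this.max = max;
    this.windowMs = windowMs;
    this.now = now;
    this.windows = new Map(); // key -> { start, count }
  }
  // Records one request from `key`; says whether it is allowed and, if not,
  // how long the client should wait before the window resets.
  hit(key) {
    const t = this.now();
    let w = this.windows.get(key);
    if (!w || t - w.start >= this.windowMs) {
      w = { start: t, count: 0 }; // first request or expired window: reset
      this.windows.set(key, w);
    }
    if (w.count >= this.max) {
      return { allowed: false, remaining: 0, retryAfterMs: w.start + this.windowMs - t };
    }
    w.count += 1;
    return { allowed: true, remaining: this.max - w.count, retryAfterMs: 0 };
  }
}
// Express-style middleware: keys on req.ip as in the post and answers 429
// with a Retry-After header so well-behaved clients know when to come back.
function rateLimitMiddleware(limiter, message) {
  return (req, res, next) => {
    const r = limiter.hit(req.ip);
    if (!r.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
      return res.status(429).send(message);
    }
    next();
  };
}
// Replays the post's test with a constructed client IP: 7 requests inside
// one minute, then one more after the window has rolled over.
function simulate() {
  let clock = 0;
  const limiter = new FixedWindowRateLimiter({ now: () => clock });
  const results = [];
  for (let i = 0; i < 7; i++) results.push(limiter.hit('203.0.113.7').allowed);
  clock = 60 * 1000;
  results.push(limiter.hit('203.0.113.7').allowed);
  return results; // [true, true, true, true, true, false, false, true]
}
```

Note that a fixed window lets a client send up to 2 × max requests straddling a window boundary; a sliding window or token bucket avoids that burst at the cost of more bookkeeping.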
Now we will test our Node.js application.
Use the following command to run the application:
>node index.js
Here we will use Postman to test our application.
After sending more than 5 requests within one minute, a 429 error will be sent as the response.
Conclusion
In this tutorial we have learned about rate limiting and protected our application by adding this middleware.
About Us
- VS Online Services : Custom Software Development
VS Online Services has been providing custom software development for clients across the globe for many years, especially custom ERP, custom CRM, innovative real estate solutions, trading solutions, integration projects, business analytics and our own hyperlocal e-commerce platform vBuy.in and vsEcom.
We have worked with multiple customers to offer customized solutions for both technical and non-technical companies. We work closely with the stakeholders and provide the best possible result with 100% successful completion. To learn more about VS Online Services Custom Software Development Solutions or our product vsEcom, please visit our SaaS page, Web App page or Mobile App page to learn about the solutions provided. Have an idea or requirement for digital transformation? Please write to us at siva@vsonlineservices.com