23rd Feb 2022

API Rate Limiting

If access to an API is unrestricted, anyone (or anything) can call it as often as they like, at any time, potentially preventing legitimate users from using it. A rate limiter caps the number of events a specific sender (a person, device, IP address, API key, etc.) may perform within a specified window of time; once that cap is reached, the limiter stops accepting the sender's requests until the window passes. Rate limiting is therefore both a security control and a quality-of-service control: it safeguards an API against accidental or malicious overuse, and without it a single client can generate "spikes" of requests that starve other consumers.

What will Rate limiting do?

Avoid resource depletion:

Rate limiting improves availability and helps mitigate DoS and DDoS attacks by bounding the work any one sender can impose on the service. Note that a volumetric DDoS from many addresses can still saturate bandwidth upstream of the application, so per-client rate limiting complements, rather than replaces, network-level protection.

Control the flow of Information:

For APIs that process massive amounts of data, rate limiting can be used to control the flow of that data. It can allow for the merging of multiple streams into one service, or the equal distribution of a single stream across multiple workers.

API Quota Control Between Users:

When an API's capacity is shared among multiple users, a rate restriction can (and should) be imposed on each individual user's consumption, to guarantee fair use without interfering with other users' access. We can do this by imposing the restriction over a specific time period (e.g., per day) or by capping the quantity of the resource consumed where that is measurable. These allocation constraints are commonly referred to as quotas.

Rate limiting can help guard against a number of bot-based attacks:

  • DDoS (distributed denial-of-service) and DoS (denial-of-service) attacks
  • Brute-force and credential-stuffing attempts against login endpoints
  • Web scraping (also known as site scraping)

How Does a Rate Limiting System Work:

A rate limiting system tracks, for each client (most commonly each IP address), how many requests arrive within a given window and how much time has passed since that window started. If a single client sends more than the permitted number of requests within the defined timeframe, the limiter refuses its further requests for a set period, typically answering with HTTP 429 Too Many Requests and a Retry-After header so that a well-behaved client knows when to try again.
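How such a limiter works in code, as an added example that is not part of the original post and is not the implementation of the express-rate-limit library used later: a small Express-compatible middleware that counts requests per sender in a fixed time window and refuses the sender for a block period once the cap is exceeded. It has no dependency on express, so it runs as-is against constructed requests with a fake clock. The option names (max, windowMs, blockMs, keyGenerator), the demo() walk-through and the sample addresses are this example's own assumptions; the keyGenerator option is also how the per-user quota idea from the previous section would be applied, by keying on an API key or user id instead of the IP address.

```javascript
// Added example (not from the original post, not express-rate-limit's code):
// a fixed-window rate limiter keyed by sender, with an Express-style middleware.
function createRateLimiter({
  max = 5,                        // requests allowed per window
  windowMs = 60 * 1000,           // window length in milliseconds
  blockMs = windowMs,             // how long a sender is refused after exceeding max
  keyGenerator = (req) => req.ip, // what "one sender" means; use an API key or user id for per-user quotas
  now = () => Date.now(),         // injectable clock so behaviour can be tested deterministically
} = {}) {
  // key -> { count, windowStart, blockedUntil }; grows unbounded, see usage note
  const clients = new Map();

  function check(req) {
    const key = keyGenerator(req);
    const t = now();
    let entry = clients.get(key);

    // Sender is still inside its refusal period: reject without touching the counter
    if (entry && entry.blockedUntil > t) {
      return { allowed: false, retryAfterMs: entry.blockedUntil - t, remaining: 0 };
    }

    // No record yet, or the current window has elapsed: start a fresh window
    if (!entry || t - entry.windowStart >= windowMs) {
      entry = { count: 0, windowStart: t, blockedUntil: 0 };
      clients.set(key, entry);
    }

    entry.count += 1;
    if (entry.count > max) {
      // Cap exceeded: refuse this and all further requests for blockMs.
      // With the default blockMs === windowMs the block outlives the window,
      // so the sender always starts a clean window when the block expires.
      entry.blockedUntil = t + blockMs;
      return { allowed: false, retryAfterMs: blockMs, remaining: 0 };
    }
    return { allowed: true, retryAfterMs: 0, remaining: max - entry.count };
  }

  // Express-style (req, res, next) wrapper around check()
  function middleware(req, res, next) {
    const result = check(req);
    res.setHeader('X-RateLimit-Limit', String(max));
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(result.retryAfterMs / 1000)));
      res.status(429).send('You sent too many requests. Please wait for a while then try again');
      return;
    }
    next();
  }

  return { check, middleware };
}

// Deterministic walk-through with a fake clock and two constructed clients
// (addresses from the documentation ranges, not real hosts).
function demo() {
  let clock = 0;
  const limiter = createRateLimiter({ max: 5, windowMs: 60000, now: () => clock });
  const alice = { ip: '203.0.113.10' };
  const bob = { ip: '198.51.100.7' };
  const log = [];

  for (let i = 1; i <= 6; i++) {
    clock += 1000; // one request per second; the 6th one exceeds max
    log.push(`alice#${i}:${limiter.check(alice).allowed ? 'ok' : '429'}`);
  }
  log.push(`bob#1:${limiter.check(bob).allowed ? 'ok' : '429'}`); // bob has his own counter
  clock += 61000; // alice's 60 s block has expired and her window has rolled over
  log.push(`alice#7:${limiter.check(alice).allowed ? 'ok' : '429'}`);
  return log;
}

console.log(demo().join('\n'));
```

Two practical caveats follow from keying on req.ip. Behind a reverse proxy or load balancer every request arrives from the proxy's address, so all clients share one counter unless the application is told which proxy to trust (in Express, the `trust proxy` setting) and the forwarded address is taken from a header the proxy overwrites rather than one an attacker can set. Conversely, many users behind one NAT or corporate egress share an address and therefore a counter, which is why authenticated APIs usually key on the API key or user id instead. The in-memory Map above is also per process and never evicts old entries; a deployment with several instances keeps the counters in a shared store such as Redis and expires them with the window.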

Now we will see how to apply rate limiting to an API in Node.js.

Create a New Node Application

Create a new directory and navigate into it using the following commands:

mkdir APIRateLimiting
cd APIRateLimiting

After creating the directory, use the following command to generate a new package.json file, which will hold the project's metadata and dependencies:

npm init

Next, install the two packages the code uses with npm install express express-rate-limit, and open the folder in the text editor of your choice. Here I've used Visual Studio Code.
Create a file named index.js.
In index.js we will write a simple GET API endpoint and use the rate limiter middleware to cap calls at 5 per client within a time window of 1 minute. Use the following code:

const express = require('express');
const rateLimit = require('express-rate-limit');

const app = express();

const apiRequestLimiter = rateLimit({
    max: 5,                  // each client can hit the API only 5 times per window
    windowMs: 1 * 60 * 1000, // window length in ms, so 1 minute -> 1 * 60 * 1000
    message: 'You sent too many requests. Please wait for a while then try again'
});

// Register the limiter before the routes so that every request is counted;
// without this line the limiter is created but never applied.
app.use(apiRequestLimiter);

app.get('/get', (req, res) => {
    res.send('Hello world');
});

// Note: browsers refuse port 6000 as an unsafe (X11) port; test with Postman or curl.
app.listen(6000, () => {
    console.log('Server is running at port 6000');
});

Now we will test our Node.js application.
Use the following command to run it:

node index.js

Here we will use Postman to test our application.

After sending more than 5 requests to /get within one minute, the server answers with HTTP 429 Too Many Requests, the configured message as the body, and a Retry-After header telling the client how long to wait.


In this tutorial we have learned what rate limiting is and protected our application by adding the express-rate-limit middleware.

About Us

VS Online Services : Custom Software Development

VS Online Services has been providing custom software development for clients across the globe for many years – especially custom ERP, custom CRM, Innovative Real Estate Solution, Trading Solution, Integration Projects, Business Analytics and our own hyperlocal e-commerce platform vBuy.in and vsEcom.

We have worked with multiple customers to offer customized solutions for both technical and non-technical companies. We work closely with the stakeholders and provide the best possible result with 100% successful completion. To learn more about VS Online Services Custom Software Development Solutions or our product vsEcom, please visit our SaaS page, Web App page and Mobile App page to learn about the solutions provided. Have an idea or requirement for digital transformation? Please write to us at siva@vsonlineservices.com

Let's develop your ideas into reality