express-rate-limit
Rate limiting middleware for Express.js applications. Limits repeated requests from the same IP address or custom key to protect APIs from abuse, brute force attacks, and DoS. Supports multiple stores (memory, Redis, Postgres) for distributed rate limiting. Sends standard RateLimit headers (RFC 6585) to inform clients of limits.
Score Breakdown
🔒 Security
Requires correct trust proxy configuration to avoid IP spoofing bypass. Memory store not suitable for production clusters. Combine with helmet.js for comprehensive Express security hardening.
Best When
You need quick, straightforward IP-based rate limiting for Express.js APIs without infrastructure overhead.
Avoid When
You need user-tier-based quotas, complex rate limit policies, or DDoS protection at CDN scale.
Use Cases
- Protect Express API endpoints from brute force attacks with per-IP request limits (e.g., 100 requests/15min)
- Apply stricter rate limits to auth endpoints (login, password reset) to prevent credential stuffing
- Use Redis store for distributed rate limiting across multiple Node.js instances behind a load balancer
- Return standard RateLimit headers so API clients know their remaining quota and reset time
- Apply different rate limits to different routes (strict for auth, generous for public read endpoints)
Not For
- Non-Express frameworks — use Fastify's @fastify/rate-limit or Hono's built-in rate limiting for those frameworks
- Complex rate limiting by user tier or API key quota — use purpose-built API gateways (Kong, Tyk) for sophisticated quota management
- DDoS protection at scale — use CDN-level rate limiting (Cloudflare, AWS Shield) for high-volume attacks
Authentication
Middleware library with no auth requirement.
Pricing
Free and open source.
Known Gotchas
- ⚠ Default in-memory store is NOT shared across multiple Node.js processes — distributed deployments MUST use a Redis or Postgres store for accurate limits
- ⚠ IP detection behind proxies requires trust proxy setting in Express — without it, all requests appear to come from the proxy IP, causing single-IP rate limiting for all users
- ⚠ Default windowMs is 60000ms (1 minute) — agents should set explicit windowMs and max values rather than relying on defaults which may change
- ⚠ The standardHeaders option controls which RateLimit header format is sent — set to 'draft-7' for the current IETF standard; older clients may expect X-RateLimit-* headers
- ⚠ keyGenerator function defaults to req.ip — customize for API key-based limiting; req.ip may be undefined if trust proxy is not set correctly
- ⚠ Rate limiting middleware must be applied BEFORE route handlers — applying after routes means some requests bypass the limit
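An added, self-contained model of the key generation, trust-proxy and fixed-window behaviour described in the use cases and gotchas above. It is illustrative code written for this page, not express-rate-limit's own implementation; resolveIp, keyGenerator and FixedWindowLimiter are assumed names, and the headers only follow the draft-7 layout (RateLimit / RateLimit-Policy).

```javascript
// Standalone model of the gotchas above; NOT express-rate-limit's own code.
// Header strings follow the draft-7 layout; all names here are assumed.

// Model of Express's req.ip: with `trust proxy` enabled the client address is
// the leftmost X-Forwarded-For hop; without it every request appears to come
// from the proxy's socket address, so all users share one rate-limit bucket.
function resolveIp(req, trustProxy) {
  const xff = req.headers['x-forwarded-for'];
  if (trustProxy && xff) return xff.split(',')[0].trim();
  return req.socket.remoteAddress;
}

// Custom keyGenerator: prefer an API key so quotas follow the credential,
// falling back to the resolved client IP (the library's default is req.ip).
function keyGenerator(req, trustProxy) {
  return req.headers['x-api-key'] || `ip:${resolveIp(req, trustProxy)}`;
}

// Fixed-window counter with explicit windowMs and max (never rely on defaults).
class FixedWindowLimiter {
  constructor({ windowMs, max, trustProxy = false }) {
    Object.assign(this, { windowMs, max, trustProxy, hits: new Map() });
  }
  // Returns the allow/deny decision plus draft-7 style RateLimit headers.
  check(req, now = Date.now()) {
    const key = keyGenerator(req, this.trustProxy);
    let entry = this.hits.get(key);
    if (!entry || now >= entry.resetTime) {
      entry = { count: 0, resetTime: now + this.windowMs };
      this.hits.set(key, entry);
    }
    entry.count += 1;
    const remaining = Math.max(0, this.max - entry.count);
    const reset = Math.ceil((entry.resetTime - now) / 1000);
    return {
      key,
      allowed: entry.count <= this.max,
      headers: {
        RateLimit: `limit=${this.max}, remaining=${remaining}, reset=${reset}`,
        'RateLimit-Policy': `${this.max};w=${Math.ceil(this.windowMs / 1000)}`,
      },
    };
  }
}

// Per-route policies: strict for auth endpoints, generous for public reads.
const authLimiter = new FixedWindowLimiter({ windowMs: 15 * 60 * 1000, max: 5, trustProxy: true });
const publicLimiter = new FixedWindowLimiter({ windowMs: 15 * 60 * 1000, max: 100, trustProxy: true });
```

Running the same proxied request through a limiter built with trustProxy false shows two distinct clients landing in one bucket, which is the single-IP collision the trust proxy gotcha warns about.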
Scores are editorial opinions as of 2026-03-07.