Rate limiting is the process of preventing repeated requests to a server in an effort to stop spam requests. Typically, a limit is set, such as 200 requests to the server per minute, and any IP address that exceeds that limit is blocked from making requests for a set period of time.
Rate slowing down is the process of slowing down server responses to an IP address that has been sending too many requests. For example, the slow down limit could be set to 200 requests per minute, and an extra 2.5 seconds of response time could be added for each request that exceeds the limit.
Both of these methods of preventing spam requests are common and can be an essential feature of the server or API of many projects. In this article, I'll explain how rate limiting and rate slowing down can be done with Express.js in Node, and I'll discuss some of the use cases and differences between these two techniques.
Rate Limiting in Express
- Install the express-rate-limit package
npm install express-rate-limit
yarn add express-rate-limit
- Set a rate limit and use it in an Express app
Rate Slowing Down in Express
- Install the express-slow-down package
npm install express-slow-down
yarn add express-slow-down
- Configure rate slow down and use it in an Express app
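The two configuration steps above (setting a rate limit and configuring a slow down), shown as an added example that is not from the original article and is not the code of express-rate-limit or express-slow-down: dependency-free Express-style middleware using the article's figures of 200 requests per minute and 2.5 seconds of extra delay. The option names, the `maxDelayMs` cap, the 10000-entry pruning bound and the injectable `clock` and `wait` parameters are assumptions of this example.

```javascript
// Added example, not express-rate-limit / express-slow-down code.
// In-memory fixed-window hit counter keyed by client IP (single process only).
function createCounter(windowMs, clock) {
  const hits = new Map(); // ip -> { count, resetAt }
  return function hit(ip) {
    const t = clock();
    if (hits.size > 10000) { // constructed bound: prune expired entries
      for (const [k, v] of hits) if (t >= v.resetAt) hits.delete(k);
    }
    let entry = hits.get(ip);
    if (!entry || t >= entry.resetAt) {
      entry = { count: 0, resetAt: t + windowMs }; // start a new window
      hits.set(ip, entry);
    }
    entry.count += 1;
    return entry;
  };
}

// Rate limiting: block with HTTP 429 once an IP exceeds `max` in the window.
// Behind a reverse proxy, req.ip is the proxy's address unless Express's
// "trust proxy" setting is configured, so every client would share one bucket.
function rateLimit({ windowMs = 60000, max = 200, clock = Date.now } = {}) {
  const hit = createCounter(windowMs, clock);
  return (req, res, next) => {
    const { count, resetAt } = hit(req.ip);
    if (count <= max) return next();
    res.set('Retry-After', String(Math.ceil((resetAt - clock()) / 1000)));
    res.status(429).send('Too many requests, please try again later.');
  };
}

// Rate slowing down: add `delayMs` per request over `delayAfter`, capped at
// `maxDelayMs` so a flood cannot hold connections open indefinitely.
function slowDown({ windowMs = 60000, delayAfter = 200, delayMs = 2500,
                    maxDelayMs = 20000, clock = Date.now, wait = setTimeout } = {}) {
  const hit = createCounter(windowMs, clock);
  return (req, res, next) => {
    const over = hit(req.ip).count - delayAfter;
    const delay = over > 0 ? Math.min(over * delayMs, maxDelayMs) : 0;
    req.slowDownDelay = delay; // exposed for logging and tests
    if (delay > 0) wait(next, delay); else next();
  };
}
```

Either middleware mounts with `app.use(rateLimit())` or `app.use(slowDown())`; because the counter lives in process memory, several server instances would each keep their own counts.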
Rate Limiting vs Rate Slowing Down
The case for rate limiting: first, rate limiting is generally more common, especially in production. Once an effective rate limit has been chosen, rate limiting is a clear way to block malicious and unwanted requests. Rate limiting is also useful for public APIs. People who offer APIs often set a rate limit for users without an API key, or for users who haven't paid a fee for a certain number of requests.
The case for rate slowing down: rate slowing down is a more lenient approach to preventing spam requests. It can be more effective in cases where it is not ideal to outright block particular users, or where there are very rare cases in which the rate limit could be exceeded, by search engine scrapers and spiders, for example.
Overall, rate limiting is a stricter and more common way to prevent spam requests, whereas rate slowing down provides a more lenient approach.
I hope this article helps in understanding how to implement rate limiting and rate slowing down in Express.js, and what the use cases for both methods are.
Thanks for scrolling.
— Gabriel Romualdo, January 11, 2021