Quick tip today: if you are building public (REST) APIs using JavaScript/Node.js/Express, you will sooner or later have to think about rate-limiting access to your APIs to avoid DoS attacks.

Facing this challenge as well, I came across two nice Express middleware components to help me out:


- Express Rate Limit:
https://www.npmjs.com/package/express-rate-limit
- Express Slow Down:
https://www.npmjs.com/package/express-slow-down

They can be used together to first slow down repeated requests from the same IP to your APIs and finally block them completely after the slowdown. You don't have to use both of them, so pick and choose what works best for you. Usage is fairly simple; see here for slow-down:


const express = require("express");
const slowDown = require("express-slow-down");

const app = express();
app.enable("trust proxy"); // only if you're behind a reverse proxy (Heroku, Bluemix, AWS if you use an ELB, custom Nginx setup, etc.)

const speedLimiter = slowDown({
  windowMs: 15 * 60 * 1000, // 15 minutes
  delayAfter: 100,          // allow 100 requests per 15 minutes, then...
  delayMs: 500              // begin adding 500ms of delay per request above 100:
                            // request # 101 is delayed by  500ms
                            // request # 102 is delayed by 1000ms
                            // request # 103 is delayed by 1500ms
                            // etc.
});

// apply to all requests
app.use(speedLimiter);
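To make the two-stage policy (slow down, then block) concrete, here is an added example that is not from the original post and not the code of the express-slow-down or express-rate-limit packages. It is a small dependency-free, in-memory Express-style middleware whose option names (windowMs, delayAfter, delayMs, max) are assumed to mirror the packages' own; the counter logic is my own and the client key is taken from req.ip. The decision is kept in a pure hit() function so it can be reasoned about and tested without a running server. One caveat the real packages share: only enable "trust proxy" when a proxy you control actually sits in front of the app, because with it enabled the client's X-Forwarded-For header is believed, and a direct client could spoof its IP to escape its own bucket.

```javascript
"use strict";

// Fixed-window throttle: per key, count hits inside a window; above delayAfter each
// extra hit adds delayMs of latency, above max the request is rejected with 429.
function createThrottle(options) {
  const opts = Object.assign(
    { windowMs: 15 * 60 * 1000, delayAfter: 100, delayMs: 500, max: 200 },
    options
  );
  const hits = new Map(); // key -> { count, resetAt }

  // Record one hit for `key` at time `now` (ms) and return the verdict.
  function hit(key, now) {
    let entry = hits.get(key);
    if (!entry || now >= entry.resetAt) {
      entry = { count: 0, resetAt: now + opts.windowMs };
      hits.set(key, entry);
    }
    entry.count += 1;
    const blocked = entry.count > opts.max;
    const over = Math.max(0, entry.count - opts.delayAfter);
    return {
      count: entry.count,
      blocked,
      delay: blocked ? 0 : over * opts.delayMs,
      retryAfterSec: Math.ceil((entry.resetAt - now) / 1000),
    };
  }

  // Drop expired entries so the map does not grow without bound.
  function sweep(now) {
    for (const [key, entry] of hits) {
      if (now >= entry.resetAt) hits.delete(key);
    }
  }

  // Express-compatible middleware (req, res, next).
  function middleware(req, res, next) {
    const now = Date.now();
    if (hits.size > 10000) sweep(now);
    const key = req.ip || (req.socket && req.socket.remoteAddress) || "unknown";
    const verdict = hit(key, now);
    if (verdict.blocked) {
      res.statusCode = 429;
      res.setHeader("Retry-After", String(verdict.retryAfterSec));
      res.end("Too many requests");
      return;
    }
    if (verdict.delay > 0) {
      setTimeout(next, verdict.delay); // slow-down stage
    } else {
      next();
    }
  }

  middleware.hit = hit; // exposed for testing and inspection
  return middleware;
}

// Mounting it (assumes express is installed; not run here):
//   const app = require("express")();
//   app.set("trust proxy", 1);          // only behind a proxy you control
//   app.use(createThrottle({ delayAfter: 100, delayMs: 500, max: 200 }));
```

In production the counters live in a shared store (the packages accept one) so that several app instances enforce one limit; this in-memory map only demonstrates the mechanics.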

Not much overhead, right? Me likes.
This is just the simplest way to use them, of course; have a look at the documentation for more fine-grained use cases.

Happy coding, stay healthy.


Heiko.
Heiko Voigt | 13 March 2020 11:02:25 | domino-db, node.js, express, middleware


Comments (1)

Lars Berntrop-Bos       13.03.2020 23:13:28

Excellent!

There was also a good tip in the presentation by Thilo Volprich about Designing Domino APIs, not in the slides but during the Q & A.

When designing an API, add a random delay when you have to fail. Usually, errors fail really quickly, so for instance when authorization fails, an attacker can try lots of credentials. Rate limiting and inserting delays foils that plan.

I have asked Thilo to check this as it was not my own idea, but I thought it too good an idea and Best Practice when designing robust APIs not to mention it.