Rate Limit
The Rate limit policy allows you to control the rate at which requests to your Server can be made, preventing abuse and ensuring fair use of resources.
Options
rateLimitBy
Determines what method to use for rate limiting.
"ip"
: rate limit based on the client's IP address."jwt"
: rate limit based on the provided JWT token. It uses thesub
claim as the identifier."apiKey"
: rate limit based on the provided API key in thex-api-key
header.
Default: "ip"
.
Important: When selecting either the jwt or apiKey options, ensure that you have also set up the corresponding jwt or apiKey policies, respectively, to prevent any unexpected issues.
windowMs
Time frame for which requests are checked/remembered in milliseconds.
Number
: time in milliseconds.
Default: 60000
(1 minute).
limit
The maximum number of requests allowed during the windowMs
before rate limiting the client.
Number
: the limit value.
Default: 5
.
message
The response message sent back when a client is rate limited.
String
: the message content.
Default: "Too many requests, please try again later."
.
statusCode
The HTTP status code sent back when a client is rate limited.
Number
: the status code.
Default: 429
.
legacyHeaders
Whether to send legacy rate limit headers (X-RateLimit-Limit
, X-RateLimit-Remaining
, X-RateLimit-Reset
) on all responses. If set to true
, the Retry-After
header will also be sent on all blocked requests.
Boolean
:true
to enable,false
to disable.
Default: false
.
standardHeaders
Whether to enable support for headers conforming to the RateLimit header fields for HTTP standardization draft adopted by the IETF.
-
"draft-6"
: enable support for draft-6 headers. (i.e.RateLimit-Policy
,RateLimit-Limit
,RateLimit-Remaining
,RateLimit-Reset
). -
"draft-7"
: enable support for draft-7 headers. (i.e. a singleRateLimit
header containing limit, remaining, and reset values). -
true
: enable support for draft-6 headers.
If set to any truthy value, the Retry-After
header will also be sent on all blocked requests.
Default: "draft-6"
.
skipFailedRequests
When set to true, failed requests won’t be counted.
Boolean
:true
to skip counting,false
to count.
Default: false
.
skipSuccessfulRequests
When set to true, successful requests won’t be counted.
Boolean
:true
to skip counting,false
to count.
Default: false
.
Usage
policyDefinitions:
rateLimit:
windowMs: 300000
limit: 100
message: "You have exceeded the 100 requests in 5 minutes limit!"
endpoints:
- path: "/todos"
target:
url: "https://jsonplaceholder.typicode.com/todos"
policies:
- rateLimit
Powered by express-rate-limit