express-rate-limit

express-rate-limit is a basic rate-limiting middleware for Express that limits repeated requests to public APIs and endpoints. The middleware tracks the number of requests from each client (identified by IP address by default) within a configurable time window and returns a 429 Too Many Requests response when the limit is exceeded. Rate limiting is essential for protecting APIs from abuse, brute-force attacks, denial-of-service attempts, and preventing excessive resource consumption. The middleware is configurable with windowMs (time window in milliseconds), max (maximum requests per window), message (custom response for rate-limited requests), standardHeaders (RateLimit-* response headers), and keyGenerator (custom client identification logic). By default, express-rate-limit uses an in-memory store that tracks request counts per IP, but for multi-instance deployments, external stores like rate-limit-redis, rate-limit-memcached, or rate-limit-mongo provide shared rate limiting across application instances. The middleware can be applied globally to all routes or selectively to specific endpoints like login or API routes. express-rate-limit is often used alongside helmet and cors as part of a standard Express security middleware stack.