
How to Add Rate Limiting to a Node.js API

Rate limiting protects your API from abuse such as credential brute-forcing and scraping, from runaway clients stuck in a retry loop, and from low-volume application-layer denial of service. It is not a defense against volumetric DDoS, which has to be absorbed upstream of your servers. This guide covers in-memory rate limiting for a single server and Redis-backed rate limiting for multiple servers.

Simple Rate Limiting with express-rate-limit

Install it with npm install express-rate-limit, then apply it globally or to specific routes:

    import rateLimit from "express-rate-limit";

    const limiter = rateLimit({
      windowMs: 15 * 60 * 1000,   // 15 minutes
      max: 100,                   // per window, per client key (req.ip by default)
      standardHeaders: true,
      legacyHeaders: false,
      message: { error: "Too many requests, try again in 15 minutes." }
    });

    app.use("/api/", limiter);

This limits each IP to 100 requests per 15 minutes and answers the 101st with HTTP 429 and the message body above (max is still accepted; newer versions of the library call the option limit). The default store is in memory, so counts reset on restart and are not shared between processes.

Two caveats before relying on it. First, the counter is keyed on req.ip. Behind a load balancer or reverse proxy, req.ip is the proxy's address unless Express is told how many hops to trust (app.set("trust proxy", 1) for a single proxy). With no trust setting every client shares one counter; with trust proxy set to true, or to more hops than you actually have, a client can write its own X-Forwarded-For value and choose which counter it lands in, which defeats the limit. express-rate-limit logs a validation warning when it detects either mismatch. Second, a per-IP limit is blunt: NAT puts many users behind one address, so keep the global limit generous and reserve tight limits for specific endpoints.

Different Limits for Different Endpoints

Apply stricter limits to sensitive endpoints:

    const authLimiter = rateLimit({
      windowMs: 60 * 60 * 1000,   // 1 hour
      max: 10,
      message: { error: "Too many login attempts" }
    });

    app.post("/api/login", authLimiter, loginHandler);

Suggested starting points: contact forms 3 per hour, password reset 5 per hour, public API 1,000 per hour, authenticated API 10,000 per hour. Tailor limits to the sensitivity and cost of each endpoint. Keep in mind what an IP-keyed login limit does and does not stop: it blocks a single source brute-forcing passwords, but a credential-stuffing campaign spread across many addresses stays under 10 per IP while hammering one account. Pair it with a second limiter keyed on the submitted username (the keyGenerator option lets you key on something other than the IP), and set skipSuccessfulRequests: true on the login limiter so only failed attempts count against the client. For authenticated routes, key on the user or API key rather than the IP so one user's burst does not consume their neighbours' budget.
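The two points above, the client key behind a proxy and per-endpoint policy, in one runnable example. This is added code, not express-rate-limit's own: it mirrors what the library's in-memory store does with a fixed window, resolves the client address the way Express does under trust proxy, and combines a per-IP and a per-account login limiter. The function names, the load balancer at 10.0.0.5, and the client addresses are assumptions for the demo.

```javascript
// Added example (not code from express-rate-limit): a fixed-window limiter that
// mirrors what its MemoryStore does, with the client key resolved the way Express
// does under `trust proxy`. Function names and the sample addresses are ours.

// Resolve the client address given how many proxy hops in front of us are trusted.
// X-Forwarded-For is "client, proxy1, proxy2, ..."; each trusted proxy appends the
// address it received the connection from, so the rightmost `trustedHops` entries
// were written by our own proxies and the entry just left of them is the client.
// With trustedHops = 0 the header is ignored entirely (a client can write anything in it).
function clientIp(req, trustedHops) {
  const socketIp = req.socket.remoteAddress;
  if (trustedHops === 0) return socketIp;
  const forwarded = String(req.headers["x-forwarded-for"] || "")
    .split(",").map((s) => s.trim()).filter(Boolean);
  if (forwarded.length === 0) return socketIp;
  return forwarded[Math.max(0, forwarded.length - trustedHops)];
}

// Fixed-window counter keyed by whatever keyGenerator returns (IP, account, API key).
function createLimiter({ windowMs, max, keyGenerator }) {
  const windows = new Map(); // key -> { hits, resetAt }
  return function hit(req, now = Date.now()) {
    const key = keyGenerator(req);
    let w = windows.get(key);
    if (!w || w.resetAt <= now) {
      w = { hits: 0, resetAt: now + windowMs };
      windows.set(key, w);
    }
    w.hits += 1;
    return {
      allowed: w.hits <= max,
      remaining: Math.max(0, max - w.hits),
      resetSeconds: Math.ceil((w.resetAt - now) / 1000), // what RateLimit-Reset carries
    };
  };
}

// Constructed request objects standing in for Express's req.
function makeReq(socketIp, xff, username) {
  return {
    socket: { remoteAddress: socketIp },
    headers: xff ? { "x-forwarded-for": xff } : {},
    body: { username },
  };
}

// Scenario (assumed): one load balancer at 10.0.0.5 and an attacker at 203.0.113.9
// who forges a fresh X-Forwarded-For entry on every login attempt. The balancer
// appends the real peer address, so the header arrives as "<forged>, 203.0.113.9".
// Returns the attempt number on which the limiter first blocks, or null if never.
function attemptsUntilBlocked(trustedHops, max = 10) {
  const login = createLimiter({
    windowMs: 60 * 60 * 1000, max,
    keyGenerator: (req) => clientIp(req, trustedHops),
  });
  for (let i = 1; i <= 10 * max; i++) {
    const req = makeReq("10.0.0.5", `198.51.100.${i}, 203.0.113.9`, "alice");
    if (!login(req).allowed) return i;
  }
  return null;
}
// trustedHops = 1 keys on 203.0.113.9 and blocks attempt 11.
// trustedHops = 2 keys on the forged entry and never blocks: too many hops trusted.
// trustedHops = 0 keys on 10.0.0.5 and blocks attempt 11, but so would every other
// user behind that balancer.

// Per-endpoint policy: login is limited per IP and per account, so a credential
// stuffing run that rotates through many addresses still hits the account ceiling.
function createLoginGuard(trustedHops) {
  const perIp = createLimiter({ windowMs: 3600000, max: 10,
    keyGenerator: (req) => clientIp(req, trustedHops) });
  const perAccount = createLimiter({ windowMs: 3600000, max: 20,
    keyGenerator: (req) => "acct:" + String(req.body?.username || "").trim().toLowerCase() });
  return (req) => {
    // evaluate both so each counter records the attempt even when the other blocks
    const ipOk = perIp(req).allowed;
    const accountOk = perAccount(req).allowed;
    return ipOk && accountOk;
  };
}

// Attempts against "alice" from 30 distinct addresses, one each: every IP stays
// under its limit, the account limit trips on attempt 21.
function attemptsUntilAccountBlocked() {
  const allowed = createLoginGuard(1);
  for (let i = 1; i <= 30; i++) {
    if (!allowed(makeReq("10.0.0.5", `203.0.113.${i}`, "Alice "))) return i;
  }
  return null;
}
```

The trustedHops value is the number you hand to app.set("trust proxy", n) in a real deployment; the demo shows that setting it one too high turns a per-IP limit into a per-request limit the attacker controls.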

Redis-Backed Rate Limiting for Multiple Servers

In-memory rate limiting breaks when you run multiple server instances, because each process keeps its own counter and a client gets max requests per instance rather than max in total. Use Redis to share the state. Install the store and a client: npm install rate-limit-redis ioredis. Then configure:

    import rateLimit from "express-rate-limit";
    import { RedisStore } from "rate-limit-redis";
    import Redis from "ioredis";

    const redis = new Redis(process.env.REDIS_URL);

    const limiter = rateLimit({
      store: new RedisStore({
        sendCommand: (...args) => redis.call(...args),
      }),
      windowMs: 15 * 60 * 1000,
      max: 100,
    });

All servers now share one counter per client key. Two operational points: give each limiter that uses Redis its own prefix option on its RedisStore (the default is rl:), otherwise a login limiter and a general limiter keyed on the same IP would increment the same key; and if Redis is unreachable the store call fails and the limiter fails closed, passing an error for the request, unless you opt into passOnStoreError (available in recent versions of express-rate-limit) to fail open. Decide which failure mode you want before an outage decides for you: failing open during a Redis outage means no limits at all.
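What the store does behind that configuration, as an added example that is not rate-limit-redis's code: the Store contract express-rate-limit calls (init, increment, decrement, resetKey) implemented over an ioredis-style sendCommand, so every instance counts in one place. rate-limit-redis runs its INCR and PEXPIRE inside a Lua script so the pair is atomic; this version issues plain commands to keep the sequence visible and repairs a key that lost its TTL. FakeRedis is a constructed in-memory stand-in that understands only the commands used here, so the example runs offline; the class names and the client address are assumptions.

```javascript
// Added example (not rate-limit-redis's code): the Store contract express-rate-limit
// calls, implemented over an ioredis-style sendCommand. Real deployments use
// rate-limit-redis, which does INCR+PEXPIRE atomically in a Lua script; here the
// commands are issued one by one so the logic is visible. FakeRedis is a stand-in.

class SharedStore {
  constructor({ sendCommand, prefix = "rl:" }) {
    this.sendCommand = sendCommand;
    this.prefix = prefix; // limiters must use distinct prefixes or they share counts
  }
  init(options) { this.windowMs = options.windowMs; } // express-rate-limit calls this once
  async increment(key) {
    const k = this.prefix + key;
    const totalHits = Number(await this.sendCommand("INCR", k));
    if (totalHits === 1) {
      // First hit of a new window: start the expiry clock. A key without a TTL would
      // count forever and the client would be locked out permanently.
      await this.sendCommand("PEXPIRE", k, String(this.windowMs));
    }
    let ttl = Number(await this.sendCommand("PTTL", k));
    if (ttl < 0) {
      // -1 means no TTL (e.g. a crash between INCR and PEXPIRE); repair, don't lock out.
      await this.sendCommand("PEXPIRE", k, String(this.windowMs));
      ttl = this.windowMs;
    }
    return { totalHits, resetTime: new Date(Date.now() + ttl) };
  }
  async decrement(key) { await this.sendCommand("DECR", this.prefix + key); }
  async resetKey(key) { await this.sendCommand("DEL", this.prefix + key); }
}

// Minimal in-memory Redis stand-in (constructed for this example) with a manual clock.
class FakeRedis {
  constructor() { this.data = new Map(); this.now = 0; }
  tick(ms) { this.now += ms; } // advance the fake clock
  async call(cmd, key, arg) {
    const stale = this.data.get(key);
    if (stale && stale.expiresAt !== null && stale.expiresAt <= this.now) this.data.delete(key);
    const live = this.data.get(key);
    switch (cmd) {
      case "INCR":
      case "DECR": {
        const value = (live ? live.value : 0) + (cmd === "INCR" ? 1 : -1);
        this.data.set(key, { value, expiresAt: live ? live.expiresAt : null });
        return value;
      }
      case "PEXPIRE":
        if (!live) return 0;
        live.expiresAt = this.now + Number(arg);
        return 1;
      case "PTTL":
        if (!live) return -2;
        return live.expiresAt === null ? -1 : live.expiresAt - this.now;
      case "DEL":
        return this.data.delete(key) ? 1 : 0;
      default:
        throw new Error("FakeRedis: unsupported command " + cmd);
    }
  }
}

// Two app instances, one Redis: hits recorded by A are visible to B, and the window
// resets for both when the key expires.
async function sharedCountDemo() {
  const redis = new FakeRedis();
  const newServer = () => {
    const store = new SharedStore({ sendCommand: (...args) => redis.call(...args) });
    store.init({ windowMs: 15 * 60 * 1000 });
    return store;
  };
  const serverA = newServer();
  const serverB = newServer();
  const ip = "203.0.113.9"; // constructed client address
  await serverA.increment(ip);
  await serverA.increment(ip);
  const seenByB = (await serverB.increment(ip)).totalHits;    // 3: B sees A's two hits
  redis.tick(15 * 60 * 1000);                                 // window elapses
  const afterReset = (await serverA.increment(ip)).totalHits; // 1: fresh window
  return { seenByB, afterReset };
}

// A key that lost its TTL (the process died between INCR and PEXPIRE) gets one back.
async function ttlRepairDemo() {
  const redis = new FakeRedis();
  const store = new SharedStore({ sendCommand: (...args) => redis.call(...args) });
  store.init({ windowMs: 60000 });
  await redis.call("INCR", "rl:stuck"); // counter exists with no expiry
  await store.increment("stuck");
  return Number(await redis.call("PTTL", "rl:stuck")); // 60000
}
```

Because increment is async, a Redis failure surfaces as a rejected promise from the store; that is the point at which express-rate-limit either fails the request or, with passOnStoreError, lets it through.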

Return Helpful Rate Limit Headers

Set standardHeaders: true and express-rate-limit adds RateLimit-Limit (the max for the window), RateLimit-Remaining (requests left in the current window) and RateLimit-Reset (seconds until the window resets, not a timestamp) to every response. These headers come from the IETF HTTP API working group's "RateLimit header fields for HTTP" draft, not from RFC 6585; what RFC 6585 defines is the 429 Too Many Requests status the limiter returns when a client is blocked, which it sends together with a Retry-After header. Setting standardHeaders: "draft-7" instead emits the draft's newer form, a single RateLimit header carrying all three values. API consumers can read these headers to implement polite backoff, slowing down as they approach the limit rather than retrying blindly after a 429, which also cuts down on support questions from API users.
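The consumer side of those headers, as an added example (not part of express-rate-limit or any client library): a helper that reads the draft-6 triple or the draft-7 combined RateLimit header, honours Retry-After on a 429 in both its delta-seconds and HTTP-date forms, and returns how long to wait before the next request. Headers are passed as a plain object with lower-case names, as Node's res.headers provides them; the function names, the 10% safety margin, and the sample responses are constructed.

```javascript
// Added example (not part of express-rate-limit): client-side backoff computed from
// the RateLimit-* headers, the draft-7 combined RateLimit header, and Retry-After.
// Header names are lower-case as Node's res.headers gives them. Sample data is constructed.

const SAFETY_MARGIN = 0.1; // start slowing down when 10% or less of the budget is left

function parseRateLimitHeaders(headers) {
  if (typeof headers["ratelimit"] === "string") {
    // draft-7: RateLimit: limit=100, remaining=5, reset=30
    const fields = {};
    for (const part of headers["ratelimit"].split(",")) {
      const [k, v] = part.split("=").map((s) => s.trim());
      if (k && v !== undefined) fields[k.toLowerCase()] = Number(v);
    }
    return { limit: fields.limit, remaining: fields.remaining, reset: fields.reset };
  }
  // draft-6: three headers; reset is seconds until the window ends, not a timestamp
  return {
    limit: Number(headers["ratelimit-limit"]),
    remaining: Number(headers["ratelimit-remaining"]),
    reset: Number(headers["ratelimit-reset"]),
  };
}

// Milliseconds to wait before the next request (0 = send now).
function backoffDelayMs(status, headers, now = Date.now()) {
  const { limit, remaining, reset } = parseRateLimitHeaders(headers);
  if (status === 429) {
    const retryAfter = headers["retry-after"];
    if (retryAfter !== undefined) {
      // Retry-After is either delta-seconds or an HTTP-date
      const seconds = Number(retryAfter);
      if (Number.isFinite(seconds)) return Math.max(0, seconds) * 1000;
      const at = Date.parse(retryAfter);
      if (!Number.isNaN(at)) return Math.max(0, at - now);
    }
    // No Retry-After: fall back to the window reset, then to a fixed pause
    return Number.isFinite(reset) ? Math.max(1, reset) * 1000 : 1000;
  }
  if (![limit, remaining, reset].every(Number.isFinite)) return 0; // server publishes no policy
  if (remaining <= 0) return reset * 1000;            // budget gone: wait out the window
  if (remaining > limit * SAFETY_MARGIN) return 0;    // plenty left
  return Math.ceil((reset * 1000) / remaining);       // spread what is left over the window
}

// Constructed response sequence: comfortable, near the limit, exhausted, then blocked.
const SAMPLE_RESPONSES = [
  { status: 200, headers: { "ratelimit-limit": "100", "ratelimit-remaining": "60", "ratelimit-reset": "30" } },
  { status: 200, headers: { "ratelimit": "limit=100, remaining=5, reset=30" } },
  { status: 200, headers: { "ratelimit-limit": "100", "ratelimit-remaining": "0", "ratelimit-reset": "12" } },
  { status: 429, headers: { "retry-after": "12", "ratelimit-limit": "100", "ratelimit-remaining": "0", "ratelimit-reset": "12" } },
];

function demoDelays() {
  return SAMPLE_RESPONSES.map((r) => backoffDelayMs(r.status, r.headers)); // [0, 6000, 12000, 12000]
}
```

The near-limit branch is the one that keeps a well-behaved client from ever seeing a 429: with 5 requests left and 30 seconds to the reset it paces itself at one request per 6 seconds instead of spending the budget in the first second and then blocking.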

© 2026 NexWorldTech — Built for Global Dominance.