Express Production Setup - 2 | Rate Limiting | DDOS

-

 Simple Rate Limiter In Memory 


index.js

    const express = require("express")
    const initRateLimiter = require("./rate-limiter")
    const app = express()

    // add for all route
// app.use(initRateLimiter);
    app.get("/", (req, res) => {
        res.send("hello")
    })
// added only for rate route
    app.get("/rate", initRateLimiter, (req, res) => {
        res.send("ok")
    })


    app.listen(3000, () => console.log("app runnning on port 3000"))

rate-limiter.js

    const { RateLimiterMemory, RateLimiterRedis } = require('rate-limiter-flexible');

    // Configure the rate limiter
    const rateLimiter = new RateLimiterMemory({
        points: 10, // Number of requests
        duration: 10, // Per second
        blockDuration: 10,
    });


    const initRateLimiter = (req, res, next) => {
        rateLimiter.consume(req.ip)
            .then(() => {
                next();
            })
            .catch(() => {
                res.status(429).send('Too Many Requests'); // 429 to many request response code
            });
    }

    module.exports = initRateLimiter;

Using radis 

    const { RateLimiterRedis } = require('rate-limiter-flexible');
    const Redis = require('ioredis');

    // Create a Redis client
    const redisClient = new Redis({
        host: '127.0.0.1', // Redis server host
        port: 6379,        // Redis server port
        password: 'your-redis-password', // If you have a password set for Redis
    });

    // Configure the rate limiter with Redis
    const rateLimiter = new RateLimiterRedis({
        storeClient: redisClient,
        points: 10, // Number of requests
        duration: 10, // Per 10 seconds
        blockDuration: 10, // Block for 10 seconds if limit is exceeded
    });

    // Middleware to apply rate limiting
    const initRateLimiter = (req, res, next) => {
        rateLimiter.consume(req.ip)
            .then(() => {
                next(); // Proceed to the next middleware/route handler
            })
            .catch((rejRes) => {
                if (rejRes.remainingPoints === 0) {
                    // User is blocked, reset their points after blockDuration
                    rateLimiter.penalty(req.ip, 1) // Add a penalty point to block immediately
                        .then(() => {
                            setTimeout(() => {
                                rateLimiter.delete(req.ip); // Reset the rate limiter for this user
                            }, rejRes.msBeforeNext); // Wait for the blocking duration to end
                        });
                }
                res.status(429).send('Too Many Requests'); // 429 Too Many Requests response code
            });
    }

    module.exports = initRateLimiter;

you can add any database using this



Comments

Post a Comment

Popular posts from this blog

Ensuring File Creation in the Current Directory when Converting Python (.py) Script to Executable (.exe).

-
Image
Ensuring File Creation in the Current Directory when Converting Python (.py) Script to Executable (.exe). When you create a file in Python within the current directory, everything works seamlessly. However, if you decide to convert your Python script into a standalone executable (.exe) using tools like PyInstaller, you might encounter a situation where the file is created in a temporary folder, and upon code execution completion, it mysteriously disappears. To overcome this challenge and ensure that your file appears in the current directory, consider using the following code snippet: Explanation: In the above code, we use sys.frozen to check if the script is running in a frozen (compiled into an executable) environment. This is particularly relevant when the script is converted to a standalone executable using tools like PyInstaller. When the script is running as a .py file, myPath is set to the absolute path of the script using os.path.abspath(__file__). When the script is running as...
Read more

Express Production Setup - 4 | HELMET

-
 Helmet helps secure Express apps by setting HTTP response headers. it will remove all header from express app like X-Powered-By : express  we can remove using  express.remove("x-powered-by"); but it's make it easy * also help  XSS attacks index.js      import express from " express ";     import helmet from " helmet ";     const app = express ();     // Use Helmet!     app . use ( helmet ());     app . get (" / ", ( req , res ) => {     res . send (" Hello world! ");     });     app . listen ( 8000 );
Read more

Node Js Private Key And Public Key Encryption and Decryption

-
    const crypto = require (' crypto ');     // Generate RSA key pair for personal decryption     const MyKey = crypto . generateKeyPairSync (' rsa ', {         modulusLength: 2048 ,         publicKeyEncoding: {             type: ' spki ',             format: ' pem '         },         privateKeyEncoding: {             type: ' pkcs8 ',             format: ' pem '         }     });     // Function to encrypt a message using user's public key     function encryptMessage ( message , publicKey ) {         let encryptMsg ;         try {             encryptMsg = crypto . publicEncrypt ( publicKey , Buffer . from ( message )). toString...
Read more