Rate Limiting

Protect your application against brute-force and DDoS (Distributed Denial of Service) attacks by limiting the number of requests a single IP address can make within a specific time window. Per-IP limiting is effective against password guessing, credential stuffing and other application-layer abuse; it does not on its own absorb a volumetric DDoS, which needs network-level protection, and behind a reverse proxy or load balancer the client IP must be taken from a trusted forwarded header, otherwise every client is counted against the proxy's address.

Global Configuration

Enable rate limiting globally in your server options. This applies the limit to all routes by default.

typescript
import { createServer } from "xypriss";

const server = createServer({
    security: {
        rateLimit: {
            windowMs: 15 * 60 * 1000, // 15 minutes
            max: 100, // Limit each IP to 100 requests per windowMs
            message: "Too many requests from this IP",
            standardHeaders: true, // Return rate limit info in the `RateLimit-*` headers
            legacyHeaders: false, // Disable the `X-RateLimit-*` headers
        },
    },
});

Per-Route Rate Limiting

In XyPriss, per-route rate limiting is enforced natively within the routing definition for maximum efficiency. Please refer to the Advanced Routing Features documentation for the correct implementation details and examples.

Configuration Options

windowMs

The length of the window, in milliseconds, over which requests from one IP address are counted. When the window expires the counter for that address starts again from zero.

max

The maximum number of requests a single IP address may make during windowMs. Further requests in the same window are rejected with an HTTP 429 (Too Many Requests) response carrying the configured message.

Security Best Practices

  • Authentication Endpoints: Always apply stricter rate limits to authentication endpoints (login, password reset) to mitigate brute-force and credential-stuffing attacks. Attackers rotate source addresses, so consider limiting attempts per target account as well as per IP.
  • Standard Headers: Enable standardHeaders so clients can read their remaining quota and the window reset time from the RateLimit-* response headers, and prefer them over the non-standard legacy X-RateLimit-* headers.
  • Custom Messages: Use clear, descriptive error messages so users understand they have been rate limited and when they can retry, but keep them generic: a message on a login or password-reset route must not confirm whether a username or account exists.
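To make the semantics of windowMs and max concrete, and to show the stricter authentication tier recommended above, here is a minimal fixed-window, per-IP limiter that mirrors the option shape of the global configuration. It is an added example written for this page, not XyPriss's own implementation or its per-route API; the RateLimiter class, buildTiers, handle, the injectable clock and the documentation IP addresses are all assumptions of the example.

```typescript
// Added example: a fixed-window, per-IP rate limiter that mirrors the option
// shape used on this page. It is framework-agnostic illustration code, not
// XyPriss's own implementation. RateLimiter, buildTiers, handle and the
// injectable clock are assumptions made here.

export interface RateLimitOptions {
  windowMs: number;          // window length in milliseconds
  max: number;               // requests allowed per key per window
  message?: string;          // body sent with a 429
  standardHeaders?: boolean; // RateLimit-* headers (default on)
  legacyHeaders?: boolean;   // X-RateLimit-* headers (default off)
}

export interface RateLimitDecision {
  allowed: boolean;
  status: 200 | 429;
  headers: Record<string, string>;
  body?: string;
}

interface WindowState { count: number; resetAt: number }

export class RateLimiter {
  private readonly buckets = new Map<string, WindowState>();

  // `now` is injectable so the window expiry can be simulated deterministically.
  constructor(private readonly opts: RateLimitOptions,
              private readonly now: () => number = () => Date.now()) {}

  /** Count one request for `key` (normally the client IP) and decide whether to serve it. */
  check(key: string): RateLimitDecision {
    const t = this.now();
    let state = this.buckets.get(key);
    // Open a fresh window when none exists or the previous one has expired.
    if (!state || t >= state.resetAt) {
      state = { count: 0, resetAt: t + this.opts.windowMs };
      this.buckets.set(key, state);
    }
    state.count += 1;
    const allowed = state.count <= this.opts.max;
    const remaining = Math.max(0, this.opts.max - state.count);
    const resetSeconds = Math.ceil((state.resetAt - t) / 1000);

    const headers: Record<string, string> = {};
    if (this.opts.standardHeaders ?? true) {
      headers["RateLimit-Limit"] = String(this.opts.max);
      headers["RateLimit-Remaining"] = String(remaining);
      headers["RateLimit-Reset"] = String(resetSeconds); // seconds until the window resets
    }
    if (this.opts.legacyHeaders ?? false) {
      headers["X-RateLimit-Limit"] = String(this.opts.max);
      headers["X-RateLimit-Remaining"] = String(remaining);
      headers["X-RateLimit-Reset"] = String(Math.ceil(state.resetAt / 1000)); // epoch seconds
    }
    if (allowed) return { allowed, status: 200, headers };
    headers["Retry-After"] = String(resetSeconds);
    return { allowed, status: 429, headers, body: this.opts.message ?? "Too Many Requests" };
  }
}

// Two tiers: the global limit from the configuration above and a much stricter
// one for authentication routes, as recommended under Security Best Practices.
export function buildTiers(now: () => number = () => Date.now()) {
  const global = new RateLimiter({
    windowMs: 15 * 60 * 1000, max: 100,
    message: "Too many requests from this IP",
    standardHeaders: true, legacyHeaders: false,
  }, now);
  const auth = new RateLimiter({
    windowMs: 15 * 60 * 1000, max: 5,
    message: "Too many attempts, please try again later", // generic: reveals nothing about the account
    standardHeaders: true,
  }, now);
  return { global, auth };
}
export type Tiers = ReturnType<typeof buildTiers>;

/** Route a request through the global tier and, for auth paths, the stricter tier too. */
export function handle(tiers: Tiers, ip: string, path: string): RateLimitDecision {
  const isAuth = path === "/login" || path === "/password-reset";
  const g = tiers.global.check(ip);   // every request counts against the global window
  if (!isAuth) return g;
  const a = tiers.auth.check(ip);     // auth attempts also count against the strict window
  return g.allowed ? a : g;           // whichever limiter rejects first wins
}

/** Six login attempts from one constructed address (203.0.113.7): the sixth is rejected. */
export function demoLoginBurst(): number[] {
  const tiers = buildTiers();
  const statuses: number[] = [];
  for (let i = 0; i < 6; i++) statuses.push(handle(tiers, "203.0.113.7", "/login").status);
  return statuses;
}
```

The state lives in an in-process Map, so in a multi-instance deployment each instance keeps its own counters; a production limiter needs a shared store. Because the key is the client IP, the proxy caveat from the introduction applies here too, and for authentication routes a second limiter keyed on the target account closes the gap left by attackers who rotate addresses.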

Request Signatures

Verify the authenticity and integrity of incoming requests using cryptographic signatures.