Reputation: 135
I have a web application that runs Node.js/Express and I've done some searching and I've come up short.
Basically I have a web app where you can post the usual: comments, ratings, etc. This is all fine, but if somebody uses something like Postman (with their login credentials) they could fire 100s/1000s of comments by just clicking POST in Postman.
What's the best way to handle this? Should I just rate limit the user actions server side (comments/ratings after X amount & time) or is there a better way?
Ideally I'd like to remove the ability to use software like Postman to submit anything -- I want it all to go through the website, but I'm not sure if this is possible because it's a route?
Any advice is greatly appreciated!
Upvotes: 1
Views: 4911
Reputation: 5643
I use the hpp npm package (Express middleware to protect against HTTP Parameter Pollution attacks) to limit the call rate: https://www.npmjs.com/package/hpp
Upvotes: 0
Reputation: 2663
Unless this is actively a problem that you are encountering, I would, as general advice, suggest that your time is better spent elsewhere. YAGNI, as they say.
On your actual issue, there are lots of different measures for handling overload attacks. The easiest option would be if the API you are developing requires authentication - if so, you can apply a per-account rate limit. For instance, 100 requests per minute per user.
You can do that using something like express-rate-limit.
If you are worried about actual large scale denial of service attacks, mitigation these days needs to happen long before requests reach your application server tier.
Businesses like CloudFlare and Akamai provide this as a service, where you configure your domain to go to their DDoS-capable infrastructure, and they will then forward vetted traffic to your Express server.
Upvotes: 6
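To make the per-account limit from the answer above concrete, here is an added example (not the answerer's code and not the express-rate-limit package itself): a dependency-free Express-style middleware that keys the 100-requests-per-minute limit on the authenticated account rather than the client IP, so a user scripting the API from Postman is throttled the same as one using the site. It assumes an upstream authentication middleware sets `req.user.id`; express-rate-limit gives you the same shape via its `keyGenerator` option.

```javascript
// Added example: per-account fixed-window rate limiter as Express middleware.
// No dependencies, so it runs stand-alone; `req.user.id` is assumed to be
// populated by your own authentication middleware (hypothetical name below).

const WINDOW_MS = 60 * 1000;   // one minute
const MAX_PER_WINDOW = 100;    // 100 requests per minute per user

function createAccountRateLimiter({ windowMs = WINDOW_MS, max = MAX_PER_WINDOW, now = Date.now } = {}) {
  const buckets = new Map(); // userId -> { count, resetAt }

  return function accountRateLimit(req, res, next) {
    // Key on the account, not the IP: the same logged-in user is throttled
    // regardless of where the requests come from, and shared IPs (NAT, office
    // networks) are not punished for one user's behaviour.
    const userId = req.user && req.user.id;
    if (!userId) {
      return res.status(401).json({ error: 'authentication required' });
    }

    const t = now();
    let bucket = buckets.get(userId);
    if (!bucket || t >= bucket.resetAt) {
      // First request in a new window: start counting again.
      bucket = { count: 0, resetAt: t + windowMs };
      buckets.set(userId, bucket);
    }
    bucket.count += 1;

    res.setHeader('X-RateLimit-Limit', String(max));
    res.setHeader('X-RateLimit-Remaining', String(Math.max(0, max - bucket.count)));

    if (bucket.count > max) {
      // Tell well-behaved clients when to retry; reject everything else.
      res.setHeader('Retry-After', String(Math.ceil((bucket.resetAt - t) / 1000)));
      return res.status(429).json({ error: 'too many requests' });
    }
    return next();
  };
}

// Usage with Express (hypothetical `authenticate` and `postComment` handlers):
//   app.post('/comments', authenticate, createAccountRateLimiter(), postComment);
```

The in-memory `Map` is per process; behind multiple Node instances you would back the counters with a shared store such as Redis, which express-rate-limit supports through its store option.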