Reputation: 5150
I have CORS installed and only my website is whitelisted. How reliable is this? Can bad actors still call my API if they are not calling it from my website?
Next, I want to rate limit each user on my website (the users are not registered or signed in).
I want to restrict each user to making no more than 1 request per second.
How can each user be identified? And then how can each user be limited?
Upvotes: 1
Views: 338
Reputation: 707178
Too many separate questions packaged together here. I'll tackle the ones I can:
I have CORS installed and only my website is whitelisted. How reliable is this? Can bad actors still call my API if they are not calling it from my website?
CORS only works with cooperating clients. That means browsers. Your API can be used by anybody else with a scripting tool or any programming language or even a tool like curl. So, CORS does not prevent bad actors at all. The only thing it prevents is people embedding calls to your API in their own web page JavaScript. It doesn't prevent anyone from accessing your API programmatically from whatever tool they want. And, they could even use your API in their own website via a proxy. It's not much protection.
How can each user be identified? and then how can each user be limited?
Rate limiting works best when there's an authentication credential with each request because that allows you to uniquely identify each request and/or ban or delay credentials that misbehave. If there are no credentials, you can try to cookie them to track a given user, but cookies can be blocked or thrown away even in browsers to defeat that. So, without any sort of auth credential, you're stuck with just the requesting IP address. For some users (like home users), that's probably sufficient. But, for corporate users, many, many users may present as the same corporate IP address (due to how their NAT or proxy works), thus you can't tell one user at a major company from another purely by IP address. If you had a lot of users from one company simultaneously using the site, you could falsely trigger rate limiting.
Upvotes: 1
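A sketch of the rate limiting discussed in the answer above, added here as an example and not part of the original answer: a limit of 1 request per second keyed on a verified user when one exists and on the requesting IP otherwise. The `req.userId` field, the `RateLimiter` class and the function names are hypothetical; `req.userId` is assumed to be set by earlier middleware only after a credential has been validated.

```javascript
// Added example: per-client limiter, at most `limit` requests per `windowMs`.
class RateLimiter {
  constructor({ limit = 1, windowMs = 1000, now = Date.now } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;          // injectable clock so the behaviour can be tested
    this.hits = new Map();   // key -> timestamps of recently accepted requests
  }

  // Decide one request from `key`; rejected requests are not recorded.
  check(key) {
    const t = this.now();
    const recent = (this.hits.get(key) || []).filter(ts => t - ts < this.windowMs);
    this.hits.set(key, recent);
    if (recent.length >= this.limit) {
      return { allowed: false, retryAfterMs: this.windowMs - (t - recent[0]) };
    }
    recent.push(t);
    return { allowed: true, retryAfterMs: 0 };
  }

  // Drop idle keys so the map cannot grow without bound; call periodically.
  sweep() {
    const t = this.now();
    for (const [key, stamps] of this.hits) {
      if (stamps.every(ts => t - ts >= this.windowMs)) this.hits.delete(key);
    }
  }
}

// Prefer a validated identity (hypothetical req.userId); otherwise fall back to
// the socket address. X-Forwarded-For is ignored because the client controls it
// unless your own reverse proxy sets it. Everyone behind one NAT shares a key.
function clientKey(req) {
  if (req.userId) return "user:" + req.userId;
  return "ip:" + req.socket.remoteAddress;
}

// Express-style middleware signature: (req, res, next).
function rateLimit(limiter) {
  return (req, res, next) => {
    const { allowed, retryAfterMs } = limiter.check(clientKey(req));
    if (allowed) return next();
    res.statusCode = 429;
    res.setHeader("Retry-After", String(Math.ceil(retryAfterMs / 1000)));
    res.end("Too Many Requests");
  };
}
```

Two anonymous users behind the same corporate NAT resolve to the same `ip:` key, so the second one receives a 429 even though each sent only one request.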