{"id":18329,"library":"express-brute","title":"express-brute","description":"A brute-force protection middleware for Express.js that rate-limits incoming requests using a Fibonacci sequence for increasing delays. Current stable version is 1.0.1. It provides flexible options like freeRetries, minWait, maxWait, lifetime, and custom failure callbacks. The package supports various persistent stores (e.g., Memcached, Redis) via community modules, and includes built-in MemoryStore for development. It is released under the MIT license.","status":"active","version":"1.0.1","language":"javascript","source_language":"en","source_url":"ssh://git@github.com/AdamPflug/express-brute","tags":["javascript","brute","force","bruteforce","attack","fibonacci","rate","limit","security"],"install":[{"cmd":"npm install express-brute","lang":"bash","label":"npm"},{"cmd":"yarn add express-brute","lang":"bash","label":"yarn"},{"cmd":"pnpm add express-brute","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Peer dependency: Express 4.x is required to use the middleware.","package":"express","optional":false}],"imports":[{"note":"express-brute is a CommonJS package; it does not provide ESM exports. Use require() in Node.js.","wrong":"import ExpressBrute from 'express-brute';","symbol":"ExpressBrute","correct":"const ExpressBrute = require('express-brute');"},{"note":"MemoryStore is a property of the ExpressBrute constructor, not a named export.","wrong":"import { MemoryStore } from 'express-brute';","symbol":"ExpressBrute.MemoryStore","correct":"const store = new ExpressBrute.MemoryStore();"},{"note":"FailTooManyRequests is a built-in callback function, not a string. 
It returns HTTP 429 status.","wrong":"const bruteforce = new ExpressBrute(store, { failCallback: 'FailTooManyRequests' });","symbol":"ExpressBrute.FailTooManyRequests","correct":"const bruteforce = new ExpressBrute(store, { failCallback: ExpressBrute.FailTooManyRequests });"}],"quickstart":{"code":"const express = require('express');\nconst ExpressBrute = require('express-brute');\n\nconst app = express();\nconst store = new ExpressBrute.MemoryStore(); // only for development, use persistent store in production\nconst bruteforce = new ExpressBrute(store, {\n  freeRetries: 2,\n  minWait: 500, // milliseconds\n  maxWait: 15 * 60 * 1000, // 15 minutes\n  failCallback: ExpressBrute.FailTooManyRequests\n});\n\napp.post('/auth',\n  bruteforce.prevent,\n  (req, res) => {\n    res.send('Success!');\n  }\n);\n\napp.listen(3000);","lang":"javascript","description":"Sets up a basic Express server with express-brute to rate-limit the /auth route, using MemoryStore and a Fibonacci backoff."},"warnings":[{"fix":"Remove the proxyDepth option from the ExpressBrute constructor and set trust proxy via app.set('trust proxy', <value>). Match the value to the proxies actually in front of the app: express-brute keys its counters on req.ip, so an unset value behind a proxy makes every client share the proxy's address, and an overly permissive one lets clients choose their own address through X-Forwarded-For.","message":"proxyDepth option removed in v1.0.0; use app.set('trust proxy', x) instead.","severity":"breaking","affected_versions":">=1.0.0"},{"fix":"Replace any calls to instance.getIPFromRequest(req) with req.ip.","message":"getIPFromRequest method removed in v1.0.0; use req.ip instead.","severity":"breaking","affected_versions":">=1.0.0"},{"fix":"Upgrade your project to use Express 4.x.","message":"Express 3.x support dropped; peer dependency is express 4.x.","severity":"deprecated","affected_versions":">=1.0.0"},{"fix":"Use a persistent store like express-brute-memcached, express-brute-redis, or express-brute-mongoose.","message":"MemoryStore should not be used in production; it does not persist across server restarts, and because it lives in a single process's memory, counts are not shared between workers or instances.","severity":"gotcha","affected_versions":"all"},{"fix":"Ensure any code relying on synchronous callback execution is updated to handle async 
behavior.","message":"Since v0.6.0, .reset callbacks are always called asynchronously, even with MemoryStore.","severity":"breaking","affected_versions":">=0.6.0"},{"fix":"Explicitly set failCallback: ExpressBrute.FailTooManyRequests in options for proper rate-limit status code.","message":"Default failCallback is ExpressBrute.FailForbidden which returns 403; consider using FailTooManyRequests for 429.","severity":"gotcha","affected_versions":"all"}],"env_vars":null,"last_verified":"2026-04-25T00:00:00.000Z","next_check":"2026-07-24T00:00:00.000Z","problems":[{"fix":"Run 'npm install express-brute' in your project directory.","cause":"Package not installed or not in node_modules.","error":"Error: Cannot find module 'express-brute'"},{"fix":"Use 'const ExpressBrute = require('express-brute');' then 'new ExpressBrute.MemoryStore();'.","cause":"Importing incorrectly with ES module syntax or destructuring.","error":"TypeError: ExpressBrute.MemoryStore is not a constructor"},{"fix":"Install a persistent store module (e.g., 'npm install express-brute-memcached') and use its store constructor.","cause":"Using MemoryStore in production or missing peer dependencies for your chosen store.","error":"Error: Most persistent stores cannot find the session store."}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}