{"id":17619,"library":"express-limiter","title":"Express Limiter","description":"Express Limiter is a middleware for Express applications designed to enforce rate limiting on incoming HTTP requests, built specifically on Redis. It allows developers to configure limits based on various request properties like IP address, user ID, or custom functions. The package provides granular control over rate limiting rules, including total requests, expiration times, whitelisting, and custom handling for rate-limited requests. This package is currently at version 1.6.1, with its last update on npm in September 2017. Due to its age and lack of recent updates, it is largely considered unmaintained, with more modern and actively developed alternatives like `express-rate-limit` being preferred for new projects. It differentiates itself by being tightly coupled with Redis for distributed rate limiting.","status":"abandoned","version":"1.6.1","language":"javascript","source_language":"en","source_url":"git://github.com/ded/express-limiter","tags":["javascript"],"install":[{"cmd":"npm install express-limiter","lang":"bash","label":"npm"},{"cmd":"yarn add express-limiter","lang":"bash","label":"yarn"},{"cmd":"pnpm add express-limiter","lang":"bash","label":"pnpm"}],"dependencies":[{"reason":"Required for storing rate limit counts and expiration data.","package":"redis","optional":false},{"reason":"Middleware designed for Express applications. Functions as a peer dependency.","package":"express","optional":false}],"imports":[{"note":"This package is CommonJS-only and exports a factory function, not a direct middleware.","wrong":"import limiterFactory from 'express-limiter';","symbol":"limiterFactory","correct":"const limiterFactory = require('express-limiter');"},{"note":"The primary export is a factory function that takes an Express app/router and a Redis client to create the actual middleware.","symbol":"limiter","correct":"const limiter = require('express-limiter')(app, client);"},{"note":"The `limiter` function returns middleware that must be called with options. It's not a standalone middleware function directly from the `require` call.","wrong":"app.use(limiter);","symbol":"limiterMiddleware","correct":"app.get('/api/action', limiter({ lookup: 'connection.remoteAddress' }), function (req, res) { /* ... */ });"}],"quickstart":{"code":"const express = require('express');\nconst app = express();\nconst client = require('redis').createClient();\n\n// Basic error logging for redis client\nclient.on('error', (err) => console.error('Redis Client Error', err));\n\nconst limiter = require('express-limiter')(app, client);\n\nlimiter({\n  path: '/api/action',\n  method: 'get',\n  lookup: ['connection.remoteAddress'],\n  total: 150,\n  expire: 1000 * 60 * 60 // 150 requests per hour\n});\n\napp.get('/api/action', function (req, res) {\n  res.status(200).send('ok');\n});\n\n// Start the Express server\nconst PORT = process.env.PORT || 3000;\napp.listen(PORT, () => {\n  console.log(`Express server running on port ${PORT}`);\n});","lang":"javascript","description":"Demonstrates initializing `express-limiter` with an Express app and Redis client, then applying a basic rate limit to a specific route."},"warnings":[{"fix":"Migrate to `express-rate-limit` (npmjs.com/package/express-rate-limit) for active maintenance, security updates, and ESM support.","message":"The `express-limiter` package is considered abandoned, with no significant updates since September 2017. For new projects or actively maintained applications, it is strongly recommended to use modern and actively maintained alternatives like `express-rate-limit`.","severity":"breaking","affected_versions":">=1.6.1"},{"fix":"Ensure a Redis server is running and accessible. Configure the `redis` client correctly before passing it to `express-limiter`. Implement error handling for the Redis client connection.","message":"This library critically depends on a running Redis instance. Failure to connect to Redis will result in `express-limiter` middleware potentially failing or behaving unexpectedly if `ignoreErrors` is not configured.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Configure the `lookup` option to use `headers.x-forwarded-for` (or similar proxy-specific header) and ensure your Express app's `trust proxy` setting is correctly configured (`app.set('trust proxy', true)` or a specific IP/subnet).","message":"When running behind a proxy (e.g., Nginx, cloud load balancers), `connection.remoteAddress` will likely reflect the proxy's IP, not the actual client's. This can lead to global rate limiting for all users through that proxy.","severity":"gotcha","affected_versions":">=1.0.0"},{"fix":"Set `ignoreErrors: true` if you want requests to proceed on Redis errors (e.g., for graceful degradation). Use the `onRateLimited` option to provide custom error responses (e.g., JSON error objects with status 429) instead of the default behavior.","message":"By default, if `ignoreErrors` is `false`, any errors from Redis will prevent the middleware from calling `next()`, potentially stalling requests. The default behavior also sends generic 'Rate limit exceeded' messages.","severity":"gotcha","affected_versions":">=1.0.0"}],"env_vars":null,"last_verified":"2026-04-23T00:00:00.000Z","next_check":"2026-07-22T00:00:00.000Z","problems":[{"fix":"Start your Redis server (e.g., `redis-server`) and verify its configuration. Ensure your application's Redis client is configured with the correct host and port.","cause":"The Redis server is not running or is not accessible at the configured host and port.","error":"Redis connection error: Error: connect ECONNREFUSED 127.0.0.1:6379"},{"fix":"Call the `require('express-limiter')` result with your Express app/router and a Redis client: `const limiter = require('express-limiter')(app, client);`","cause":"Attempting to use `require('express-limiter')` directly as middleware, instead of first calling it with `app` and `client`.","error":"TypeError: require(...) is not a function"},{"fix":"Set `app.set('trust proxy', true)` in your Express application and configure `lookup: 'headers.x-forwarded-for'` in your `limiter` options. Adjust `trust proxy` to a specific IP or subnet if known for better security.","cause":"Incorrect `lookup` configuration when behind a reverse proxy, causing the limiter to use the proxy's IP for all requests.","error":"All requests are being rate-limited globally, not per-user."}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}