{"id":17633,"library":"express-rate-limiter","title":"Express.js Rate Limiter","description":"express-rate-limiter is a middleware for Express.js applications designed to control and limit incoming requests based on user IP addresses. It implements a dual-tier rate limiting strategy: an 'inner limit' to prevent rapid-fire requests (hammering) and an 'outer limit' to guard against general overuse. The current stable version is 1.3.1. While the package previously removed external dependencies for its storage mechanism, it now primarily utilizes an in-memory store, with a roadmap item to support pluggable database solutions like Redis. Key differentiators include its configurable dual-limit approach and automatic inclusion of standard X-RateLimit and Retry-After HTTP headers in responses when limits are exceeded. Releases appear somewhat irregular but indicate active maintenance through minor versions.","status":"active","version":"1.3.1","language":"javascript","source_language":"en","source_url":"git://github.com/StevenThuriot/express-rate-limiter","tags":["javascript"],"install":[{"cmd":"npm install express-rate-limiter","lang":"bash","label":"npm"},{"cmd":"yarn add express-rate-limiter","lang":"bash","label":"yarn"},{"cmd":"pnpm add express-rate-limiter","lang":"bash","label":"pnpm"}],"dependencies":[],"imports":[{"note":"The primary `Limiter` class is likely a default export in ESM contexts, but is imported via `require` in CommonJS. 
The documentation predominantly uses CommonJS syntax.","wrong":"import { Limiter } from 'express-rate-limiter';","symbol":"Limiter","correct":"import Limiter from 'express-rate-limiter';\n// OR (for CommonJS in Node.js)\nconst Limiter = require('express-rate-limiter');"},{"note":"The `MemoryStore` is an internal component provided by the library and is imported from a specific path within the package, not directly from the main entry point.","wrong":"import { MemoryStore } from 'express-rate-limiter';","symbol":"MemoryStore","correct":"import MemoryStore from 'express-rate-limiter/lib/memoryStore';\n// OR (for CommonJS in Node.js)\nconst MemoryStore = require('express-rate-limiter/lib/memoryStore');"},{"note":"The `middleware` method returns the actual Express middleware function. It must be called, even if without arguments, to get the correct function to pass to Express route handlers.","wrong":"app.post('/', limiter(), function(req, res) { ... });","symbol":"limiter.middleware","correct":"app.post('/', limiter.middleware(), function(req, res) { ... 
});"}],"quickstart":{"code":"import Limiter from 'express-rate-limiter';\nimport MemoryStore from 'express-rate-limiter/lib/memoryStore';\nimport express from 'express';\n\nconst app = express();\n\n// Create a new Limiter instance, specifying the database store\nconst limiter = new Limiter({\n  db: new MemoryStore(),\n  innerLimit: 5,         // Allow 5 calls per 1.5 seconds (default)\n  outerLimit: 100,       // Allow 100 calls per 2 minutes (default)\n  innerTimeLimit: 1500,  // 1.5 seconds\n  outerTimeLimit: 120000 // 2 minutes\n});\n\n// Apply the rate limiter middleware to a specific route, overriding innerLimit for it\napp.post('/api/data', limiter.middleware({ innerLimit: 10, headers: true }), (req, res) => {\n  res.status(200).send('Data successfully processed.');\n});\n\n// Apply the rate limiter to a second route using the instance-level settings\napp.get('/public', limiter.middleware(), (req, res) => {\n  res.status(200).send('Public data accessible.');\n});\n\n// Start the server\nconst PORT = process.env.PORT ?? 3000;\napp.listen(PORT, () => {\n  console.log(`Server running on http://localhost:${PORT}`);\n});","lang":"typescript","description":"This quickstart demonstrates how to set up `express-rate-limiter` with its bundled `MemoryStore`, applying rate limiting to two routes in an Express application: one with custom settings per middleware and one with the instance-level settings."},"warnings":[{"fix":"Review the `lib/store.js` interface and adapt any custom database implementations. Ensure `new Limiter({ db: new MemoryStore() })` or a custom store adhering to the new interface is passed during initialization.","message":"Version 1.0.0 and 0.8.0 introduced significant refactoring to a plugin-based system for storage and removed `Memory-Cache` as a dependency. 
Users upgrading from pre-0.8.0 versions relying on the old caching mechanism or custom store implementations will need to update their code to conform to the new `store.js` interface.","severity":"breaking","affected_versions":">=0.8.0"},{"fix":"Always initialize `Limiter` with a database store, for example: `new Limiter({ db : new MemoryStore() })`.","message":"The `Limiter` constructor requires a `db` option to be explicitly provided; it does not have a default value. Failing to provide a database store (e.g., `new MemoryStore()`) will result in runtime errors.","severity":"gotcha","affected_versions":">=0.8.0"},{"fix":"Clients should re-validate their handling of the `Retry-After` header to ensure it correctly interprets the HTTP-compliant value.","message":"In version 0.6.0, the `Retry-After` header's value was fixed to comply with HTTP guidelines. If previous client-side logic relied on the non-compliant value, it might behave differently after upgrading.","severity":"breaking","affected_versions":">=0.6.0"},{"fix":"If `pathLimiter: true`, ensure a consistent `path` is provided either globally or per middleware, or understand that limits will be distinct for each unique request path segment.","message":"The `pathLimiter` option, when enabled, prefixes the IP with a path for rate limiting, but if the `path` option is not explicitly set, the path will be read dynamically from the request. 
This can lead to unexpected rate limiting behavior if `path` is not consistently defined or if path segments vary.","severity":"gotcha","affected_versions":">=0.7.2"}],"env_vars":null,"last_verified":"2026-04-23T00:00:00.000Z","next_check":"2026-07-22T00:00:00.000Z","problems":[{"fix":"Ensure `var limiter = new Limiter({ db : new MemoryStore() });` is executed before `app.use(limiter.middleware());` or similar calls.","cause":"The `limiter` instance was not properly initialized or is `undefined` when `limiter.middleware()` is called.","error":"TypeError: Cannot read properties of undefined (reading 'middleware')"},{"fix":"Initialize the limiter with a database store, typically `new Limiter({ db: new MemoryStore() });` or your custom store implementation.","cause":"The `Limiter` constructor was called without providing a `db` option.","error":"Error: Missing db store in Limiter options."},{"fix":"For ESM, use `import Limiter from 'express-rate-limiter';`. For CommonJS in Node.js, use `const Limiter = require('express-rate-limiter');`.","cause":"Incorrect import statement for `Limiter` in an ESM context, trying to use named import for a default export, or a CommonJS `require` is used in an ESM-only file.","error":"TypeError: Limiter is not a constructor"}],"ecosystem":"npm","meta_description":null,"install_score":null,"install_tag":null,"quickstart_score":null,"quickstart_tag":null}