Express Limiter

Version 1.6.1, verified Thu Apr 23. auth: no. Language: javascript. Status: abandoned.

Express Limiter is a middleware for Express applications designed to enforce rate limiting on incoming HTTP requests, built specifically on Redis. It allows developers to configure limits based on various request properties like IP address, user ID, or custom functions. The package provides granular control over rate limiting rules, including total requests, expiration times, whitelisting, and custom handling for rate-limited requests. This package is currently at version 1.6.1, with its last update on npm in September 2017. Due to its age and lack of recent updates, it is largely considered unmaintained, with more modern and actively developed alternatives like `express-rate-limit` being preferred for new projects. It differentiates itself by being tightly coupled with Redis for distributed rate limiting.

error: Redis connection error: Error: connect ECONNREFUSED 127.0.0.1:6379
cause: The Redis server is not running or is not accessible at the configured host and port.
fix: Start your Redis server (e.g., redis-server) and verify its configuration. Ensure your application's Redis client is configured with the correct host and port.

error: TypeError: require(...) is not a function
cause: Attempting to use `require('express-limiter')` directly as middleware instead of first calling the exported factory with `app` and `client`.
fix: Call the result of require('express-limiter') with your Express app/router and a Redis client: const limiter = require('express-limiter')(app, client);

error: All requests are being rate-limited globally, not per-user.
cause: Incorrect `lookup` configuration when running behind a reverse proxy, so the limiter keys every request on the proxy's IP address.
fix: Set app.set('trust proxy', true) in your Express application and configure lookup: 'headers.x-forwarded-for' in your limiter options. Narrow trust proxy to a specific IP or subnet where known, for better security.
breaking: The `express-limiter` package is considered abandoned, with no significant updates since September 2017. For new projects or actively maintained applications, it is strongly recommended to use modern and actively maintained alternatives like `express-rate-limit`.
fix: Migrate to `express-rate-limit` (npmjs.com/package/express-rate-limit) for active maintenance, security updates, and ESM support.

gotcha: This library critically depends on a running Redis instance. If the Redis connection fails and `ignoreErrors` is not configured, the `express-limiter` middleware may fail or behave unexpectedly.
fix: Ensure a Redis server is running and accessible. Configure the `redis` client correctly before passing it to `express-limiter`. Implement error handling for the Redis client connection.

gotcha: When running behind a proxy (e.g., Nginx, cloud load balancers), `connection.remoteAddress` will likely reflect the proxy's IP, not the actual client's. This can lead to global rate limiting for all users behind that proxy.
fix: Configure the `lookup` option to use `headers.x-forwarded-for` (or a similar proxy-specific header) and ensure your Express app's `trust proxy` setting is correctly configured (`app.set('trust proxy', true)` or a specific IP/subnet).

gotcha: By default, if `ignoreErrors` is `false`, any error from Redis prevents the middleware from calling `next()`, potentially stalling requests. The default behavior also sends a generic 'Rate limit exceeded' message.
fix: Set `ignoreErrors: true` if you want requests to proceed on Redis errors (e.g., for graceful degradation). Use the `onRateLimited` option to provide custom error responses (e.g., JSON error objects with status 429) instead of the default behavior.
npm install express-limiter
yarn add express-limiter
pnpm add express-limiter

Demonstrates initializing `express-limiter` with an Express app and Redis client, then applying a basic rate limit to a specific route.

const express = require('express');
const app = express();
// Assumes a callback-style redis client (redis@3); redis@4+ needs
// createClient({ legacyMode: true }) plus an explicit client.connect().
const client = require('redis').createClient();

// Basic error logging for the redis client
client.on('error', (err) => console.error('Redis Client Error', err));

// The module exports a factory: call it with the app (or router) and the Redis client
const limiter = require('express-limiter')(app, client);

limiter({
  path: '/api/action',
  method: 'get',
  // Keys the limit on the socket peer address; behind a proxy this is the
  // proxy's IP for every client (see the lookup / trust proxy gotcha above)
  lookup: ['connection.remoteAddress'],
  total: 150,
  expire: 1000 * 60 * 60 // 150 requests per hour
});

app.get('/api/action', function (req, res) {
  res.status(200).send('ok');
});

// Start the Express server
const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
  console.log(`Express server running on port ${PORT}`);
});
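Extending the basic setup above to address the proxy and Redis-error gotchas, as an added example that is not part of this page or of the library: it assumes `lookup` paths are resolved as dot-separated properties of `req` (as the page's own `connection.remoteAddress` and `headers.x-forwarded-for` values suggest), so `'ip'` reaches `req.ip`; the `resolveLookup`/`clientKey` helpers, the `10.0.0.5` whitelist address and the sample requests are constructed.

```javascript
// Added example (not express-limiter's own code). The lookup resolver below is an
// assumption about how the library turns a lookup path into a key, kept here only
// so the proxy pitfall can be reproduced offline without Redis or Express.

// Resolve a single lookup path such as 'connection.remoteAddress' or 'ip' on req.
function resolveLookup(req, path) {
  return path.split('.').reduce((obj, key) => (obj == null ? undefined : obj[key]), req);
}

// Build the per-client part of the rate-limit key for a list of lookup paths.
function clientKey(req, lookup) {
  return lookup.map((p) => `${p}:${resolveLookup(req, p)}`).join(':');
}

// Hardened options. 'ip' resolves to req.ip, which Express derives from
// X-Forwarded-For only when `trust proxy` is set, so a client cannot simply
// forge the raw header to choose its own bucket.
function hardenedOptions() {
  return {
    path: '/api/action',
    method: 'get',
    lookup: ['ip'],
    total: 150,
    expire: 60 * 60 * 1000,
    ignoreErrors: true, // let requests through on Redis errors instead of stalling them
    whitelist: (req) => req.ip === '10.0.0.5', // constructed: an internal monitor, never limited
    onRateLimited: (req, res, next) => res.status(429).json({ error: 'rate_limited' }),
  };
}

// Constructed sample requests: two different clients routed through one proxy
// (10.0.0.1). `ip` is what req.ip would be with app.set('trust proxy', true).
const behindProxy = [
  { ip: '203.0.113.10', connection: { remoteAddress: '10.0.0.1' }, headers: { 'x-forwarded-for': '203.0.113.10' } },
  { ip: '203.0.113.11', connection: { remoteAddress: '10.0.0.1' }, headers: { 'x-forwarded-for': '203.0.113.11' } },
];

// True when every sample request lands in the same bucket, i.e. the limit is
// effectively global for everyone behind the proxy.
function collapsesToOneBucket(lookup) {
  return new Set(behindProxy.map((r) => clientKey(r, lookup))).size === 1;
}

// Drive the custom handler with a minimal fake res; returns [status, body, ...].
function simulateRateLimited(opts) {
  const out = [];
  const res = { status(c) { out.push(c); return this; }, json(b) { out.push(b); return this; } };
  opts.onRateLimited({ ip: '203.0.113.10' }, res, () => out.push('next'));
  return out;
}
```

`headers.x-forwarded-for` is the raw request header, whereas `req.ip` is the address Express has already derived by walking the forwarded chain past the hops that `trust proxy` marks as trusted, which is why the hardened options key on `ip`.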