GuardAPI

Fix API Rate Limit Exhaustion in Fastify

Missing rate limiting is a common, high-impact weakness: it lets an attacker drive an API into resource exhaustion (a Denial of Service) or brute-force sensitive endpoints such as login, password reset, or OTP verification without any throttling. Fastify, like Node.js in general, accepts and processes every incoming request as fast as the event loop allows. Without a throttling layer in front of the handler, every request reaches your application logic and database, so an attacker with a modest script can saturate CPU, memory, or the database connection pool.

The Vulnerable Pattern

const fastify = require('fastify')({ logger: true });

// Stand-in for the expensive query referred to below; in a real app this would
// hit the database and hold a pooled connection for the duration of the call.
async function someExpensiveDatabaseQuery() {
  return { rows: [] };
}

// VULNERABLE: No rate limiting implemented.
// An attacker can flood this endpoint to exhaust CPU/memory or DB connections.
fastify.get('/api/resource', async (request, reply) => {
  const data = await someExpensiveDatabaseQuery();
  return { data };
});

fastify.listen({ port: 3000 });

The Secure Implementation

The secure implementation registers the '@fastify/rate-limit' plugin, which runs as a hook before the route handler. By default it keys the counter on the client IP address (request.ip) and counts requests per key within the configured 'timeWindow'; in the bundled in-memory store this is a fixed window that resets when the window expires, not a sliding one. Once a key reaches 'max', the plugin answers with 429 Too Many Requests plus 'retry-after' and 'x-ratelimit-*' headers, so the expensive handler never runs. Two deployment caveats matter. First, behind a load balancer or reverse proxy every client appears to come from the proxy's address unless the Fastify instance is created with 'trustProxy' set appropriately, so all users would otherwise share one counter; conversely, honouring X-Forwarded-For from an untrusted network lets an attacker choose an arbitrary key, and for authenticated routes keying on the user or API key via 'keyGenerator' is more robust than IP alone. Second, the in-memory store is per process, so with several instances an attacker gets 'max' requests against each of them; in production pass a connected Redis client in the 'redis' option so the counters are shared across instances. A rate limit protects the application tier only; volumetric network floods still need upstream mitigation.

const fastify = require('fastify')({ logger: true });

// SECURE: Implement @fastify/rate-limit
fastify.register(require('@fastify/rate-limit'), {
  max: 100, // Limit each IP to 100 requests per timeWindow
  timeWindow: '1 minute',
  cache: 5000, // Keep at most 5000 distinct IPs in the in-memory LRU store
  errorResponseBuilder: (request, context) => ({
    statusCode: 429,
    error: 'Too Many Requests',
    message: `Rate limit exceeded. Try again in ${context.after}.`
  })
});

fastify.get('/api/resource', async (request, reply) => {
  return { data: 'protected' };
});

fastify.listen({ port: 3000 });
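To make the mechanics described above concrete, here is an added example that is not code from the original page or from the @fastify/rate-limit plugin. It implements a fixed-window counter with a bounded key store, the same model the plugin's default in-memory store follows, and the key-selection rule that decides whether the counter is keyed on an API key, a proxy-forwarded address, or the socket address. The names FixedWindowLimiter, clientKey, buildRejection, demo and evictionDemo are hypothetical, the clock is injectable so the scenario is deterministic, and all request data is constructed inline.

```javascript
// Added example, not code from the original page or from @fastify/rate-limit:
// a fixed-window counter like the plugin's default in-memory store, plus the
// key-selection logic that decides what the counter is keyed on.
// FixedWindowLimiter, clientKey, buildRejection, demo, evictionDemo are hypothetical names.

class FixedWindowLimiter {
  constructor({ max, timeWindowMs, maxKeys = 5000, now = () => Date.now() }) {
    this.max = max;                 // requests allowed per key per window
    this.timeWindowMs = timeWindowMs;
    this.maxKeys = maxKeys;         // bound on distinct keys held (role of the plugin's cache option)
    this.now = now;                 // injectable clock so runs are deterministic
    this.counters = new Map();      // key -> { count, resetAt }; Map order doubles as LRU order
  }

  // Record one request for key and decide whether it is within the limit.
  hit(key) {
    const t = this.now();
    const existing = this.counters.get(key);
    let entry;
    if (existing && existing.resetAt > t) {
      entry = existing;
      this.counters.delete(key); // re-inserted below so the key becomes most recently used
    } else {
      // First request for this key, or the previous fixed window has expired.
      entry = { count: 0, resetAt: t + this.timeWindowMs };
      if (existing) {
        this.counters.delete(key);
      } else if (this.counters.size >= this.maxKeys) {
        // Evict the least recently used key. Trade-off: a flood of new keys can
        // push out a legitimate client's counter and silently reset its count.
        this.counters.delete(this.counters.keys().next().value);
      }
    }
    entry.count += 1;
    this.counters.set(key, entry);
    return {
      allowed: entry.count <= this.max,
      remaining: Math.max(0, this.max - entry.count),
      retryAfterSec: Math.ceil((entry.resetAt - t) / 1000),
    };
  }
}

// Choose the counter key. An API key is preferred so many tenants behind one
// proxy IP are not pooled; X-Forwarded-For is honoured only when the deployment
// trusts its proxy (the role Fastify's trustProxy option plays), because an
// untrusted client can set that header to anything and pick its own bucket.
function clientKey(headers, socketIp, { trustProxy = false } = {}) {
  if (headers['x-api-key']) return `key:${headers['x-api-key']}`;
  if (trustProxy && headers['x-forwarded-for']) {
    return `ip:${headers['x-forwarded-for'].split(',')[0].trim()}`;
  }
  return `ip:${socketIp}`;
}

// Shape of a 429 rejection: status, Retry-After header, and a JSON body in the
// same form as the errorResponseBuilder shown on this page.
function buildRejection(decision) {
  return {
    statusCode: 429,
    headers: { 'retry-after': String(decision.retryAfterSec) },
    body: {
      statusCode: 429,
      error: 'Too Many Requests',
      message: `Rate limit exceeded. Try again in ${decision.retryAfterSec} seconds.`,
    },
  };
}

// Constructed scenario with a fake clock: 3 requests per minute, one client.
function demo() {
  let clock = 1700000000000;
  const limiter = new FixedWindowLimiter({ max: 3, timeWindowMs: 60000, now: () => clock });
  const spoofed = { 'x-forwarded-for': '203.0.113.9' }; // header chosen by the client
  const untrusted = clientKey(spoofed, '10.0.0.2');                     // ip:10.0.0.2
  const trusted = clientKey(spoofed, '10.0.0.2', { trustProxy: true });  // ip:203.0.113.9

  const allowed = [];
  for (let i = 0; i < 4; i++) allowed.push(limiter.hit(trusted).allowed); // 4th is rejected
  const rejection = buildRejection(limiter.hit(trusted));
  clock += 60000;                                    // the fixed window expires
  const afterReset = limiter.hit(trusted).allowed;   // counter starts over
  return { untrusted, trusted, allowed, rejection, afterReset };
}

// Constructed scenario for the store bound: with room for 2 keys, a third new
// key evicts the least recently used one, whose next request starts a fresh count.
function evictionDemo() {
  const limiter = new FixedWindowLimiter({ max: 1, timeWindowMs: 60000, maxKeys: 2 });
  limiter.hit('ip:a'); limiter.hit('ip:b'); limiter.hit('ip:c'); // ip:a evicted
  return limiter.hit('ip:a').allowed; // true, although ip:a already spent its 1 request
}

console.log(JSON.stringify(demo()), evictionDemo());
```

Two points the run makes visible: the same spoofed X-Forwarded-For header yields a different bucket depending on whether the proxy is trusted, which is why 'trustProxy' must match the real topology; and a bounded store can be exhausted by rotating keys, so 'cache' (and any Redis key TTLs) should be sized against the number of distinct clients you actually expect.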


Verified by Ghost Labs Security Team
