Fix API Rate Limit Exhaustion in Qwik
API Rate Limit Exhaustion in Qwik occurs when server-side entry points, specifically routeActions and routeLoaders, lack request throttling. In Qwik's execution model, these functions run on the server/edge, making them primary targets for automated abuse. Attackers can flood these endpoints to deplete upstream API quotas, inflate cloud costs, or trigger a Denial of Service (DoS) by saturating server resources.
The Vulnerable Pattern
import { routeAction$ } from '@builder.io/qwik-city';
// VULNERABLE: This action can be invoked repeatedly without restriction. export const useSubmitFeedback = routeAction$(async (data) => { const response = await fetch(‘https://expensive-internal-api.com/v1/feedback’, { method: ‘POST’, headers: { ‘Authorization’:Bearer ${process.env.API_KEY}}, body: JSON.stringify(data), }); return response.json(); });
The Secure Implementation
The secure implementation integrates a sliding window rate-limiting strategy using an atomic data store (Redis). Before executing the expensive fetch operation, the code identifies the client via their IP address and checks the current request count. If the threshold (5 requests per 60 seconds) is exceeded, the action immediately terminates and returns a 429 'Too Many Requests' status using Qwik's 'fail' utility. This prevents the backend from processing unauthorized load and protects upstream API keys from being exhausted by malicious actors.
import { routeAction$, fail } from '@builder.io/qwik-city'; import { Ratelimit } from '@upstash/ratelimit'; import { Redis } from '@upstash/redis';// Initialize rate limiter (Redis-backed for edge compatibility) const ratelimit = new Ratelimit({ redis: Redis.fromEnv(), limiter: Ratelimit.slidingWindow(5, ‘60 s’), });
export const useSubmitFeedback = routeAction$(async (data, { request }) => { // Identify user via IP or Session const identifier = request.headers.get(‘x-forwarded-for’) || ‘anonymous’; const { success, limit, reset, remaining } = await ratelimit.limit(identifier);
if (!success) { return fail(429, { message: ‘Rate limit exceeded. Try again later.’, retryAfter: reset, }); }
const response = await fetch(‘https://expensive-internal-api.com/v1/feedback’, { method: ‘POST’, headers: { ‘Authorization’:
Bearer ${process.env.API_KEY}}, body: JSON.stringify(data), });
return response.json(); });
Your Qwik API
might be exposed to API Rate Limit Exhaustion
74% of Qwik apps fail this check. Hackers use automated scanners to find this specific flaw. Check your codebase before they do.
Free Tier • No Credit Card • Instant Report
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.