GuardAPI

Fix API Rate Limit Exhaustion in Sails

API Rate Limit Exhaustion in Sails.js occurs when endpoints, especially those performing heavy operations such as bcrypt hashing or database lookups, lack request throttling. In a default Sails setup there is no global protection against automated abuse, so attackers can trigger denial-of-service conditions or run high-speed brute-force attacks. We mitigate this with a policy-based rate limiter, using express-rate-limit or rate-limiter-flexible, that intercepts requests before they reach the controller logic.

The Vulnerable Pattern

// api/controllers/UserController.js
// VULNERABLE: No protection against rapid-fire requests.
module.exports = {
  login: async function (req, res) {
    const user = await User.findOne({ email: req.body.email });
    // Expensive password check (hashing) is exposed to brute-force
    if (!user || !await sails.helpers.passwords.checkPassword(req.body.password, user.password)) {
      return res.forbidden();
    }
    return res.ok({ token: '...' });
  }
};

The Secure Implementation

The fix moves rate limiting into the Sails Policy layer. By defining a policy that uses a sliding window counter (via express-rate-limit), we ensure that the Node.js event loop isn't bogged down by malicious traffic. The policy intercepts the 'req' object, checks the source IP against an in-memory or Redis-backed store, and returns a 429 'Too Many Requests' status before the expensive 'checkPassword' helper or database queries are ever executed. This preserves system resources and thwarts automated credential stuffing.

// api/policies/rateLimit.js
const rateLimit = require('express-rate-limit');

// express-rate-limit returns an Express-style middleware (req, res, next).
// Sails invokes a policy as (req, res, proceed), so the middleware can be
// exported directly; it calls proceed() only for requests under the limit.
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 10, // Limit each IP to 10 login attempts per window
  standardHeaders: true, // Send the RateLimit-* response headers
  legacyHeaders: false, // Omit the older X-RateLimit-* headers
  message: { error: 'Too many attempts. Try again later.' }
});
module.exports = limiter;

// config/policies.js
module.exports.policies = {
  'UserController': {
    'login': 'rateLimit' // Apply policy to specific sensitive action
  }
};
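As an added example (not code from the page, from Sails, or from express-rate-limit), here is the same policy written as a dependency-free sliding-window counter so it can be exercised offline with stand-in req/res objects; makeRateLimitPolicy, fakeRes, attempt and simulate are assumed names, and the IP 203.0.113.5 is a constructed sample.

```javascript
const WINDOW_MS = 15 * 60 * 1000; // 15 minutes, same window as the page's policy
const MAX_HITS = 10;              // 10 attempts per key per window

// Returns a Sails-style policy (req, res, proceed). `now` is injectable for tests.
function makeRateLimitPolicy({ windowMs = WINDOW_MS, max = MAX_HITS, now = Date.now } = {}) {
  const hits = new Map(); // key -> timestamps; in-memory, so per-process only
  return function rateLimitPolicy(req, res, proceed) {
    // Key on client IP; behind a proxy req.ip is only trustworthy with trust proxy set.
    const key = req.ip;
    const t = now();
    // Sliding window: keep only timestamps that fall inside the last windowMs.
    const recent = (hits.get(key) || []).filter((ts) => t - ts < windowMs);
    if (recent.length >= max) {
      const retryAfterSec = Math.ceil((recent[0] + windowMs - t) / 1000);
      res.set('Retry-After', String(retryAfterSec));
      return res.status(429).json({ error: 'Too many attempts. Try again later.' });
    }
    recent.push(t);
    hits.set(key, recent);
    return proceed(); // only now does the controller (and checkPassword) run
  };
}

// Minimal stand-in for Sails' res so the policy runs without a server.
function fakeRes() {
  const r = { statusCode: 200, headers: {}, body: null };
  r.set = (k, v) => { r.headers[k] = v; return r; };
  r.status = (c) => { r.statusCode = c; return r; };
  r.json = (b) => { r.body = b; return r; };
  return r;
}

// Send one request through the policy; 'pass' if the controller would run, else the status.
function attempt(policy, ip, res) {
  let proceeded = false;
  policy({ ip }, res, () => { proceeded = true; });
  return proceeded ? 'pass' : res.statusCode;
}

// Constructed scenario: 12 attempts from one IP inside the window, then one after it expires.
function simulate() {
  let clock = 0;
  const policy = makeRateLimitPolicy({ now: () => clock });
  const results = [];
  for (let i = 0; i < 12; i++) { clock += 1000; results.push(attempt(policy, '203.0.113.5', fakeRes())); }
  clock += WINDOW_MS; // the first timestamps have aged out, so the IP is admitted again
  results.push(attempt(policy, '203.0.113.5', fakeRes()));
  return results;
}
```

Rejected attempts are not counted, so a client that keeps hammering during the block does not extend its own lockout; swap the Map for a Redis-backed store before running more than one Sails process.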


Verified by Ghost Labs Security Team
