GuardAPI

Fix Lack of Resources & Rate Limiting in Express

Unrestricted endpoints are a direct path to Denial of Service (DoS) and automated brute-force. Without rate limiting, an attacker can saturate the Node.js event loop, exhaust memory, or deplete database connection pools. In Express, the lack of resource constraints allows a single client to monopolize the server, leading to total service unavailability.

The Vulnerable Pattern

const express = require('express');
const app = express();

// VULNERABLE: No rate limiting or payload size constraints
app.use(express.json());

app.post('/api/auth/login', (req, res) => {
  // An attacker can spam this endpoint 10,000 times/sec
  // to brute-force credentials or crash the DB
  const { username, password } = req.body;
  res.status(200).send('Authentication processed');
});

app.listen(3000);

The Secure Implementation

The mitigation strategy involves two layers: throttling and resource capping. First, we use 'express-rate-limit' to enforce a request quota per IP address, specifically targeting high-value endpoints like authentication. Second, we constrain the 'express.json' middleware with a 'limit' property; this prevents attackers from sending massive JSON payloads that could cause buffer overflows or heap exhaustion. For distributed environments, the default in-memory store should be replaced with a Redis store to ensure rate limits are synchronized across multiple server instances.

const express = require('express');
const rateLimit = require('express-rate-limit');
const app = express();

// SECURE: Limit payload size to prevent memory exhaustion
app.use(express.json({ limit: '10kb' }));

// SECURE: Define rate limiting middleware
const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5, // Limit each IP to 5 login requests per window
  message: 'Too many login attempts, please try again after 15 minutes',
  standardHeaders: true, // Return rate limit info in the RateLimit-* headers
  legacyHeaders: false, // Disable the X-RateLimit-* headers
});

// Apply to sensitive routes
app.use('/api/auth/login', loginLimiter);

app.post('/api/auth/login', (req, res) => {
  res.status(200).send('Authentication processed');
});

app.listen(3000);
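To make the two points above concrete (the fixed-window quota behind loginLimiter, and why the in-memory store must be shared in a multi-instance deployment), here is an added example that is not GuardAPI's code and not express-rate-limit itself: a minimal fixed-window limiter with the same windowMs/max/RateLimit-* semantics, written as a plain function with an injectable clock and store so it runs without Express. The key, timestamps and the IP address are constructed sample values.

```javascript
// Added example: a fixed-window per-key limiter mirroring the page's loginLimiter
// settings. `store` is an injected Map-like object so we can show that two
// limiters with private stores each grant `max` requests (the attacker gets 2x
// the quota), while two limiters sharing one store enforce a single quota, which
// is what replacing the default in-memory store with a Redis store achieves.
function createLimiter({ windowMs, max, store = new Map(), now = Date.now }) {
  return function check(key) {
    const t = now();
    let entry = store.get(key);
    // Start a fresh window when none exists or the previous one has expired
    if (!entry || t >= entry.resetAt) {
      entry = { hits: 0, resetAt: t + windowMs };
      store.set(key, entry);
    }
    entry.hits += 1;
    const allowed = entry.hits <= max;
    const headers = {
      'RateLimit-Limit': String(max),
      'RateLimit-Remaining': String(Math.max(0, max - entry.hits)),
      'RateLimit-Reset': String(Math.ceil((entry.resetAt - t) / 1000)), // seconds
    };
    if (!allowed) headers['Retry-After'] = headers['RateLimit-Reset'];
    return { allowed, status: allowed ? 200 : 429, headers };
  };
}

// Drive a limiter with a fake clock and return the status codes observed
function simulate(limiter, key, timestamps, clock) {
  return timestamps.map((ts) => { clock.t = ts; return limiter(key).status; });
}

function demo() {
  const clock = { t: 0 };
  const now = () => clock.t;
  const windowMs = 15 * 60 * 1000;
  const ip = '203.0.113.10'; // constructed sample client key
  // Single instance: 5 allowed, 6th rejected, allowed again once the window rolls
  const single = createLimiter({ windowMs, max: 5, now });
  const singleRun = simulate(single, ip, [0, 1, 2, 3, 4, 5, windowMs], clock);
  // Two instances with private in-memory stores, requests alternating between them
  const a = createLimiter({ windowMs, max: 5, now });
  const b = createLimiter({ windowMs, max: 5, now });
  let split = 0;
  for (let i = 0; i < 10; i++) split += (i % 2 ? a : b)(ip).allowed ? 1 : 0;
  // Two instances sharing one store: the quota is global across both
  const shared = new Map();
  const c = createLimiter({ windowMs, max: 5, store: shared, now });
  const d = createLimiter({ windowMs, max: 5, store: shared, now });
  let pooled = 0;
  for (let i = 0; i < 10; i++) pooled += (i % 2 ? c : d)(ip).allowed ? 1 : 0;
  return { singleRun, split, pooled }; // split is 10, pooled is 5
}
```

A production store must also apply the window expiry atomically on the shared backend (for example a Redis INCR with a TTL), otherwise two instances can race on the same key.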


Verified by Ghost Labs Security Team
