GuardAPI

Fix Lack of Resources & Rate Limiting in Feathers

FeathersJS services are lightweight, but they ship with no throttling, and a service without a 'paginate' setting honours whatever '$limit' the client sends. That makes Denial of Service (DoS) trivial, either through high-volume brute-force traffic or through a handful of resource-heavy queries. To secure a Feathers app you must throttle at the transport layer and enforce strict pagination at the service layer, so that a single request cannot exhaust process memory or tie up the database.

The Vulnerable Pattern

const feathers = require('@feathersjs/feathers');
const express = require('@feathersjs/express');
const app = express(feathers());

// someDb stands in for whatever database adapter backs the service

// VULNERABLE: no rate limiting and no pagination limits
app.use('/messages', {
  async find(params) {
    // Attacker can pass $limit=1000000 in the query string.
    // This triggers massive DB reads and memory spikes.
    return someDb.find(params.query);
  },
  async create(data) {
    // Attacker can spam this endpoint to fill storage
    return someDb.insert(data);
  }
});

The Secure Implementation

The mitigation strategy is defense in depth. First, we use 'express-rate-limit' at the transport layer to drop high-velocity traffic before it touches Feathers logic. Two caveats apply: Express middleware only sees REST requests, so a Socket.io client bypasses the limiter entirely, and behind a reverse proxy you must set Express's 'trust proxy' option or the limiter keys every request on the proxy's address instead of the client's. Second, we define 'paginate.default' and 'paginate.max' in the service options; this is the Feathers mechanism that caps 'find' results, and it is honoured by the Feathers database adapters, whereas a hand-written service object must read and apply the option itself. Finally, we use a 'before' hook as a fail-safe that sanitizes the '$limit' query parameter. Hooks run for every transport, so this layer holds even where the first two do not apply, and it ensures that a manipulated client request cannot override server-side resource constraints.

const feathers = require('@feathersjs/feathers');
const express = require('@feathersjs/express');
const rateLimit = require('express-rate-limit');

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100,                 // limit each IP to 100 requests per window
  standardHeaders: true,    // send RateLimit-* headers
  legacyHeaders: false      // drop the X-RateLimit-* headers
});

const app = express(feathers());
app.configure(express.rest());
// Behind a reverse proxy, uncomment so req.ip is the client, not the proxy:
// app.set('trust proxy', 1);

// 1. Apply rate-limiting middleware to the REST path before the service
app.use('/messages', limiter);

// 2. Enforce service-level pagination (applied by the Feathers database adapters)
app.use('/messages', {
  async find(params) { /* … */ },
  // Service options with hard caps
  paginate: { default: 10, max: 50 }
});

// 3. Hook-based query protection, runs for REST and socket calls alike
app.service('messages').hooks({
  before: {
    find: [
      (context) => {
        const { query } = context.params;
        if (query && query.$limit !== undefined) {
          const limit = parseInt(query.$limit, 10);
          // Non-numeric or negative values fall back to the default,
          // oversized values are clamped to the hard cap
          if (Number.isNaN(limit) || limit < 0) query.$limit = 10;
          else if (limit > 50) query.$limit = 50;
        }
        return context;
      }
    ]
  }
});
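The hook layer is the one piece that works for every transport, so it is worth seeing its logic in isolation. The following is an added example written for this page, not code from GuardAPI or from the Feathers project: a '$limit' clamping hook and a fixed-window rate-limit hook in the Feathers '(context) => context' shape, run against hand-built hook contexts so it executes without Feathers or express-rate-limit installed. The names 'limitQuery', 'rateLimitHook' and 'runBefore' are this example's own, and keying on 'context.params.ip' assumes an upstream middleware has copied the client address into 'req.feathers' (Feathers does not set it by default).

```javascript
// Added example (not GuardAPI or Feathers code): pagination-cap and rate-limit
// logic as Feathers-style "before" hooks, exercised with constructed contexts.

// Normalise a client-supplied $limit. REST delivers query values as strings
// ("50", "1e9", "abc"); Socket.io delivers JSON values (50, -1, null).
function clampLimit(value, { default: def, max }) {
  if (value === undefined || value === null || value === '') return def;
  const n = Number(value);
  // Reject NaN, fractions and negatives rather than trusting parseInt's partial parse
  if (!Number.isInteger(n) || n < 0) return def;
  return Math.min(n, max);
}

// Before hook: force $limit into [0, max], defaulting when absent. Runs for REST
// and sockets alike, so it also covers a custom service that ignores `paginate`.
function limitQuery({ default: def = 10, max = 50 } = {}) {
  return (context) => {
    const query = context.params.query || {};
    context.params.query = {
      ...query,
      $limit: clampLimit(query.$limit, { default: def, max })
    };
    return context;
  };
}

// Fixed-window counter keyed by whatever identifies the caller (IP, user id,
// socket id). `now` is injectable so the window can be driven in tests.
function rateLimitHook({ windowMs, max, key, now = Date.now }) {
  const buckets = new Map(); // key -> { count, resetAt }
  return (context) => {
    const t = now();
    const k = key(context);
    let bucket = buckets.get(k);
    if (!bucket || bucket.resetAt <= t) {
      // Sweep expired entries when opening a new window so a spray of
      // never-repeated keys cannot grow the map without bound.
      for (const [k2, b] of buckets) if (b.resetAt <= t) buckets.delete(k2);
      bucket = { count: 0, resetAt: t + windowMs };
      buckets.set(k, bucket);
    }
    bucket.count += 1;
    if (bucket.count > max) {
      const retryIn = Math.ceil((bucket.resetAt - t) / 1000);
      const err = new Error(`Too many requests; retry in ${retryIn}s`);
      err.code = 429; // @feathersjs/express errorHandler uses error.code as the HTTP status
      throw err;
    }
    return context;
  };
}

// Minimal stand-in for the Feathers hook runner: before hooks run in order,
// and the first throw aborts the service call.
function runBefore(hooks, context) {
  return hooks.reduce((ctx, hook) => hook(ctx) || ctx, context);
}

// Constructed contexts shaped like context.params for a REST caller (string
// query values) and a socket caller (JSON numbers); addresses are documentation ranges.
function demo() {
  const hooks = [
    rateLimitHook({ windowMs: 60 * 1000, max: 100, key: (ctx) => ctx.params.ip }),
    limitQuery({ default: 10, max: 50 })
  ];
  const rest = runBefore(hooks, {
    params: { ip: '203.0.113.7', query: { $limit: '1000000' } }
  });
  const socket = runBefore(hooks, {
    params: { ip: '203.0.113.8', query: { $limit: -1 } }
  });
  return { rest: rest.params.query.$limit, socket: socket.params.query.$limit };
}
```

In a real app these functions would be registered exactly like the hook in the snippet above ('app.service("messages").hooks({ before: { all: [rateLimitHook(...)], find: [limitQuery(...)] } })'); the in-process Map means the counter is per Node process, so a horizontally scaled deployment needs a shared store for the same effect.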


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes more than 500 vulnerability patterns across more than 40 frameworks to provide up-to-date remediation strategies.