GuardAPI

Fix Lack of Resources & Rate Limiting in NestJS

Unrestricted endpoints are a direct path to Denial of Service (DoS) and resource exhaustion. In NestJS, the default behavior is to process every request as it arrives, which allows attackers to spam expensive operations like bcrypt hashing or database lookups, eventually killing the event loop. This guide implements the @nestjs/throttler package to enforce strict rate limits and protect the application stack.

The Vulnerable Pattern

// auth.controller.ts (vulnerable version)
import { Body, Controller, Post } from '@nestjs/common';
import { AuthService } from './auth.service'; // path assumed; the page does not show the service

@Controller('auth')
export class AuthController {
  constructor(private readonly authService: AuthService) {}

  @Post('login')
  async login(@Body() credentials) {
    // VULNERABLE: No rate limiting.
    // An attacker can brute-force this endpoint or exhaust CPU via bcrypt.
    return this.authService.authenticate(credentials);
  }
}

The Secure Implementation

The secure implementation uses @nestjs/throttler to intercept incoming requests. Registering ThrottlerGuard globally gives every route a baseline limit. For high-risk endpoints such as /login, the @Throttle decorator overrides the global settings with stricter constraints (3 requests per 60 seconds). In production it is critical to use a Redis store (throttler-storage-redis) so that the request counters are shared across container instances; otherwise an attacker can bypass the limit by spreading requests across different load-balanced pods, each of which keeps its own in-memory count.

// app.module.ts
import { ThrottlerModule, ThrottlerGuard } from '@nestjs/throttler';
import { APP_GUARD } from '@nestjs/core';

import { Module } from '@nestjs/common';

@Module({
  imports: [
    // Global default: 10 requests per 60 000 ms (ttl is in milliseconds) per client.
    ThrottlerModule.forRoot([{ ttl: 60000, limit: 10 }]),
  ],
  providers: [
    // Apply ThrottlerGuard to every route so no endpoint is left unprotected.
    { provide: APP_GUARD, useClass: ThrottlerGuard },
  ],
})
export class AppModule {}

// auth.controller.ts
import { Body, Controller, Post } from '@nestjs/common';
import { Throttle } from '@nestjs/throttler';
import { AuthService } from './auth.service'; // path assumed; the page does not show the service

@Controller('auth')
export class AuthController {
  constructor(private readonly authService: AuthService) {}

  // Override the global 10/min default with a stricter limit for this handler.
  @Throttle({ default: { limit: 3, ttl: 60000 } })
  @Post('login')
  async login(@Body() credentials) {
    // SECURE: Limit to 3 attempts per minute per IP.
    return this.authService.authenticate(credentials);
  }
}
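To make the behaviour of the two configurations above concrete, here is the same fixed-window { ttl, limit } logic written as a dependency-free simulation that runs without a NestJS app. This is an added example, not GuardAPI's code and not the @nestjs/throttler implementation: the Throttler and MemoryStore classes, the route keys, and the 203.0.113.7 / 198.51.100.x client addresses are constructed for illustration, and a single MemoryStore shared between two Throttler instances stands in for the Redis store the text recommends. It goes one step beyond the page by showing, in numbers, how per-pod in-memory counters let one client exceed the login limit and how a shared store closes that gap.

```typescript
// Added example (not GuardAPI's code, not the @nestjs/throttler implementation):
// a fixed-window limiter with the same { ttl, limit } semantics the page configures.

interface ThrottleRule { ttl: number; limit: number } // ttl in milliseconds, as in throttler v5+

interface WindowState { hits: number; expiresAt: number }

// Store abstraction. One MemoryStore per process models the default in-memory
// storage; one MemoryStore handed to several Throttlers models a shared store
// such as Redis (hypothetical stand-in for the real storage backend).
interface ThrottleStore {
  increment(key: string, ttl: number, now: number): WindowState;
}

class MemoryStore implements ThrottleStore {
  private windows: Record<string, WindowState> = Object.create(null);

  increment(key: string, ttl: number, now: number): WindowState {
    const current = this.windows[key];
    if (!current || current.expiresAt <= now) {
      // First hit in a fresh window: open it and count this request.
      const fresh: WindowState = { hits: 1, expiresAt: now + ttl };
      this.windows[key] = fresh;
      return fresh;
    }
    current.hits += 1;
    return current;
  }
}

interface ThrottleDecision { allowed: boolean; remaining: number; retryAfterMs: number }

class Throttler {
  // `global` plays the role of ThrottlerModule.forRoot([...]);
  // `overrides` plays the role of @Throttle() on individual handlers.
  constructor(
    private readonly store: ThrottleStore,
    private readonly global: ThrottleRule,
    private readonly overrides: Record<string, ThrottleRule> = {},
  ) {}

  // `tracker` identifies the client (the real guard uses req.ip by default).
  // Keying on route + tracker keeps one client from consuming another's budget.
  check(route: string, tracker: string, now: number): ThrottleDecision {
    const override = this.overrides[route];
    const rule = override ? override : this.global;
    const state = this.store.increment(route + ':' + tracker, rule.ttl, now);
    const allowed = state.hits <= rule.limit;
    return {
      allowed,
      remaining: Math.max(0, rule.limit - state.hits),
      retryAfterMs: allowed ? 0 : state.expiresAt - now,
    };
  }
}

// Simulation: one client (constructed TEST-NET address) sends `attempts` login
// requests that a load balancer spreads round-robin over two pods. With per-pod
// stores each pod enforces its own limit of 3; with a shared store the client
// gets exactly 3 in total, which is why the text insists on a Redis store.
function acceptedLogins(attempts: number, sharedStore: boolean): number {
  const global: ThrottleRule = { ttl: 60000, limit: 10 };
  const overrides: Record<string, ThrottleRule> = {
    'POST /auth/login': { ttl: 60000, limit: 3 },
  };
  const storeA = new MemoryStore();
  const storeB = sharedStore ? storeA : new MemoryStore();
  const pods = [
    new Throttler(storeA, global, overrides),
    new Throttler(storeB, global, overrides),
  ];

  let accepted = 0;
  for (let i = 0; i < attempts; i++) {
    const pod = pods[i % 2];
    if (pod.check('POST /auth/login', '203.0.113.7', 1000 + i).allowed) accepted += 1;
  }
  return accepted;
}

// Stand-alone run: compares the two deployments for 20 attempts in one window.
console.log('per-pod stores accept', acceptedLogins(20, false), 'of 20 login attempts');
console.log('shared store accepts ', acceptedLogins(20, true), 'of 20 login attempts');
```

The `retryAfterMs` field is what a guard would surface as a Retry-After header; the `remaining` field is the value commonly exposed as an X-RateLimit-Remaining header. Note that the tracker here is a plain string: in a real deployment behind a reverse proxy, the guard must see the client's address rather than the proxy's, or every user shares one budget.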


Verified by Ghost Labs Security Team

This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.