GuardAPI

Fix Lack of Resources & Rate Limiting in Sails

Sails.js applications are exposed to Denial of Service (DoS) and resource exhaustion whenever the request lifecycle is not gated. Without rate limiting, an attacker can hammer expensive operations, such as bcrypt hashing or complex Waterline queries, to spike CPU usage and block the event loop. Real hardening means intercepting requests at the middleware layer before they reach the controller logic.

The Vulnerable Pattern

// api/controllers/AuthController.js
module.exports = {
  login: async function (req, res) {
    // VULNERABILITY: No throttling on a CPU-intensive operation.
    // An attacker can spam this endpoint to exhaust server resources.
    var user = await User.findOne({ email: req.body.email });
    if (!user) return res.notFound();

    try {
      await sails.helpers.passwords.checkPassword(req.body.password, user.password);
    } catch (err) {
      // The helper exits with code 'incorrect' when the hash does not match;
      // anything else is unexpected and should surface as a server error.
      if (err.code === 'incorrect') return res.badRequest('Invalid credentials');
      throw err;
    }

    return res.ok({ token: '...' });
  }
};

The Secure Implementation

The vulnerable code allows an unlimited number of login attempts, each of which performs a password hash comparison, a high-latency, CPU-bound task. The fix integrates express-rate-limit directly into the Sails HTTP middleware stack (config/http.js). By placing rateLimit first in the middleware order, we drop abusive traffic before it reaches the router or consumes database connections. For production-grade resilience, use a Redis-backed store for the rate limiter so that the counters are shared across multiple app instances; an in-memory store gives each instance its own independent budget.

// config/http.js
const rateLimit = require('express-rate-limit');

module.exports.http = {
  middleware: {
    order: [
      'rateLimit',
      'cookieParser',
      'session',
      'bodyParser',
      'compress',
      'router',
      'www',
    ],

    rateLimit: rateLimit({
      windowMs: 15 * 60 * 1000, // 15 minutes
      max: 100, // limit each IP to 100 requests per windowMs
      message: 'Too many requests from this IP, please try again after 15 minutes',
      standardHeaders: true,
      legacyHeaders: false,
    }),
  },
};
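The app-wide limiter above shares one 100-request budget across every route, so a login flood can still consume a good share of it before being cut off. The following is an added example, not the article's code and not express-rate-limit: a small fixed-window limiter wired as a second Sails middleware that gates only POST /auth/login, keyed on client IP plus the submitted email. The route path, the `loginLimit` middleware name and the in-memory Map store are assumptions; in production the counters belong in Redis, and when the app sits behind a proxy `sails.config.http.trustProxy` must be set or every client shares the proxy's `req.ip`.

```javascript
'use strict';

// Fixed-window counter. Each call records one hit for `key` and returns
// { allowed, remaining, retryAfterMs }. `store` is an in-memory Map here
// (assumption for the example); a Redis-backed store replaces it in production.
function makeLimiter({ windowMs, max }, store = new Map()) {
  return function hit(key, now = Date.now()) {
    let entry = store.get(key);
    if (!entry || now - entry.start >= windowMs) {
      entry = { start: now, count: 0 }; // open a fresh window for this key
      store.set(key, entry);
    }
    entry.count += 1;
    const allowed = entry.count <= max;
    return {
      allowed,
      remaining: Math.max(0, max - entry.count),
      retryAfterMs: allowed ? 0 : entry.start + windowMs - now,
    };
  };
}

// Express-style middleware for config/http.js, registered as `loginLimit` and
// listed in middleware.order AFTER 'bodyParser' (it needs req.body) and before
// 'router'. Only the login route is gated; every other request passes through.
function loginLimiter({ windowMs = 15 * 60 * 1000, max = 5 } = {}) {
  const hit = makeLimiter({ windowMs, max });
  return function (req, res, next) {
    if (req.method !== 'POST' || req.path !== '/auth/login') return next();
    const email = (req.body && req.body.email) || '';
    // IP + email: one source cannot burn the budget for unrelated accounts,
    // and one account cannot be locked out by a single noisy client alone.
    const verdict = hit(`${req.ip}:${email.toLowerCase()}`);
    res.setHeader('RateLimit-Remaining', String(verdict.remaining));
    if (verdict.allowed) return next();
    res.setHeader('Retry-After', String(Math.ceil(verdict.retryAfterMs / 1000)));
    return res.status(429).send('Too many login attempts, please try again later');
  };
}

module.exports = { makeLimiter, loginLimiter };
```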
