    Add Rate Limiting and Slow‑Down to an Express API for Better Security

    22 February 2026 by
    Suraj Barman

    Rate limiting and slow‑down middleware give an Express web service a built‑in guard against a single client hammering it: the rate limiter caps how many requests one client key (by default its IP address) may make per time window, and the slow‑down middleware adds controlled latency to requests above a threshold instead of rejecting them. Together they blunt brute‑force and scraping attempts and help keep the server responsive under heavy load. They are a per‑process, per‑client control, not a substitute for network‑level DDoS protection.

    Prepare the project structure

    Start with a fresh Node.js folder, install Express, and expose a simple static page that will be used for testing.

    • Create a directory and run npm init -y to generate a package manifest.
    • Install Express with npm install express.
    • Place an index.html file inside a public folder for the landing page.
    • Write a minimal app.js that serves the static folder and listens on port 3000.
    • Open port 3000 in the firewall with ufw allow 3000 only if you need to reach the test server from another host. In production keep Node behind a reverse proxy that terminates TLS and leave the application port closed to the outside.

    Integrate rate limiting

    Use the rate limiting middleware to reject excessive calls from a single client.

    • Install the package via npm install express-rate-limit.
    • Configure a limiter with a 15‑minute window (the windowMs option) and a maximum of five requests per client in that window (the limit option, called max in versions before 7). Five per 15 minutes is a login‑endpoint style budget; a general API needs a far higher ceiling, or a separate stricter limiter mounted only on sensitive routes.
    • Apply the limiter globally with app.use(limiter) before any route handlers, including the static middleware, so that page refreshes are counted.
    • When the limit is exceeded the client receives a 429 Too Many Requests status with the configured message; with standardHeaders enabled the response also carries RateLimit‑* and Retry‑After headers that well‑behaved clients use to back off.
    • If the app runs behind a reverse proxy or load balancer, set Express's trust proxy setting to the number of trusted hops. Otherwise every request arrives with the proxy's address and all clients share one bucket, while blindly trusting X‑Forwarded‑For would let a client pick its own bucket by forging the header. Recent express-rate-limit versions detect an X‑Forwarded‑For header arriving with trust proxy unset and report a validation error.

    Add slow‑down protection

    The slow‑down middleware adds latency to requests above a threshold instead of outright blocking, which smooths traffic spikes and slows automated guessing without locking out a user who merely clicked twice.

    • Install with npm install express-slow-down.
    • Set delayAfter to one request and delayMs to 2000 milliseconds. Mind the version difference: in express-slow-down 2.x a plain number for delayMs is a fixed pause applied to every request past delayAfter, and the library warns about it; to get the incremental ramp described here (2 s, 4 s, 6 s, and so on), pass delayMs as a function of the request count, and cap it with maxDelayMs so one client cannot keep a connection pending for minutes.
    • Register the slow‑down handler before the rate limiter so delays happen first. The trade‑off is that a request the limiter would reject anyway still waits out its delay while holding a timer and a socket; registering the limiter first rejects over‑limit requests immediately and delays only the requests that will actually be served.
    • Each extra request within the window incurs the configured pause, reducing strain on the handlers but not on the Node process itself, which must keep every delayed request in memory until its timer fires.
    • The same trust proxy caveat applies here: the slow‑down counter is keyed by client IP.

    Test and verify behavior

    Confirm that both controls work as expected by making repeated calls to the endpoint.

    • Refresh the page six times within 15 minutes; the sixth attempt should return a 429 error from the rate limiter.
    • Observe increasing response times after the first request (with a function‑valued delayMs), indicating the slow‑down effect.
    • Use curl -i in a loop, or a browser extension, to simulate rapid calls and inspect the status line together with the RateLimit‑* and Retry‑After headers.
    • Neither library logs individual hits by default, so add a small logging middleware, or use the limiter's handler option, if you want 429 responses recorded for detection; also watch the console at startup for validation warnings from the libraries, for example about trust proxy or delayMs.
    • Adjust thresholds based on real traffic patterns to balance usability and protection, and remember that the default store is in‑process memory: counters reset on restart and are not shared between workers or instances, so a clustered or horizontally scaled deployment needs a shared backend such as a Redis‑backed store passed through the libraries' store option.
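    To see concretely what the two controls do to a burst of requests from one client, here is an added, dependency‑free example. It is not the page's code and not the source of express-rate-limit or express-slow-down; it implements both middlewares in the Express (req, res, next) shape over a fixed‑window counter keyed by client IP, including the trust‑proxy handling and the number‑versus‑function delayMs distinction discussed above. The option names windowMs, limit, delayAfter, delayMs and maxDelayMs mirror the libraries; the trustedHops parameter, the clientKey, hit, delayFor, fakeRes and simulate helpers, the fake response object, the fixed clock and the addresses are constructed for this example. In a real app keep the libraries and mount them with app.use; this script exists to make the behaviour observable and testable offline.

```javascript
// Added example: minimal fixed-window rate limiter and slow-down middleware in
// Express (req, res, next) form with no third-party packages. Not the code of
// express-rate-limit or express-slow-down; option names mirror them, while
// trustedHops, clientKey, hit, delayFor, fakeRes and simulate are constructed here.
const DEFAULT_WINDOW_MS = 15 * 60 * 1000;

// Identify "one client". The socket peer is always real; X-Forwarded-For is
// honoured only for the hops the operator declares trusted, so a client cannot
// pick its own bucket by forging the header.
function clientKey(req, trustedHops = 0) {
  const peer = (req.socket && req.socket.remoteAddress) || req.ip || 'unknown';
  const xff = req.headers && req.headers['x-forwarded-for'];
  if (trustedHops > 0 && typeof xff === 'string' && xff.trim() !== '') {
    const chain = xff.split(',').map((s) => s.trim()).filter(Boolean);
    // Hop 1 is the peer itself; each further trusted hop consumes one entry
    // from the right. The first untrusted address is the client.
    return chain[Math.max(chain.length - trustedHops, 0)];
  }
  return peer;
}

// Fixed-window counter: a hit after resetAt begins a fresh window.
function hit(store, key, windowMs, now) {
  let entry = store.get(key);
  if (!entry || now >= entry.resetAt) {
    entry = { count: 0, resetAt: now + windowMs };
    store.set(key, entry);
  }
  entry.count += 1;
  return entry;
}

function rateLimit({ windowMs = DEFAULT_WINDOW_MS, limit = 5, trustedHops = 0,
  message = 'Too many requests, please try again later.', now = Date.now } = {}) {
  const store = new Map();
  return function limiter(req, res, next) {
    const t = now();
    const entry = hit(store, clientKey(req, trustedHops), windowMs, t);
    const resetSec = Math.ceil((entry.resetAt - t) / 1000);
    // RateLimit-* headers let well-behaved clients back off before a 429.
    res.setHeader('RateLimit-Limit', String(limit));
    res.setHeader('RateLimit-Remaining', String(Math.max(limit - entry.count, 0)));
    res.setHeader('RateLimit-Reset', String(resetSec));
    if (entry.count > limit) {
      res.setHeader('Retry-After', String(resetSec));
      res.statusCode = 429;
      res.end(message);
      return;
    }
    next();
  };
}

// A number for delayMs is a fixed pause per request past delayAfter; a function
// of the hit count gives the incremental ramp. maxDelayMs bounds either form.
function delayFor(used, delayAfter, delayMs, maxDelayMs) {
  if (used <= delayAfter) return 0;
  const raw = typeof delayMs === 'function' ? delayMs(used, delayAfter) : delayMs;
  return Math.min(Math.max(raw, 0), maxDelayMs);
}

function slowDown({ windowMs = DEFAULT_WINDOW_MS, delayAfter = 1,
  delayMs = (used, after) => (used - after) * 2000, maxDelayMs = 20000,
  trustedHops = 0, now = Date.now, sleep = setTimeout } = {}) {
  const store = new Map();
  return function slower(req, res, next) {
    const entry = hit(store, clientKey(req, trustedHops), windowMs, now());
    const delay = delayFor(entry.count, delayAfter, delayMs, maxDelayMs);
    if (delay === 0) return next();
    sleep(next, delay); // the request stays pending until the timer fires
  };
}

// Minimal stand-in for an Express response, enough for the middlewares above.
function fakeRes() {
  return {
    statusCode: 200, headers: {}, body: '',
    setHeader(name, value) { this.headers[name.toLowerCase()] = value; },
    end(chunk = '') { this.body += chunk; },
  };
}

// Drive n requests from one constructed address through slowDown -> rateLimit,
// one second apart, with an injected clock and a sleep that records the delay
// instead of waiting; returns what each request would have experienced.
function simulate(n, { ip = '198.51.100.7', windowMs = DEFAULT_WINDOW_MS } = {}) {
  let clock = 1700000000000; // constructed fixed start time
  let lastDelay = 0;
  const sleep = (fn, ms) => { lastDelay = ms; fn(); };
  const slower = slowDown({ windowMs, delayAfter: 1, now: () => clock, sleep });
  const limiter = rateLimit({ windowMs, limit: 5, now: () => clock });
  const results = [];
  for (let i = 0; i < n; i++) {
    const req = { socket: { remoteAddress: ip }, headers: {} };
    const res = fakeRes();
    lastDelay = 0;
    slower(req, res, () => limiter(req, res, () => res.end('ok')));
    results.push({ status: res.statusCode, delayMs: lastDelay,
      remaining: res.headers['ratelimit-remaining'], retryAfter: res.headers['retry-after'] });
    clock += 1000;
  }
  return results;
}
```

    Calling simulate(7) reproduces the test section above: requests two through seven are delayed by 2, 4, 6, 8, 10 and 12 seconds, the first five pass with RateLimit‑Remaining counting down to 0, and the sixth and seventh are answered 429 with Retry‑After set to the seconds left in the window. Because the slow‑down runs first, the two rejected requests still wait 10 and 12 seconds before being refused, which is the ordering trade‑off noted earlier. Passing a small windowMs shows the counters resetting, and clientKey with different trustedHops values shows why the trust proxy setting decides which address gets limited.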


    Copyright © 2026 TechStora. All Rights Reserved.