Rate Limiting & Throttling

Endpoints that perform expensive operations (like database writes or sending emails) can be easily abused. Rate Limiting ensures fair usage and protects your infrastructure.

1. Why Rate Limit?

  • Protect from DoS: Prevent a single script from overwhelming your server.
  • Cost Management: If you pay for third-party services per call, you must control usage.
  • Fairness: Ensure one heavy user doesn't degrade the experience for others.

2. Implementation (Express Example)

    const express = require('express');
    const rateLimit = require('express-rate-limit');

    const app = express();

    // Fixed window of 15 minutes: each client IP gets 100 requests per window,
    // after which the limiter answers 429 with the message below.
    // Behind a reverse proxy, also set app.set('trust proxy', ...) so the
    // limiter keys on the real client IP rather than the proxy's address.
    const apiLimiter = rateLimit({
      windowMs: 15 * 60 * 1000, // 15 minutes
      max: 100, // Limit each IP to 100 requests per window
      message: 'Too many requests from this IP'
    });

    // Apply only to routes under /api/; register it before those route handlers.
    app.use('/api/', apiLimiter);

3. HTTP Response Headers

Well-behaved APIs tell the client how many requests it has left using response headers. The X- prefixed names below are a widely used convention rather than a formal standard, so check the API's documentation for their exact semantics (in particular whether Reset is a Unix timestamp or a number of seconds).

  • X-RateLimit-Limit: Maximum requests allowed in the window.
  • X-RateLimit-Remaining: Requests left in the current window.
  • X-RateLimit-Reset: When the current window resets.

4. Tiered Rate Limiting

Professional APIs often have different tiers: e.g., 60 req/min for free users and 10,000 req/min for premium users based on their API Key.

Security Tip: Apply very strict rate limiting to your auth endpoints (Login, Register, Forgot Password) to prevent brute-force attacks on user accounts.
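To show how sections 3 and 4 fit together, here is an added example (not code from the original page and not express-rate-limit's implementation): a self-contained fixed-window limiter in plain JavaScript that chooses a policy by API-key tier, emits the X-RateLimit-* headers, and applies a stricter per-IP policy to auth endpoints. The API keys, the anonymous tier, the auth policy and the helper names (createLimiter, makeApiLimiter, makeAuthLimiter, replay) are all constructed for illustration; the 60/min and 10,000/min tier limits follow the page.

```javascript
// Added example: fixed-window rate limiting with tiers, headers and a strict
// auth policy. Everything below is constructed for illustration.

// Constructed API-key registry: key -> tier. A Map (not a plain object) is used
// so that a client-supplied key such as "constructor" cannot hit prototype
// properties and be mistaken for a registered key.
const API_KEYS = new Map([
  ['key-free-123', 'free'],
  ['key-premium-456', 'premium'],
]);

// Per-tier policies. free/premium follow the page; anonymous is an assumption.
const TIERS = {
  anonymous: { max: 100, windowMs: 15 * 60 * 1000 },
  free: { max: 60, windowMs: 60 * 1000 },
  premium: { max: 10000, windowMs: 60 * 1000 },
};

// Strict policy for login/register/forgot-password: few attempts per IP.
const AUTH_POLICY = { max: 5, windowMs: 15 * 60 * 1000 };

// Build a limiter. `identify` maps a client to its counter key and `policyFor`
// picks the policy. Counters live in an in-process Map, so this is per-process.
function createLimiter({ identify, policyFor }) {
  const buckets = new Map(); // counter key -> { count, resetAt }
  return function check(client, now = Date.now()) {
    const key = identify(client);
    const policy = policyFor(client);
    let bucket = buckets.get(key);
    if (!bucket || now >= bucket.resetAt) {
      // Start a fresh window for this client.
      bucket = { count: 0, resetAt: now + policy.windowMs };
      buckets.set(key, bucket);
    }
    const allowed = bucket.count < policy.max;
    if (allowed) bucket.count += 1;
    const secondsToReset = Math.ceil((bucket.resetAt - now) / 1000);
    const headers = {
      'X-RateLimit-Limit': String(policy.max),
      'X-RateLimit-Remaining': String(Math.max(0, policy.max - bucket.count)),
      'X-RateLimit-Reset': String(secondsToReset), // here: seconds until the window resets
    };
    if (!allowed) headers['Retry-After'] = String(secondsToReset); // standard header on 429
    return { allowed, status: allowed ? 200 : 429, headers };
  };
}

// Tiered API limiter: registered API keys are counted per key, everyone else per IP.
function makeApiLimiter() {
  return createLimiter({
    identify: (c) => (API_KEYS.has(c.apiKey) ? `key:${c.apiKey}` : `ip:${c.ip}`),
    policyFor: (c) => TIERS[API_KEYS.get(c.apiKey) || 'anonymous'],
  });
}

// Auth limiter: always per IP, always the strict policy, regardless of tier.
function makeAuthLimiter() {
  return createLimiter({ identify: (c) => `ip:${c.ip}`, policyFor: () => AUTH_POLICY });
}

// Replay `n` requests from one client at a fixed instant; returns the status codes.
function replay(limiter, client, n, now = 0) {
  const statuses = [];
  for (let i = 0; i < n; i++) statuses.push(limiter(client, now).status);
  return statuses;
}

// Demo: a free-tier key gets 60 requests per minute; the 61st is rejected, and the
// next window starts 60 s later with 59 remaining after one request.
const demo = makeApiLimiter();
const freeClient = { ip: '203.0.113.10', apiKey: 'key-free-123' };
console.log(replay(demo, freeClient, 61).filter((s) => s === 429).length, 'rejected');
console.log(demo(freeClient, 60 * 1000).headers);
```

Two design points carry over to a real deployment: the counters must live in a shared store (for example Redis) once you run more than one process, otherwise each instance enforces its own copy of the limit; and the auth limiter is deliberately keyed by IP and ignores the API-key tier, because a premium quota should never translate into more login attempts.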