Facebook Pixel

What status code should rate-limited requests return?

429 Too Many Requests. Include a Retry-After header so clients know how long to wait. express-rate-limit sets this automatically when standardHeaders: true.

Verify This Answer

Cross-check this information using these trusted sources:

More FAQs in API Rate Limiting and Throttling in Express

Use express-rate-limit. Add a global limiter (100 req per 15 min per IP) and stricter limiters on auth routes (5 per 15 min). Return 429 with a Retry-After header. Use a Redis store for distributed setups so limits work across instances.

To prevent brute-force password attacks. A global limit of 100 per 15 min is too loose for login; an attacker can try many passwords. A 5-per-15-min limit on login stops brute force.

By default, express-rate-limit uses in-memory store. In a cluster or multiple instances, each instance has its own counter, so limits are not enforced globally. A Redis store shares counters across instances.

Still have questions?

Browse all our FAQs or reach out to our support team

Want to upskill yourself?

Our courses are taking a Coffee break, but your curiosity shouldn't. Stay engaged with namastedev linkedin, youtube, discord and other resources while you wait.

0
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.