Why use a stricter limiter on auth routes?
To prevent brute-force password attacks. A global limit of 100 per 15 min is too loose for login; an attacker can try many passwords. A 5-per-15-min limit on login stops brute force.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in API Rate Limiting and Throttling in Express
Use express-rate-limit. Add a global limiter (100 req per 15 min per IP) and stricter limiters on auth routes (5 per 15 min). Return 429 with a Retry-After header. Use a Redis store for distributed setups so limits work across instances.
429 Too Many Requests. Include a Retry-After header so clients know how long to wait. express-rate-limit sets this automatically when standardHeaders: true.
By default, express-rate-limit uses in-memory store. In a cluster or multiple instances, each instance has its own counter, so limits are not enforced globally. A Redis store shares counters across instances.
Still have questions?
Browse all our FAQs or reach out to our support team
