Design a Simple Rate Limiter Using Redis and Node.js

Rate limiting is a crucial technique for controlling traffic to your APIs and protecting your application from abuse, DDoS attacks, or overuse. In this article, we’ll design and implement a simple IP-based rate limiter in Node.js using Redis. By leveraging Redis’s atomic counter operations and expiration features, we can achieve an efficient and scalable solution with minimal overhead.

1. Why Use Redis for Rate Limiting?

Redis is a high-performance in-memory datastore, and its ability to atomically increment counters with expiration makes it ideal for rate limiting scenarios. Compared to in-memory solutions (like using a JavaScript object), Redis allows you to scale across multiple Node.js instances and maintain consistent limits for each IP.

Imagine you want to allow each client to make up to 100 requests per 15-minute window. Redis can keep track of how many times each IP hits your API and reset that count automatically when the time window expires.

2. Setting Up Redis and Node.js

First, ensure Redis is installed and running on your machine. You can start Redis using Docker:

docker run -p 6379:6379 redis

Next, let’s scaffold a basic Express application with Redis support:

// Install dependencies
npm install express ioredis

// app.js
const express = require('express');
const Redis = require('ioredis');

const app = express();
const redis = new Redis(); // Default: localhost:6379

Now that we have our environment set up, let’s build the middleware.

3. Implementing the Rate Limiting Middleware

The idea is simple: when a request comes in, we increment a key in Redis that corresponds to the IP address. If the key doesn’t exist, Redis will create it. We’ll also set an expiration equal to the rate limit window.

// rateLimiter.js
const WINDOW_SIZE_IN_SECONDS = 15 * 60; // 15 minutes
const MAX_WINDOW_REQUEST_COUNT = 100;

module.exports = (redis) => async (req, res, next) => {
  const ip = req.ip;
  const key = `ratelimit:${ip}`;

  const requests = await redis.incr(key);

  if (requests === 1) {
    // First request, set expiration
    await redis.expire(key, WINDOW_SIZE_IN_SECONDS);
  }

  if (requests > MAX_WINDOW_REQUEST_COUNT) {
    return res.status(429).json({ error: 'Too many requests. Please try again later.' });
  }

  next();
};

Then, use this middleware in your app:

// app.js (continued)
const rateLimiter = require('./rateLimiter');
app.use(rateLimiter(redis));

app.get('/', (req, res) => {
  res.send('Welcome, you are within the rate limit!');
});

app.listen(3000, () => console.log('Server on port 3000'));

This middleware now protects your entire app by limiting each IP to 100 requests per 15 minutes.

4. Enhancements and Production Tips

While our basic limiter works well, here are some refinements for production:

Distributed Deployments: Redis makes your rate limiter scalable by sharing state across multiple app instances.
X-Forwarded-For for Real IPs: In deployments behind reverse proxies, use req.headers['x-forwarded-for'] to get the real client IP.
Global vs Route-Specific: You can apply the middleware globally or to sensitive routes only (e.g., /api/login).
Leaky Bucket Algorithm: For smoother request flow rather than discrete windows, look into sliding window log or leaky bucket algorithms.
Rate By User/Token: You can adapt the middleware to limit by user ID or token instead of IP for better granularity in authenticated APIs.

5. Monitoring, Debugging & Optimization

Keep your Redis keys efficient and monitor usage with tools like redis-cli or RedisInsight. Use the following command to inspect keys:

redis-cli keys ratelimit:*

For optimization:

Use Redis TTL to manage expiring keys instead of running cleanup scripts.
Use Pipeline when doing multiple queries for performance.
Consider setting short bursts timeframes for greater responsiveness (e.g., 10 requests every 10 seconds).

Lastly, logging can help debug sudden spikes or unexpected blocks. Consider adding timestamps or IP info to logs in verbose mode.

Final Thoughts

By integrating Redis with Node.js, we’ve built a basic but powerful rate limiter that protects your APIs from overload while staying scalable and efficient. Rate limiting is a foundational layer of modern web security, and Redis makes it simple to implement across distributed environments.

From here, explore more advanced patterns like sliding windows, token buckets, and user-specific rate limiting according to your use case!

Useful links: