Protecting express js server from brute force

brute force attack express
node js brute force prevention
express js best practices
express protected routes
express helmet
express brute alternative
express cookie-session

I'm writing an api using nodejs and express and my app is hosted by openshift free plan. I want to protect my routes from brute force. For example if an IP sends more than 5 requests /sec then block it for 5 minutes. :)

There's nothing stopping you from implementing this in Node.js/express directly, but this sort of thing is typically (and almost certainly more easily) handled by using something like nginx or Apache httpd to handle traffic to your app.

This has the added benefit of allowing you to run the app entirely as an unprivileged user because nginx (or whatever) will be binding to ports 80 and 443 (which requires administrative/superuser/whatever privileges) rather than your app. Plus you can easily get a bunch of other desirable features, like caching for static contents.

nginx has a module specifically for this:

The ngx_http_limit_req_module module (0.7.21) is used to limit the request processing rate per a defined key, in particular, the processing rate of requests coming from a single IP address.

Security Best Practices for Express in Production, You're going to read about login brute-force protection practices and examples written on Node.js. The same patterns can be applied to any web application. Protect your system against brute force A brute force attack is the simplest and most common way to get access to a website or a server. The hacker (in most cases automatically, rarely manually) tries various usernames and passwords repeatedly to break into the system. These attacks can be prevented with the help of rate-limiter-flexible package.

Brute-force protection Node.js examples - Roman Voloboev, If you are building a Node application with Express or with another framework built on express e.g. feathers.js , Koa.js, Kraken, Sails, or another  Preventing Brute Force Using Node and Express JS. I'm building a website using Node and Express JS and would like to throttle invalid login attempts. Both to prevent online cracking and to reduce unnecessary database calls.

It is better to limit rates on reverse-proxy, load balancer or any other entry point to your node.js app.

However, it doesn't fit requirements sometimes.

rate-limiter-flexible package has block option you need

const { RateLimiterMemory } = require('rate-limiter-flexible');

const opts = {
  points: 5, // 5 points
  duration: 1, // Per second
  blockDuration: 300, // block for 5 minutes if more than points consumed 

const rateLimiter = new RateLimiterMemory(opts);

const rateLimiterMiddleware = (req, res, next) => {
  // Consume 1 point for each request
    .then(() => {
    .catch((rejRes) => {
      res.status(429).send('Too Many Requests');


You can configure rate-limiter-flexible for any exact route. See official express docs about using middlwares

There are also options for Cluster or distributed apps and many others useful

Node.js – Protection from Brute Force and DDOS Attacks , Deprecated or outdated versions of Express.js are a no go. The 2nd and 3rd versions To secure HTTP headers, you can make use of Helmet.js – a helpful Node.js module. Protect your system against brute force. A brute  A brute-force protection middleware for express routes that rate-limits incoming requests, increasing the delay with each request in a fibonacci-like sequence.

Express.js Security Tips: How You Can Save and Secure Your App, Brute force attack is a method used to obtain sensitive data such as user with SQL database, you should consider using node-mysql dependency. Being good at securing backend application is really valuable and it is  Node.js – Protection from Brute Force and DDOS Attacks If you are building a Node application with Express or with another framework built on express e.g. feathers.js , Koa.js, Kraken, Sails, or another frameworks listed on , you can use the express-rate-limit middleware to protect Your solution from Brute Force and DDOS Attacks .

How to make your NodeJS application or API secure, Brute-force protection middleware for express routes by rate limiting incoming wrong // cause node to exit, hopefully restarting the process fixes the problem  To prevent brute-force attacks there are the following approaches you can use: artificially slow-down login attempts through sleep. This was somewhat common for PHP websites. The problem with this is of course, that it takes up some resources on your webserver. use captchas. require that a login must solve a captcha. rate limiting

AdamPflug/express-brute: Brute-force protection , A brute-force protection middleware for express routes that rate limits incoming requests. A much better solution would be to avoid FTP altogether and use more secure file transfer protocols like FTPS or SFTP instead. JSCAPE's managed file transfer server also supports these two secure protocols and more. Protect your FTP passwords from brute force attacks

  • This is called "Rate Limiting" and there have been many articles and some previous StackOverflow posts written about it. I'd suggest you start with what has already been written. Here's one: What's a good rate limiting algorithm.
  • @jfriend00 thanks for the name, I'm searching for it + it's very cool to write something from scratch :)
  • Here's a good reference on the Leaky Bucket Algorithm which is one common algorithm used for rate limiting.
  • Thanks for reply. But I think that I didn't get your point. I'm using nodejs and don't want to using another webserver :)
  • It's standard practice to use nginx as a reverse proxy to node.