Security

This is too often overlooked or completely ignored. But just a few lines of code can make your app much harder to break.

Helmet helps you secure your Express apps by setting various HTTP headers.
Add an API rate limit to reduce the number of actions and protect from DDoS and brute force attacks.
Enforce HTTPS

Helmet

$ yarn add helmet

Start protecting your app with helmet

import helmet from "helmet";

export const createApp = () => {
  // ...
  app.use(helmet());
  app.use(helmet.noCache()); // disable browser caching
  app.use(
    helmet.hsts({
      includeSubDomains: true, // enforce https everywhere
      preload: true
    })
  ); 
 // ...
};

API Rate Limit

The library node-rate-limiter-flexible helps us keep track of requests count.

$ yarn add rate-limiter-flexible

We are going to create a new folder middlewaresand add RateLimiter.ts to it.

.
├── app.ts
└── middlewares
    ├── RateLimiter
    │   ├── index.spec.ts
    │   └── index.ts
    └── index.ts

import { RateLimiterMemory, IRateLimiterOptions } from 'rate-limiter-flexible';
import { Handler } from 'express';
import { AppRequest } from '../app';

class RateLimiterMiddleware extends RateLimiterMemory {
  constructor(opts: IRateLimiterOptions = {}) {
    super({
      points: 10,
      duration: 1,
      ...opts,
    });
  }
  middleware: Handler = async (request: AppRequest, response, next) => {
    try {
      await this.consume(request.user ? request.user.emailAddress : request.ip);
      next();
    } catch (error) {
      response.sendStatus(429); // Too Many Requests
    }
  };
}

export { RateLimiterMiddleware };

We can now use this middleware in app.ts.

app.ts

import { RateLimiterMiddleware } from './middlewares'

export const createApp = () => {
  const app = express();
  app.use(new RateLimiterMiddleware().middleware);
};

The number of requests is now limited to 10 per seconds. Go ahead an experiment with higher numbers to see if you will get rejected.

Or instead, we can also write a test for this:

~/packages/api

$ yarn add supertest @types/supertest -D

middlewares/RateLimiter/index.spec.ts

import * as express from "express";
import * as supertest from "supertest";
import { RateLimiterMiddleware } from "./index";

describe("middlewares/RateLimiter", () => {
  it("should limit the amount of requests", async () => {
    const app = express();
    app.use(new RateLimiterMiddleware({ points: 1 }).middleware);
    app.get("/test", (_, response) => response.sendStatus(200));
    const agent = supertest(app);

    await agent.get("/test").expect(200);
    await agent.get("/test").expect(429);
  });
});

security branch available on GitHub.

PreviousExpress API NextDatabase

Last updated 6 years ago

hashtagHelmet

hashtagAPI Rate Limit

Helmet

API Rate Limit