Protect your API from abuse
Protect your API before someone hammers it. Fair usage enforced automatically.
Tools that power the "Protect your API from abuse" stack
Cloudflare
Edge rate limiting
Block abusive traffic and throttle requests at the network edge before they reach your server
Upstash
Serverless Redis
Serverless Redis with a per-request pricing model ideal for rate limiting counters
Kong
API gateway
Open-source API gateway with built-in rate limiting, auth, and routing plugins
Express Rate Limit
Node.js middleware
Drop-in rate limiting middleware for Express apps with flexible storage backends
1. Cloudflare
Add your domain to Cloudflare and proxy traffic through their network. In Security → WAF → Rate Limiting Rules, create a rule that matches your API path pattern. Set a threshold (e.g., 100 requests per minute per IP) and choose the action: block, challenge, or log. Cloudflare enforces this at the edge before requests reach your origin server.
2. Upstash
Create a free Upstash Redis database and copy the REST URL and token. In your API handler, use the @upstash/ratelimit package to create a sliding window limiter keyed by user ID or IP address. Return a 429 status with a Retry-After header when the limit is exceeded. Upstash stores counters globally with sub-millisecond latency.
3. Kong
Deploy Kong Gateway in front of your API services. Enable the Rate Limiting plugin on a route or service and configure limits per consumer, IP, or API key. Kong stores counters in memory by default or in Redis for multi-instance deployments. Consumers exceeding limits receive a 429 with X-RateLimit-Remaining: 0 headers.
4. Express Rate Limit
Install express-rate-limit with npm. Create a limiter with rateLimit({ windowMs: 60000, max: 100 }) and apply it as middleware to your router. Use rate-limit-redis as the store so limits persist across server restarts and multiple instances. Add X-RateLimit headers to responses so API clients can self-throttle before hitting the limit.
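The limiter behaviour from steps 2 and 4, as an added example that is not code from this page or from any of the listed tools: a sliding-window limiter keyed by user ID or IP that answers with 429, Retry-After and X-RateLimit headers. It keeps timestamps in process memory as a stand-in for the Redis store, and the names SlidingWindowLimiter and rateLimitResponse are assumptions.

```javascript
// Added example; SlidingWindowLimiter and rateLimitResponse are hypothetical names.
// Timestamps live in process memory here as a stand-in for a shared Redis store.
class SlidingWindowLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> ascending timestamps (ms) of allowed requests
  }

  check(key, now = Date.now()) {
    // Keep only requests still inside the window ending at `now`.
    const recent = (this.hits.get(key) || []).filter((t) => t > now - this.windowMs);
    this.hits.set(key, recent);
    if (recent.length >= this.limit) {
      // A slot frees up when the oldest counted request slides out of the window.
      const retryAfterSec = Math.ceil((recent[0] + this.windowMs - now) / 1000);
      return { allowed: false, remaining: 0, retryAfterSec };
    }
    recent.push(now); // rejected requests are not recorded, only allowed ones
    return { allowed: true, remaining: this.limit - recent.length, retryAfterSec: 0 };
  }
}

// Turns a limiter decision into the status and headers the steps above describe.
function rateLimitResponse(limiter, { userId, ip }, now = Date.now()) {
  const key = userId ? `user:${userId}` : `ip:${ip}`; // identity first, address as fallback
  const r = limiter.check(key, now);
  const headers = {
    'X-RateLimit-Limit': String(limiter.limit),
    'X-RateLimit-Remaining': String(r.remaining),
  };
  if (!r.allowed) headers['Retry-After'] = String(r.retryAfterSec);
  return { status: r.allowed ? 200 : 429, headers };
}

// Constructed demo: limit of 3 per minute, four requests one second apart.
const demo = new SlidingWindowLimiter({ limit: 3, windowMs: 60000 });
for (let i = 0; i < 4; i++) {
  const res = rateLimitResponse(demo, { userId: 'u1' }, 1000000 + i * 1000);
  console.log(res.status, res.headers);
}
```

Because the key prefers the user ID, an authenticated client keeps one budget across addresses, while anonymous traffic falls back to a per-IP budget.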
Frequently asked questions
Costs depend on your scale. Most tools in this stack offer a free tier to start. Open the cost calculator on this page to estimate monthly cost based on your users and revenue.
This stack uses 4 tools: Cloudflare, Upstash, Kong, Express Rate Limit. Each tool is picked to work well with the others and to cover a specific part of the workflow.
Yes. The stack is a recommended starting point. You can replace any tool with an alternative you already use. Check the setup guide first to confirm the integration points you'll need to rebuild.
Most makers finish the 4-step setup in under an hour. Creating accounts and connecting the first integration takes the most time.