
Protect your API from abuse

Protect your API before someone hammers it. Fair usage enforced automatically.

  1. Cloudflare

    Add your domain to Cloudflare and proxy traffic through their network. In Security → WAF → Rate Limiting Rules, create a rule that matches your API path pattern. Set a threshold (e.g., 100 requests per minute per IP) and choose the action: block, challenge, or log. Cloudflare enforces this at the edge before requests reach your origin server.

    Open Cloudflare
  2. Upstash

    Create a free Upstash Redis database and copy the REST URL and token. In your API handler, use the @upstash/ratelimit package to create a sliding window limiter keyed by user ID or IP address. Return a 429 status with a Retry-After header when the limit is exceeded. Upstash stores counters globally with sub-millisecond latency.

    Open Upstash
  3. Kong

    Deploy Kong Gateway in front of your API services. Enable the Rate Limiting plugin on a route or service and configure limits per consumer, IP, or API key. Kong stores counters in memory by default or in Redis for multi-instance deployments. Consumers exceeding limits receive a 429 with X-RateLimit-Remaining: 0 headers.

    Open Kong
  4. Express Rate Limit

    Install express-rate-limit with npm. Create a limiter with rateLimit({ windowMs: 60000, max: 100 }) and apply it as middleware to your router. Use rate-limit-redis as the store so limits persist across server restarts and multiple instances. Add X-RateLimit headers to responses so API clients can self-throttle before hitting the limit.

    Open Express Rate Limit
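The sliding-window limiter from the Upstash step and the 429 / X-RateLimit middleware from the Express step, written out as one dependency-free example. This is added here and is not code from Upstash, @upstash/ratelimit or express-rate-limit. It assumes an Express-style `req`/`res`/`next` interface and that an earlier auth middleware sets `req.user.id` for logged-in callers; counters live in process memory, whereas the steps above put them in Redis so the limit holds across instances. The names `createSlidingWindowLimiter`, `rateLimitMiddleware` and `simulateRequests` are the example's own.

```javascript
// Added example: sliding-window rate limiting with 429 + Retry-After and
// X-RateLimit-* headers. In-memory stand-in for the Redis-backed stores above.

// Sliding-window-log limiter: at most `limit` hits per `windowMs` for each
// key (user ID or IP), counting every hit inside the trailing window.
function createSlidingWindowLimiter({ limit, windowMs }) {
  const hits = new Map(); // key -> timestamps (ms) of recent hits, oldest first

  // `now` is injectable so the behaviour is deterministic under test.
  function check(key, now = Date.now()) {
    const windowStart = now - windowMs;
    const stamps = hits.get(key) || [];
    // Forget hits that have slid out of the window.
    while (stamps.length && stamps[0] <= windowStart) stamps.shift();
    if (stamps.length >= limit) {
      // Capacity returns when the oldest in-window hit expires.
      const retryAfterMs = stamps[0] + windowMs - now;
      hits.set(key, stamps);
      return { allowed: false, remaining: 0, retryAfterSec: Math.ceil(retryAfterMs / 1000) };
    }
    stamps.push(now);
    hits.set(key, stamps);
    return { allowed: true, remaining: limit - stamps.length, retryAfterSec: 0 };
  }

  return { check, limit, windowMs };
}

// Express-compatible middleware. Keys on the authenticated user when there is
// one (assumed: req.user.id set upstream), otherwise on the client IP.
function rateLimitMiddleware(limiter) {
  return function (req, res, next) {
    const key = req.user && req.user.id ? `user:${req.user.id}` : `ip:${req.ip}`;
    const result = limiter.check(key);
    // Advertise the budget so well-behaved clients can self-throttle.
    res.setHeader('X-RateLimit-Limit', String(limiter.limit));
    res.setHeader('X-RateLimit-Remaining', String(result.remaining));
    if (!result.allowed) {
      res.setHeader('Retry-After', String(result.retryAfterSec));
      res.status(429).json({ error: 'rate limit exceeded' });
      return; // do not call next(): the handler never runs
    }
    next();
  };
}

// Drive the middleware offline with constructed req/res objects (no server)
// and return the HTTP statuses observed for `count` requests from one IP.
function simulateRequests(limiter, ip, count) {
  const middleware = rateLimitMiddleware(limiter);
  const statuses = [];
  for (let i = 0; i < count; i++) {
    const res = {
      headers: {}, statusCode: 200, body: null,
      setHeader(k, v) { this.headers[k] = v; },
      status(c) { this.statusCode = c; return this; },
      json(b) { this.body = b; return this; },
    };
    middleware({ ip, user: null }, res, () => {}); // constructed request
    statuses.push(res.statusCode);
  }
  return statuses;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Usage: app.use('/api', rateLimitMiddleware(limiter)) in a real app.
  const limiter = createSlidingWindowLimiter({ limit: 3, windowMs: 60000 });
  console.log(simulateRequests(limiter, '203.0.113.7', 5));
}

module.exports = { createSlidingWindowLimiter, rateLimitMiddleware, simulateRequests };
```

Two things to check before relying on a limiter like this: behind Cloudflare, Kong or any other proxy, `req.ip` is only meaningful if Express's `trust proxy` setting is configured for exactly the hops you control, otherwise a client-supplied `X-Forwarded-For` decides which bucket it lands in; and a per-process `Map` means each instance enforces its own quota, which is why the steps above move the counters to Redis.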
