express-rate-limit vs rate-limiter-flexible vs express-slow-down vs express-brute

npm包名称	下载量	Stars	大小	Issues	发布时间	License

express-rate-limit	9,568,162	3,181	141 kB	8	14 天前	MIT
rate-limiter-flexible	1,369,477	3,419	187 kB	18	18 小时前	ISC
express-slow-down	59,785	292	38.2 kB	1	11 天前	MIT
express-brute	14,044	568	-	21	9 年前	BSD

npm包名称

下载量

Stars

大小

Issues

发布时间

License

express-rate-limit

9,568,162

3,181

141 kB

14 天前

MIT

rate-limiter-flexible

1,369,477

3,419

187 kB

18 小时前

ISC

express-slow-down

59,785

292

38.2 kB

11 天前

MIT

express-brute

14,044

568

9 年前

BSD

存储后端支持

express-rate-limit:
主要使用内存存储，适合小型应用，但不支持持久化存储，可能不适合大规模应用。
rate-limiter-flexible:
支持多种存储后端，包括内存、Redis、MongoDB等，提供更高的灵活性和可扩展性。
express-slow-down:
与 express-rate-limit 相似，主要依赖内存存储，适合小型项目。
express-brute:
支持多种存储后端，包括内存、Redis、MongoDB等，允许开发者根据需求选择合适的存储方式。

功能复杂性

express-rate-limit:
功能简单，易于使用，适合大多数常见的速率限制需求，但缺乏复杂的自定义选项。
rate-limiter-flexible:
功能强大，支持复杂的限制策略和自定义选项，适合需要高度可配置的应用。
express-slow-down:
在请求超过限制时减慢响应速度，提供更友好的用户体验，但功能相对单一。
express-brute:
提供简单的速率限制功能，适合快速实现基本需求，但功能相对较少。

易用性

express-rate-limit:
非常易于使用，提供简单的 API，适合快速集成到现有的 Express 应用中。
rate-limiter-flexible:
虽然功能强大，但配置相对复杂，适合有一定经验的开发者。
express-slow-down:
简单易用，适合需要减慢响应速度的场景，集成方便。
express-brute:
易于集成和使用，适合快速开发和原型设计。

性能影响

express-rate-limit:
在请求量较大时，可能会导致性能下降，尤其是在内存存储模式下。
rate-limiter-flexible:
性能表现良好，尤其是在使用 Redis 等外部存储时，能够处理高并发请求。
express-slow-down:
通过减慢响应速度来处理请求，可能会影响用户体验，但可以有效保护服务器。
express-brute:
在高并发场景下，可能会对性能产生一定影响，尤其是使用内存存储时。

社区支持与维护

express-rate-limit:
拥有活跃的社区和良好的文档，更新频繁，适合大多数项目。
rate-limiter-flexible:
社区活跃，文档完善，更新频繁，适合需要长期维护的项目。
express-slow-down:
社区支持一般，更新较少，适合特定需求的项目。
express-brute:
社区支持相对较小，更新频率较低，适合简单项目。

Usage

import { rateLimit } from 'express-rate-limit' const limiter = rateLimit({ windowMs: 15 * 60 * 1000, // 15 minutes limit: 100, // Limit each IP to 100 requests per `window` (here, per 15 minutes). standardHeaders: 'draft-8', // draft-6: `RateLimit-*` headers; draft-7 & draft-8: combined `RateLimit` header legacyHeaders: false, // Disable the `X-RateLimit-*` headers. ipv6Subnet: 56, // Set to 60 or 64 to be less aggressive, or 52 or 48 to be more aggressive // store: ... , // Redis, Memcached, etc. See below. }) // Apply the rate limiting middleware to all requests. app.use(limiter)

Data Stores

The rate limiter comes with a built-in memory store, and supports a variety of external data stores.

Configuration

All function options may be async. Click the name for additional info and default values.

Option	Type	Remarks
`windowMs`	`number`	How long to remember requests for, in milliseconds.
`limit`	`number` \| `function`	How many requests to allow.
`message`	`string` \| `json` \| `function`	Response to return after limit is reached.
`statusCode`	`number`	HTTP status code after limit is reached (default is 429).
`handler`	`function`	Function to run after limit is reached (overrides `message` and `statusCode` settings, if set).
`legacyHeaders`	`boolean`	Enable the `X-Rate-Limit` header.
`standardHeaders`	`'draft-6'` \| `'draft-7'` \| `'draft-8'`	Enable the `Ratelimit` header.
`identifier`	`string` \| `function`	Name associated with the quota policy enforced by this rate limiter.
`store`	`Store`	Use a custom store to share hit counts across multiple nodes.
`passOnStoreError`	`boolean`	Allow (`true`) or block (`false`, default) traffic if the store becomes unavailable.
`keyGenerator`	`function`	Identify users (defaults to IP address).
`ipv6Subnet`	`number` (32-64) \| `function` \| `false`	How many bits of IPv6 addresses to use in default `keyGenerator`
`requestPropertyName`	`string`	Add rate limit info to the `req` object.
`skip`	`function`	Return `true` to bypass the limiter for the given request.
`skipSuccessfulRequests`	`boolean`	Uncount 1xx/2xx/3xx responses.
`skipFailedRequests`	`boolean`	Uncount 4xx/5xx responses.
`requestWasSuccessful`	`function`	Used by `skipSuccessfulRequests` and `skipFailedRequests`.
`validate`	`boolean` \| `object`	Enable or disable built-in validation checks.

Option

Type

Remarks

windowMs

number

How long to remember requests for, in milliseconds.

limit

number | function

How many requests to allow.

message

string | json | function

Response to return after limit is reached.

statusCode

number

HTTP status code after limit is reached (default is 429).

handler

function

Function to run after limit is reached (overrides message and statusCode settings, if set).

legacyHeaders

boolean

Enable the X-Rate-Limit header.

standardHeaders

'draft-6' | 'draft-7' | 'draft-8'

Enable the Ratelimit header.

identifier

string | function

Name associated with the quota policy enforced by this rate limiter.

store

Store

Use a custom store to share hit counts across multiple nodes.

passOnStoreError

boolean

Allow (true) or block (false, default) traffic if the store becomes unavailable.

keyGenerator

function

Identify users (defaults to IP address).

ipv6Subnet

number (32-64) | function | false

How many bits of IPv6 addresses to use in default keyGenerator

requestPropertyName

string

Add rate limit info to the req object.

skip

function

Return true to bypass the limiter for the given request.

skipSuccessfulRequests

boolean

Uncount 1xx/2xx/3xx responses.

skipFailedRequests

boolean

Uncount 4xx/5xx responses.

requestWasSuccessful

function

Used by skipSuccessfulRequests and skipFailedRequests.

validate

boolean | object

Enable or disable built-in validation checks.

Thank You

Sponsored by Zuplo a fully-managed API Gateway for developers. Add dynamic rate-limiting, authentication and more to any API in minutes. Learn more at zuplo.com

Thanks to Mintlify for hosting the documentation at express-rate-limit.mintlify.app

Finally, thank you to everyone who's contributed to this project in any way! 🫶

Issues and Contributing

If you encounter a bug or want to see something added/changed, please go ahead and open an issue! If you need help with something, feel free to start a discussion!

If you wish to contribute to the library, thanks! First, please read the contributing guide. Then you can pick up any issue and fix/implement it!