Package Exports
- express-brute-guard
Readme
๐ก๏ธ Express-Brute-Guard
A lightweight, customizable, and production-ready rate-limiting middleware for Node.js, designed to protect APIs from brute-force and abuse attacks. Built with in-memory storage and optional headers, with support for auto-cleanup of expired IP entries.
๐ Features
- ๐ Per-IP rate limiting
- โฒ๏ธ Configurable request window and block duration
- โก Fast in-memory store
- ๐ก Customizable response headers
- ๐งน Auto cleanup of expired entries (no cron needed)
- ๐งฑ Pluggable store system (Redis/DB support planned for v2)
๐ฆ Installation
bash
npm install express-brute-guard
๐ Usage
typescript
import express from 'express';
import { BruteGuard } from 'express-brute-guard';
const app = express();
const bruteGuard = new BruteGuard({
maxRequests: 5,
windowMs: 10 * 60 * 1000, // 10 minutes
blockDuration: 5 * 60 * 1000, // 5 minutes
errormessage: 'Too many attempts. Please try again later.',
headers: true, // Add X-RateLimit-* headers
});
// Apply middleware
app.use((req, res, next) => bruteGuard.createGuard(req, res, next));
// Your routes
app.get('/', (req, res) => {
res.send('Welcome!');
});
app.listen(3000, () => console.log('Server running on port 3000'));
๐ฆ Default Export (Plug & Play Middleware)
If you just want to use BruteGuard with default or minimal config:
typescript
import bruteGuard from 'express-brute-guard';
import express from 'express';
const app = express();
// Apply brute-force protection globally
app.use(bruteGuard.createGuard());
app.listen(3000, () => {
console.log('Server running on port 3000');
});
โ Best for: Quick setup and global protection.
โ๏ธ Named Export (Custom Configs per Route)
If you need custom configurations (e.g., different rate limits per route):
typescript
import { BruteGuard } from 'express-brute-guard';
import express from 'express';
const app = express();
// Create multiple instances with custom configs
const loginLimiter = new BruteGuard({
maxRequests: 5,
windowMs: 60 * 1000, // 1 minute
});
const signupLimiter = new BruteGuard({
maxRequests: 2,
windowMs: 5 * 60 * 1000, // 5 minutes
});
// Apply per-route brute-force protection
app.post('/login', loginLimiter.createGuard(), (req, res) => {
res.send('Login route');
});
app.post('/signup', signupLimiter.createGuard(), (req, res) => {
res.send('Signup route');
});
app.listen(3000, () => {
console.log('Server running on port 3000');
});
๐ง Best for: Apps needing fine-grained control, customization, or testing.
โ๏ธ Options
| Option | Type | Default | Description |
|---|---|---|---|
maxRequests |
number |
10 |
Max requests allowed before blocking |
windowMs |
number |
5 * 60 * 1000 |
Time window for tracking requests (in ms) |
blockDuration |
number |
3 * 60 * 1000 |
How long to block the IP after limit exceeded (in ms) |
statusCode |
number |
429 |
HTTP status code for blocked requests |
errormessage |
string |
'Too many Requests' |
Message shown when limit is exceeded |
headers |
boolean |
true |
Whether to set rate-limit headers |
store |
any |
memoryStore |
Optional custom store (e.g., Redis support in v2) |
๐ง How It Works
- Each IP gets tracked on request.
- If requests exceed
maxRequestsinwindowMs, IP is temporarily blocked. - If an entry expires, it is automatically cleaned up by a background process using
setInterval.
๐ฎ Coming in v2
- โ Redis store support
- โ Sliding window algorithm
- โ Per-route configuration
- โ Type-safe middleware usage
- โ Dashboard / monitoring integration
๐งช Testing
Basic test setup (optional):
bash
npm install --save-dev jest supertest
You can write tests to validate:
- Blocking after limit
- Reset after window
- Cleanup behavior
๐ค Contributing
PRs and feature requests are welcome! Open issues or reach out via GitHub.
๐งโ๐ป Author
Developed by Taran Mesala
For support or feature requests, open an issue.
๐ License
This project is licensed under the MIT License.