
Rate Limiting and Security Headers for Node.js APIs

Protect your API from abuse and attacks with rate limiting, security headers, CORS configuration, and request sanitisation.

Abdur Razzak

Full-Stack Web Developer

May 26, 2026 · 8 min read

Rate Limiting with express-rate-limit

Rate limiting restricts how many requests a single IP can make in a time window. Use express-rate-limit to apply a global limit and stricter limits on sensitive routes like login or password reset to prevent brute-force attacks.
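To make the global-plus-strict layout concrete, here is an added example (not code from the article or from express-rate-limit) of a fixed-window limiter with the same `(req, res, next)` shape, plus the stricter instance for credential routes. It keeps counters in process memory, which is an assumption that only holds for a single instance; in production use express-rate-limit with a shared store. The `app` wiring is shown in comments because Express itself is not loaded here.

```javascript
// Added example: a minimal fixed-window rate limiter shaped like express-rate-limit
// middleware. NOT the library itself; counters live in a Map, so they reset on
// restart and are not shared across instances (use express-rate-limit + Redis).
function createRateLimiter({ windowMs, max, message = "Too many requests" }) {
  const hits = new Map(); // client key -> { count, resetAt }

  function keyFor(req) {
    // req.ip is only trustworthy behind a proxy you control with
    // app.set("trust proxy", 1); otherwise X-Forwarded-For can be spoofed.
    return req.ip;
  }

  function middleware(req, res, next) {
    const now = Date.now();
    const key = keyFor(req);
    let entry = hits.get(key);
    if (!entry || entry.resetAt <= now) {
      entry = { count: 0, resetAt: now + windowMs }; // new window for this client
      hits.set(key, entry);
    }
    entry.count += 1;
    const secondsLeft = Math.ceil((entry.resetAt - now) / 1000);
    // Draft IETF RateLimit headers let well-behaved clients back off early.
    res.setHeader("RateLimit-Limit", String(max));
    res.setHeader("RateLimit-Remaining", String(Math.max(0, max - entry.count)));
    res.setHeader("RateLimit-Reset", String(secondsLeft));
    if (entry.count > max) {
      res.setHeader("Retry-After", String(secondsLeft));
      res.status(429).json({ error: message });
      return; // do not call next(): the request stops here
    }
    next();
  }
  middleware.reset = () => hits.clear();
  return middleware;
}

// Global ceiling: 100 requests per 15 minutes per IP.
const globalLimiter = createRateLimiter({ windowMs: 15 * 60 * 1000, max: 100 });
// Credential endpoints get a much tighter budget to blunt brute forcing.
const loginLimiter = createRateLimiter({
  windowMs: 15 * 60 * 1000,
  max: 5,
  message: "Too many login attempts, try again later",
});

// Express wiring (assumed `app`, `loginHandler`, `resetHandler`):
//   app.use(globalLimiter);
//   app.post("/login", loginLimiter, loginHandler);
//   app.post("/password-reset", loginLimiter, resetHandler);

// Exercise a limiter without a server: fake req/res, report the resulting status
// (200 means the request was passed on to next()).
function simulate(limiter, ip) {
  const req = { ip };
  let statusCode = 200;
  const res = {
    headers: {},
    setHeader(k, v) { this.headers[k] = v; },
    status(c) { statusCode = c; return this; },
    json() { return this; },
  };
  limiter(req, res, () => {});
  return { status: statusCode, headers: res.headers };
}

// Constructed demonstration: the sixth attempt from one address is refused while
// a second address is unaffected.
function demo() {
  const limiter = createRateLimiter({ windowMs: 60000, max: 5 });
  const statuses = [];
  for (let i = 0; i < 6; i++) statuses.push(simulate(limiter, "203.0.113.10").status);
  const other = simulate(limiter, "203.0.113.11").status;
  return { statuses, other };
}
```

Keying on `req.ip` alone means clients behind one NAT share a budget; for login routes a combined key of IP and submitted username is often a better fit.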

Security Headers with Helmet

Helmet sets a collection of HTTP response headers that protect against common attacks. It enables Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, and others with sensible defaults you can customise.
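The following added example (not Helmet's code, and not from the article) shows what such a middleware actually emits and how a Content-Security-Policy override merges with defaults, together with a small check that flags weakening directives. The default directive values are modelled on Helmet's documented defaults, which is an assumption about the version you install; use `app.use(helmet())` in a real app.

```javascript
// Added example: Helmet-style header middleware. NOT the Helmet package.
// Directive defaults below are an assumption modelled on Helmet's documented ones.
const DEFAULT_CSP = {
  "default-src": ["'self'"],
  "base-uri": ["'self'"],
  "font-src": ["'self'", "https:", "data:"],
  "form-action": ["'self'"],
  "frame-ancestors": ["'self'"],
  "img-src": ["'self'", "data:"],
  "object-src": ["'none'"],
  "script-src": ["'self'"],
  "script-src-attr": ["'none'"],
  "style-src": ["'self'", "https:", "'unsafe-inline'"],
  "upgrade-insecure-requests": [],
};

// "name value value; name value" serialisation; value-less directives stand alone.
function serializeCsp(directives) {
  return Object.entries(directives)
    .map(([name, values]) => (values.length ? `${name} ${values.join(" ")}` : name))
    .join("; ");
}

// Flags directives that undo most of the benefit of a CSP.
function cspWeaknesses(directives) {
  const findings = [];
  const scriptSrc = directives["script-src"] || directives["default-src"] || [];
  for (const v of scriptSrc) {
    if (v === "'unsafe-inline'" || v === "'unsafe-eval'" || v === "*" || v === "https:") {
      findings.push(`script-src allows ${v}`);
    }
  }
  const defaultSrc = directives["default-src"] || [];
  if (defaultSrc.includes("*")) findings.push("default-src allows *");
  if (!directives["object-src"]) findings.push("object-src not set (plugins allowed)");
  return findings;
}

function securityHeaders(options = {}) {
  const overrides = options.contentSecurityPolicy && options.contentSecurityPolicy.directives;
  const csp = Object.assign({}, DEFAULT_CSP, overrides || {});
  const hstsMaxAge = options.hstsMaxAge === undefined ? 15552000 : options.hstsMaxAge; // 180 days
  const cspValue = serializeCsp(csp);
  return function (req, res, next) {
    res.setHeader("Content-Security-Policy", cspValue);
    res.setHeader("X-Content-Type-Options", "nosniff");        // no MIME sniffing
    res.setHeader("X-Frame-Options", "SAMEORIGIN");             // clickjacking, legacy UAs
    res.setHeader("Referrer-Policy", "no-referrer");
    res.setHeader("Strict-Transport-Security", `max-age=${hstsMaxAge}; includeSubDomains`);
    res.setHeader("X-DNS-Prefetch-Control", "off");
    res.setHeader("Cross-Origin-Opener-Policy", "same-origin");
    res.setHeader("Cross-Origin-Resource-Policy", "same-origin");
    if (typeof res.removeHeader === "function") res.removeHeader("X-Powered-By"); // Express fingerprint
    next();
  };
}

// Run the middleware against a fake response and return the headers it set.
function captureHeaders(middleware) {
  const res = {
    headers: {},
    setHeader(k, v) { this.headers[k] = v; },
    removeHeader(k) { delete this.headers[k]; },
  };
  middleware({}, res, () => {});
  return res.headers;
}

// Constructed usage: allow scripts from one CDN while keeping the other defaults.
const hardened = captureHeaders(securityHeaders({
  contentSecurityPolicy: { directives: { "script-src": ["'self'", "https://cdn.example.com"] } },
}));
```

A CSP override replaces a directive wholesale rather than appending to it, so each override should restate `'self'` if the app still needs it.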

CORS Configuration

CORS tells browsers which origins can make requests to your API. Always specify an explicit allowlist instead of using the wildcard *. Configure allowed methods, headers, and whether credentials are permitted.
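To show the allowlist, preflight handling and the credentials rule as headers on the wire, here is an added example (not the `cors` package and not the article's code). It mirrors what `cors({ origin: [...], methods, allowedHeaders, credentials })` does, echoing the exact matching origin and refusing to combine credentials with a wildcard; the origin values are constructed.

```javascript
// Added example: allowlist CORS middleware. NOT the `cors` package; written to make
// the emitted headers visible. Origins below are constructed sample values.
function createCors({
  allowedOrigins,
  methods = ["GET", "POST"],
  allowedHeaders = ["Content-Type", "Authorization"],
  credentials = false,
  maxAge = 600,
}) {
  const allow = new Set(allowedOrigins);
  // Browsers reject "Access-Control-Allow-Origin: *" on credentialed requests, and
  // reflecting any origin with credentials would let any site call the API as the user.
  if (credentials && allow.has("*")) {
    throw new Error("credentials:true cannot be combined with a wildcard origin");
  }

  return function cors(req, res, next) {
    const origin = req.headers.origin;
    res.setHeader("Vary", "Origin"); // response differs per origin; caches must not mix them

    if (!origin || !allow.has(origin)) {
      // Same-origin or disallowed: emit no CORS headers. A preflight still gets a
      // reply, but without Allow-* headers the browser blocks the real request.
      if (req.method === "OPTIONS") { res.status(204).end(); return; }
      return next();
    }

    res.setHeader("Access-Control-Allow-Origin", origin); // the exact origin, never "*"
    if (credentials) res.setHeader("Access-Control-Allow-Credentials", "true");

    if (req.method === "OPTIONS") {
      // Preflight: advertise what the actual request may use, then stop.
      res.setHeader("Access-Control-Allow-Methods", methods.join(", "));
      res.setHeader("Access-Control-Allow-Headers", allowedHeaders.join(", "));
      res.setHeader("Access-Control-Max-Age", String(maxAge));
      res.status(204).end();
      return;
    }
    next();
  };
}

// Express wiring (assumed `app`):
//   app.use(createCors({ allowedOrigins: ["https://app.example.com"], credentials: true }));

// Drive the middleware with a fake request and report what it did.
function simulateCors(middleware, method, origin) {
  const req = { method, headers: origin ? { origin } : {} };
  let statusCode = 200;
  let nextCalled = false;
  const res = {
    headers: {},
    setHeader(k, v) { this.headers[k] = v; },
    status(c) { statusCode = c; return this; },
    end() { return this; },
  };
  middleware(req, res, () => { nextCalled = true; });
  return { status: statusCode, headers: res.headers, nextCalled };
}

const apiCors = createCors({
  allowedOrigins: ["https://app.example.com"],
  methods: ["GET", "POST", "DELETE"],
  credentials: true,
});
```

Because only the exact origin is echoed, a page served from a look-alike origin such as `https://app.example.com.attacker.example` gets no `Access-Control-Allow-Origin` header at all; string prefix checks against an allowlist are a common way to lose that property.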

Input Sanitisation

Sanitise all user input to prevent NoSQL injection and XSS. For MongoDB, avoid using user-supplied values as query operators. Strip HTML tags from text fields unless you specifically intend to render HTML. Never eval user-provided strings.
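The three rules above (no user-supplied operators, HTML stripped from text fields, queries built only from plain strings) in working form, as an added example that is not the article's code nor the express-mongo-sanitize or xss packages. The request bodies are constructed samples. The tag stripper repeats until nothing changes and then escapes leftover angle brackets, because a single-pass regex strip is easy to slip past; that strengthening is this example's choice, not something the article states.

```javascript
// Added example: body hardening for a MongoDB-backed Express API. Not a library;
// illustrative code with constructed sample bodies.

// MongoDB treats keys beginning with "$" as operators and keys containing "." as
// dotted paths. Neither belongs in data a client is allowed to send.
const OPERATOR_KEY = /^\$|\./;

function assertNoOperatorKeys(value, path = "body") {
  if (Array.isArray(value)) {
    value.forEach((v, i) => assertNoOperatorKeys(v, `${path}[${i}]`));
    return;
  }
  if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      if (OPERATOR_KEY.test(k)) throw new Error(`rejected key "${k}" at ${path}`);
      assertNoOperatorKeys(v, `${path}.${k}`);
    }
  }
}

// Remove tags until the string stops changing (so "<<b>script>" does not leave a
// tag behind), then neutralise any stray angle brackets that remain.
function stripTags(s) {
  let prev;
  do {
    prev = s;
    s = s.replace(/<[^<>]*>/g, "");
  } while (s !== prev);
  return s.replace(/[<>]/g, (ch) => (ch === "<" ? "&lt;" : "&gt;"));
}

// Deep-copy the body, refusing operator keys and stripping HTML from every string.
function sanitizeBody(body) {
  assertNoOperatorKeys(body);
  const walk = (v) => {
    if (Array.isArray(v)) return v.map(walk);
    if (v && typeof v === "object") {
      return Object.fromEntries(Object.entries(v).map(([k, x]) => [k, walk(x)]));
    }
    return typeof v === "string" ? stripTags(v) : v;
  };
  return walk(body);
}

// Build the login lookup from a plain string only. Passing body.username straight
// through would let {"$gt": ""} match the first user in the collection.
function buildUserFilter(body) {
  if (typeof body.username !== "string" || body.username.length === 0) {
    throw new TypeError("username must be a non-empty string");
  }
  return { username: body.username };
}

// Express wiring (assumed `app`, `User` model, `verifyPassword`):
//   app.post("/login", (req, res, next) => {
//     try {
//       const body = sanitizeBody(req.body);
//       const user = await User.findOne(buildUserFilter(body));
//       ...
//     } catch (e) { return res.status(400).json({ error: "invalid request" }); }
//   });

// Constructed sample bodies used to exercise the checks.
function isRejected(body) {
  try { sanitizeBody(body); return false; } catch (e) { return true; }
}
const SAMPLE_OPERATOR_BODY = { username: "admin", password: { $gt: "" } };
const SAMPLE_DOTTED_BODY = { profile: { "role.admin": true } };
const SAMPLE_CLEAN_BODY = { username: "alice", bio: "<b>hello</b> <img src=x>there" };
```

Note that `sanitizeBody` never touches the password value beyond the operator check; passwords should be compared against a stored hash, not written into a query filter.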
