Express middleware for IP-based rate limiting with flexible configuration options and multiple storage backends
Overall score: 96%
Build an Express application that uses a configurable rate-limiting middleware to protect common routes with sensible defaults and optional overrides. The app exposes GET /status and GET /data behind a shared limiter, plus POST /login with a stricter limiter.
- GET /status accepts up to five requests per minute from the same client; the sixth within sixty seconds responds with HTTP 429 and JSON { "error": "Too many requests", "limit": 5, "remaining": 0 }, including a Retry-After header. @test
- GET /status and GET /data, sharing the same window and request counter per client. @test
- global options object can change window length, request cap, status code, response body, and header style (standard RateLimit headers vs legacy X-RateLimit-* headers); creating the app must leave the provided options object unchanged. @test
- POST /login uses its own limiter with a fifteen-minute window and three-request cap per client (overridable via the login options); hitting it a fourth time within the window returns HTTP 429 with JSON { "error": "Too many login attempts" } without affecting the global limiter counters. @test

@generates
export type HeaderMode = "legacy" | "standard";

export interface RateLimitOptions {
  windowMs?: number;
  maxRequests?: number;
  statusCode?: number;
  responseBody?: any;
  headerMode?: HeaderMode;
}

export interface AppConfig {
  global?: RateLimitOptions;
  login?: RateLimitOptions;
}

export function createRateLimitedApp(config?: AppConfig): import("express").Express;

Web application framework for routing and responses.
Rate limiting middleware used to build the global and login limiters.
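The acceptance criteria above, modelled as a dependency-free fixed-window counter. This is an added example, not the package's code or the generated implementation; `makeLimiter`, `createRateLimitModel`, the route-string keys and the explicit `now` argument are assumptions made so the behaviour can be checked without Express.

```javascript
// Added example: dependency-free model of the spec's limiter semantics.
// makeLimiter and createRateLimitModel are hypothetical names, not package APIs.
const GLOBAL_DEFAULTS = {
  windowMs: 60_000, maxRequests: 5, statusCode: 429, headerMode: "standard",
  responseBody: (limit) => ({ error: "Too many requests", limit, remaining: 0 }),
};
const LOGIN_DEFAULTS = {
  windowMs: 15 * 60_000, maxRequests: 3, statusCode: 429, headerMode: "standard",
  responseBody: { error: "Too many login attempts" },
};

function makeLimiter(defaults, overrides) {
  // Merge into a fresh object so the caller's options object is never mutated.
  const opts = { ...defaults, ...(overrides || {}) };
  const hits = new Map(); // clientKey -> { count, resetAt }
  const prefix = opts.headerMode === "legacy" ? "X-RateLimit-" : "RateLimit-";

  return function check(clientKey, now = Date.now()) {
    let entry = hits.get(clientKey);
    if (!entry || now >= entry.resetAt) { // first hit, or the window has expired
      entry = { count: 0, resetAt: now + opts.windowMs };
      hits.set(clientKey, entry);
    }
    entry.count += 1;
    const remaining = Math.max(0, opts.maxRequests - entry.count);
    const headers = {
      [prefix + "Limit"]: String(opts.maxRequests),
      [prefix + "Remaining"]: String(remaining),
    };
    if (entry.count <= opts.maxRequests) return { status: 200, headers, body: null };

    // Over the cap: tell the client how many seconds remain in the window.
    headers["Retry-After"] = String(Math.ceil((entry.resetAt - now) / 1000));
    const body = typeof opts.responseBody === "function"
      ? opts.responseBody(opts.maxRequests) : opts.responseBody;
    return { status: opts.statusCode, headers, body };
  };
}

function createRateLimitModel(config = {}) {
  const globalCheck = makeLimiter(GLOBAL_DEFAULTS, config.global);
  const loginCheck = makeLimiter(LOGIN_DEFAULTS, config.login);
  // One limiter instance serves both GET routes, so they share a counter per client.
  const routes = {
    "GET /status": globalCheck, "GET /data": globalCheck, "POST /login": loginCheck,
  };
  return (route, clientKey, now) => routes[route](clientKey, now);
}
```

In an Express app the client key would typically be the request's IP address, so the per-client counts are only as trustworthy as the proxy configuration that determines that address.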
Install with Tessl CLI
npx tessl i tessl/npm-express-rate-limit