
tessl/npm-express-rate-limit

Express middleware for IP-based rate limiting with flexible configuration options and multiple storage backends

Overall score: 96%


evals/scenario-9/task.md

Rate Limit Header Sandbox

A minimal Express server that demonstrates both standardized and legacy rate limit response headers for two endpoints. The server should make it obvious when standard headers are enabled versus legacy headers, and should surface retry timing when requests exceed the configured limits.

Capabilities

Standard header reporting

  • The first request to /standard in a 60-second window returns 200 OK and includes a RateLimit header that reports limit=3 and remaining=2, plus a RateLimit-Policy header describing the same 3-per-60s window (for example, 3;w=60). @test
  • The fourth immediate request to /standard (within that 60-second window) returns 429 with a Retry-After value that matches the remaining seconds until reset and a RateLimit header showing remaining=0. @test

Legacy header compatibility

  • The first request to /legacy in a 30-second window returns 200 OK and includes X-RateLimit-Limit: 2, X-RateLimit-Remaining: 1, and an X-RateLimit-Reset timestamp (Unix seconds) within roughly 30 seconds in the future. @test
  • The third immediate request to /legacy within that 30-second window returns 429 with Retry-After matching the remaining seconds in the window and X-RateLimit-Remaining: 0. @test

Header mode separation

  • Responses from /standard never include any X-RateLimit-* headers, and responses from /legacy omit RateLimit/RateLimit-Policy headers so each route only exposes its intended header format. @test
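The header expectations listed above can be checked mechanically against captured responses. The following is an added example, not part of the task files or of express-rate-limit: `parseRateLimit`, `checkResponse` and the sample values are hypothetical, and it assumes the combined RateLimit header is a comma-separated list of key=value pairs that includes a reset= field in seconds.

```javascript
// Added example. Parses "limit=3, remaining=2, reset=58" into { limit: 3, remaining: 2, reset: 58 }.
function parseRateLimit(value) {
  const out = {};
  for (const part of String(value).split(",")) {
    const [key, raw] = part.trim().split("=");
    if (key && /^\d+$/.test(raw ?? "")) out[key] = Number(raw);
  }
  return out;
}

// expected: { mode: "standard" | "legacy", limit, windowSec }; nowSec: Unix seconds.
// Returns a list of violations; an empty list means the response conforms.
function checkResponse(expected, status, headers, nowSec) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const problems = [];
  const legacy = Object.keys(h).filter((k) => k.startsWith("x-ratelimit-"));
  let remaining, secondsToReset;
  if (expected.mode === "standard") {
    if (legacy.length) problems.push("legacy headers leaked: " + legacy.join(", "));
    const rl = parseRateLimit(h["ratelimit"] ?? "");
    if (rl.limit !== expected.limit) problems.push("RateLimit limit mismatch");
    if (h["ratelimit-policy"] !== `${expected.limit};w=${expected.windowSec}`)
      problems.push("RateLimit-Policy mismatch");
    remaining = rl.remaining;
    secondsToReset = rl.reset; // assumption: reset= is seconds until the window ends
  } else {
    if ("ratelimit" in h || "ratelimit-policy" in h) problems.push("standard headers leaked");
    if (Number(h["x-ratelimit-limit"]) !== expected.limit) problems.push("X-RateLimit-Limit mismatch");
    remaining = Number(h["x-ratelimit-remaining"] ?? NaN);
    secondsToReset = Number(h["x-ratelimit-reset"]) - nowSec; // Unix timestamp to delta
  }
  if (!(secondsToReset >= 0 && secondsToReset <= expected.windowSec + 1))
    problems.push("reset outside the configured window");
  if (!Number.isInteger(remaining) || remaining < 0 || remaining >= expected.limit)
    problems.push("remaining out of range");
  if (status === 429) {
    if (remaining !== 0) problems.push("429 but remaining is not 0");
    if (!(Math.abs(Number(h["retry-after"]) - secondsToReset) <= 1))
      problems.push("Retry-After does not match time to reset");
  }
  return problems;
}

// Constructed sample: a /legacy 429 that wrongly also exposes a standard header.
const NOW = 1700000000; // constructed clock value
const leaky = { "X-RateLimit-Limit": "2", "X-RateLimit-Remaining": "0",
  "X-RateLimit-Reset": String(NOW + 12), "Retry-After": "12", RateLimit: "limit=2, remaining=0, reset=12" };
console.log(checkResponse({ mode: "legacy", limit: 2, windowSec: 30 }, 429, leaky, NOW));
```

A one-second tolerance is allowed between Retry-After and the reset value to absorb rounding at second boundaries.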

Implementation

@generates

API

import type { Express } from "express";

/**
 * Creates an Express app that serves rate-limited routes.
 */
export function createApp(): Express;

Dependencies { .dependencies }

express { .dependency }

Hosts the HTTP server and routes.

express-rate-limit { .dependency }

Provides middleware that enforces request quotas and emits rate limit response headers.

Install with Tessl CLI

npx tessl i tessl/npm-express-rate-limit
