1---
2title: Implement Rate Limiting
3impact: HIGH
4impactDescription: Protects against abuse and ensures fair resource usage
5tags: security, rate-limiting, throttler, protection
6---
7 
8## Implement Rate Limiting
9 
10Use `@nestjs/throttler` to limit request rates per client. Apply different limits for different endpoints - stricter for auth endpoints, more relaxed for read operations. Consider using Redis for distributed rate limiting in clustered deployments.
11 
12**Incorrect (no rate limiting on sensitive endpoints):**
13 
14```typescript
15// No rate limiting on sensitive endpoints
16@Controller('auth')
17export class AuthController {
18  @Post('login')
19  async login(@Body() dto: LoginDto): Promise<TokenResponse> {
20    // Attackers can brute-force credentials
21    return this.authService.login(dto);
22  }
23 
24  @Post('forgot-password')
25  async forgotPassword(@Body() dto: ForgotPasswordDto): Promise<void> {
26    // Can be abused to spam users with emails
27    return this.authService.sendResetEmail(dto.email);
28  }
29}
30 
31// Same limits for all endpoints
32@UseGuards(ThrottlerGuard)
33@Controller('api')
34export class ApiController {
35  @Get('public-data')
36  async getPublic() {} // Should allow more requests
37 
38  @Post('process-payment')
39  async payment() {} // Should be more restrictive
40}
41```
42 
43**Correct (configured throttler with endpoint-specific limits):**
44 
45```typescript
46// Configure throttler globally with multiple limits
47import { ThrottlerModule, ThrottlerGuard } from '@nestjs/throttler';
48 
49@Module({
50  imports: [
51    ThrottlerModule.forRoot([
52      {
53        name: 'short',
54        ttl: 1000, // 1 second
55        limit: 3, // 3 requests per second
56      },
57      {
58        name: 'medium',
59        ttl: 10000, // 10 seconds
60        limit: 20, // 20 requests per 10 seconds
61      },
62      {
63        name: 'long',
64        ttl: 60000, // 1 minute
65        limit: 100, // 100 requests per minute
66      },
67    ]),
68  ],
69  providers: [
70    {
71      provide: APP_GUARD,
72      useClass: ThrottlerGuard,
73    },
74  ],
75})
76export class AppModule {}
77 
78// Override limits per endpoint
79@Controller('auth')
80export class AuthController {
81  @Post('login')
82  @Throttle({ short: { limit: 5, ttl: 60000 } }) // 5 attempts per minute
83  async login(@Body() dto: LoginDto): Promise<TokenResponse> {
84    return this.authService.login(dto);
85  }
86 
87  @Post('forgot-password')
88  @Throttle({ short: { limit: 3, ttl: 3600000 } }) // 3 per hour
89  async forgotPassword(@Body() dto: ForgotPasswordDto): Promise<void> {
90    return this.authService.sendResetEmail(dto.email);
91  }
92}
93 
94// Skip throttling for certain routes
95@Controller('health')
96export class HealthController {
97  @Get()
98  @SkipThrottle()
99  check(): string {
100    return 'OK';
101  }
102}
103 
104// Custom throttle per user type
105@Injectable()
106export class CustomThrottlerGuard extends ThrottlerGuard {
107  protected async getTracker(req: Request): Promise<string> {
108    // Use user ID if authenticated, IP otherwise
109    return req.user?.id || req.ip;
110  }
111 
112  protected async getLimit(context: ExecutionContext): Promise<number> {
113    const request = context.switchToHttp().getRequest();
114 
115    // Higher limits for authenticated users
116    if (request.user) {
117      return request.user.isPremium ? 1000 : 200;
118    }
119 
120    return 50; // Anonymous users
121  }
122}
123```
124 
125Reference: [NestJS Throttler](https://docs.nestjs.com/security/rate-limiting)
126