typescript.rate_limiting

Stability High

Detects public endpoints without rate limiting protection.

Missing rate limiting:

  • DDoS vulnerability — Attackers can overwhelm service
  • Resource exhaustion — Single client can hog resources
  • Cost explosion — Unbounded API usage
```typescript
// ❌ Before (no rate limiting)
app.post('/api/login', async (req, res) => {
  const result = await authenticate(req.body);
  res.json(result);
});
```

```typescript
// ✅ After (with rate limiting)
import rateLimit from 'express-rate-limit';

const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5, // 5 attempts per window
  message: 'Too many login attempts, please try again later',
});

app.post('/api/login', loginLimiter, async (req, res) => {
  const result = await authenticate(req.body);
  res.json(result);
});
```
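To make the `windowMs` / `max` semantics of the fixed config above concrete, here is an added, self-contained example that is not express-rate-limit and not Unfault's code: a minimal fixed-window limiter, an Express-style middleware wrapper around it, and a simulated burst of login attempts from one IP. The `Req`/`Res` shapes, the injectable clock and the sample traffic are constructed for the example so it runs offline without Express.

```typescript
// Added example (not express-rate-limit, not Unfault's code): a fixed-window
// limiter with the same windowMs / max semantics as the loginLimiter config,
// wrapped as Express-style middleware. The clock is injected so the behaviour
// can be exercised deterministically without waiting 15 minutes.

interface Req { ip: string; path: string; body?: unknown; }
interface Res { statusCode: number; headers: Record<string, string>; body?: unknown; }
type Next = () => void;

interface LimiterOptions { windowMs: number; max: number; }
interface Decision { allowed: boolean; remaining: number; retryAfterMs: number; }

class FixedWindowLimiter {
  // One counter per client key; a window starts at that key's first hit.
  private windows = new Map<string, { start: number; count: number }>();
  constructor(private readonly opts: LimiterOptions) {}

  check(key: string, now: number): Decision {
    const w = this.windows.get(key);
    if (w === undefined || now - w.start >= this.opts.windowMs) {
      // Fresh window: this request is hit number one.
      this.windows.set(key, { start: now, count: 1 });
      return { allowed: true, remaining: this.opts.max - 1, retryAfterMs: 0 };
    }
    if (w.count >= this.opts.max) {
      // Budget exhausted: report when the window resets so the client can back off.
      return { allowed: false, remaining: 0, retryAfterMs: w.start + this.opts.windowMs - now };
    }
    w.count += 1;
    return { allowed: true, remaining: this.opts.max - w.count, retryAfterMs: 0 };
  }
}

// Middleware factory keyed on client IP, mirroring the page's config.
// `clock` defaults to Date.now but can be replaced for tests.
function rateLimit(opts: LimiterOptions & { message: string }, clock: () => number = Date.now) {
  const limiter = new FixedWindowLimiter(opts);
  return (req: Req, res: Res, next: Next): void => {
    const d = limiter.check(req.ip, clock());
    res.headers['RateLimit-Limit'] = String(opts.max);
    res.headers['RateLimit-Remaining'] = String(d.remaining);
    if (!d.allowed) {
      res.headers['Retry-After'] = String(Math.ceil(d.retryAfterMs / 1000));
      res.statusCode = 429;
      res.body = { error: opts.message };
      return; // handler never runs for a rejected request
    }
    next();
  };
}

// Simulate `attempts` POST /api/login requests from one IP, `spacingMs` apart,
// and return the status code each one received. Sample traffic is constructed.
function simulateLoginBurst(attempts: number, spacingMs: number): number[] {
  let now = 0;
  const loginLimiter = rateLimit(
    { windowMs: 15 * 60 * 1000, max: 5, message: 'Too many login attempts, please try again later' },
    () => now,
  );
  const statuses: number[] = [];
  for (let i = 0; i < attempts; i++) {
    const req: Req = { ip: '203.0.113.7', path: '/api/login', body: { user: 'alice', pass: 'guess' } };
    const res: Res = { statusCode: 200, headers: {} };
    loginLimiter(req, res, () => { res.body = { authenticated: false }; });
    statuses.push(res.statusCode);
    now += spacingMs;
  }
  return statuses;
}
```

Seven attempts one second apart yield five 200s followed by two 429s; attempts spaced a full 15 minutes apart each land in a new window and all succeed. Keying on IP alone is what the page's config does; for a login route, clients behind a shared NAT share one budget, and a limiter keyed on the submitted username as well is a common complement.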
This rule flags:

  • POST endpoints without rate limiter middleware
  • Login/auth endpoints without throttling
  • File upload handlers without limits

Unfault can add express-rate-limit middleware.