Rate limiting

[jack-pallot]

I have a Dynamic API Route that I'm planning to expose on the client and have taken steps to secure that as much as possible. One thing I'd like to know is if there's a way to do rate limiting on API Routes, or a solution someone has seen before that would work? The API Route hits a serverless database so it could get very expensive if a bad actor decides to hammer the endpoint.

[leerob]

I'm not too familiar with rate limiting, but you could add a stale-while-revalidate header. Here's an example using Vercel and a vercel.json file (or now.json).

{
    "source": "/api/route",
    "headers": [
        {
            "key": "Cache-Control",
            "value": "public, max-age=120, stale-while-revalidate=60"
        }
    ]
}

[timneutkens]

If you want to add headers in API routes the best way to do it is through res.setHeader instead:

res.setHeader('Cache-Control', 'public, max-age=120, stale-while-revalidate=60')

This means you don't have detached configuration and it'll set the headers anywhere including in development.

[leerob]

Ah yes, I forgot about this––agreed!

[Janpot]

If bad actors are your concern, I don't think a cache-control header is going to stop them from hammering the endpoint.

There isn't much information about your architecture but there's three points I see where you could add rate-limiting:

1. Personally I'd start by looking into whether your serverless database offers any rate-limiting features.
2. Otherwise, depending on the way you're hosting your app, if you have a reverse proxy available that has rate-limiting features, I'd use that.
3. Otherwise, since next.js API routes allow using existing connect middleware, you should be able to rate limit with one of the available rate-limiting middleware

[GaddMaster]

Thanks (Hammering endpoint lol)

[ExordiumX]

Those don't work since vercel and heroku use proxies, which means that you have to do app.set('trust proxy', 1) on Express, which you can't easily do on Next.js API.

[jack-pallot]

Thanks for your replies, it's much appreciated.

On top of the answers provided, it turns out this is a service that Cloudflare offer (https://www.cloudflare.com/rate-limiting/). I'm going to try this initially, otherwise I'll likely fall back to using some middleware.

[leerob]

Added an example for rate-limiting using lru-cache: #19509

[Toumash]

@PlopTheReal then you would use https://redis.io/

[leerob]

Check out Upstash, makes it very easy to deploy Redis with a nice free tier.

You can deploy in a few minutes using a Next.js + Redis example 😄 https://vercel.com/integrations/upstash

[justinbalaguer]

Added an example for rate-limiting using lru-cache: #19509

when using post request to rate limit it doesn't change the etag so rate-limit is not subtracting, how can I make this work?

[leerob]

Two other examples:

• https://github.com/vercel/examples/tree/main/edge-functions/api-rate-limit
• https://github.com/vercel/examples/tree/main/edge-functions/api-rate-limit-and-tokens

[ghost]

@leerob resurfacing this — when Googling rate limiting next.js api routes it defaults to Upstash or solutions with complex configuration.

I believe this could be an opportunity to have a first-party solution on Vercel with a default and configurable rate-limiter for all paths and for specific paths in a Next.js project? The Vercel dashboard already can detect paths in Functions deployment logs.

FWIW I implemented Upstash recently and ran into issues. Ended up removing it from project: upstash/ratelimit-js#12