The backend implements rate limiting on sensitive endpoints to prevent abuse and ensure service availability. Rate limiting is implemented using the express-rate-limit middleware.

Login Rate Limiter

Protects the authentication endpoint from brute force attacks. Endpoint: POST /api/auth/login

Configuration

windowMs (number, default: 900000)
Time window in milliseconds for rate limiting. Value: 15 * 60 * 1000 (15 minutes)

max (number, default: 5)
Maximum number of requests allowed per IP within the time window. Value: 5 requests

message (object)
Error message returned when the rate limit is exceeded. Value: { error: 'Muitas tentativas de login. Tente novamente em 15 minutos.' } (Portuguese: "Too many login attempts. Try again in 15 minutes.")

Behavior

  • Users can attempt login 5 times within a 15-minute window; the window is a fixed window that opens at the first request from that IP
  • Once the limit is exceeded, every further request from that IP in the window receives HTTP 429 Too Many Requests with the JSON message above and a Retry-After header; blocked requests are counted as well, but the reset time is fixed when the window opens and is not extended by further requests
  • Each IP address is tracked independently, keyed on req.ip. Behind a reverse proxy or load balancer this requires Express's trust proxy setting to be configured for that proxy: without it every client shares the proxy's address and one noisy client locks out everyone, and with an over-permissive setting (for example trust proxy: true) a client can spoof X-Forwarded-For to obtain a fresh counter on every request; recent express-rate-limit versions log a validation warning for that case
  • Standard rate limit headers are included in responses
Excessive login attempts may indicate a brute force attack. Monitor login failures both per IP and per account, and consider additional measures such as CAPTCHA or step-up verification for suspicious activity: a per-IP limit does not stop credential stuffing spread across many source addresses, and it only slows, rather than prevents, guessing against weak passwords.
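The monitoring suggested above, as an added example that is not part of the project's code: a detector that replays authentication log lines and flags two patterns, a single IP at or over the login limiter's budget of 5 failures per 15 minutes (which should already be receiving 429s) and one username failing from several IPs inside the window, which a per-IP limiter cannot see. The JSON log format, the sample lines and the distinct-IP threshold are constructed for this example; this page does not document the backend's real log format.

```javascript
// Added example, not code from the project. Replays constructed auth log
// lines and raises alerts for per-IP brute force and for one account
// being attacked from several source IPs (credential spraying).

const WINDOW_MS = 15 * 60 * 1000;   // same window as loginLimiter
const IP_FAILURE_THRESHOLD = 5;     // same budget as loginLimiter's max
const DISTINCT_IP_THRESHOLD = 3;    // assumed tuning value for spraying alerts

// Constructed sample: one IP hammering "alice", four IPs sharing "bob".
const sampleLog = [
  '{"ts":"2024-03-01T10:00:00Z","event":"login_failed","ip":"203.0.113.5","user":"alice"}',
  '{"ts":"2024-03-01T10:00:12Z","event":"login_failed","ip":"203.0.113.5","user":"alice"}',
  '{"ts":"2024-03-01T10:00:25Z","event":"login_failed","ip":"203.0.113.5","user":"alice"}',
  '{"ts":"2024-03-01T10:00:41Z","event":"login_failed","ip":"203.0.113.5","user":"alice"}',
  '{"ts":"2024-03-01T10:01:03Z","event":"login_failed","ip":"203.0.113.5","user":"alice"}',
  '{"ts":"2024-03-01T10:01:30Z","event":"login_failed","ip":"203.0.113.5","user":"alice"}',
  '{"ts":"2024-03-01T10:02:00Z","event":"login_success","ip":"192.0.2.10","user":"carol"}',
  '{"ts":"2024-03-01T10:05:00Z","event":"login_failed","ip":"198.51.100.1","user":"bob"}',
  '{"ts":"2024-03-01T10:06:10Z","event":"login_failed","ip":"198.51.100.2","user":"bob"}',
  '{"ts":"2024-03-01T10:07:20Z","event":"login_failed","ip":"198.51.100.3","user":"bob"}',
  '{"ts":"2024-03-01T10:08:30Z","event":"login_failed","ip":"198.51.100.4","user":"bob"}',
  '{"ts":"2024-03-01T10:30:00Z","event":"login_failed","ip":"192.0.2.10","user":"carol"}',
].join('\n');

// Parse one JSON object per line, keep only failures, sort by time.
function parseFailures(text) {
  return text.split('\n')
    .filter(Boolean)
    .map((line) => JSON.parse(line))
    .filter((e) => e.event === 'login_failed')
    .map((e) => ({ ...e, t: Date.parse(e.ts) }))
    .sort((a, b) => a.t - b.t);
}

function groupBy(events, keyFn) {
  const groups = new Map();
  for (const e of events) {
    const k = keyFn(e);
    if (!groups.has(k)) groups.set(k, []);
    groups.get(k).push(e);
  }
  return groups;
}

// Largest number of events inside any sliding window of windowMs (two-pointer
// over the time-sorted list).
function peakCount(events, windowMs) {
  let best = 0;
  let lo = 0;
  for (let hi = 0; hi < events.length; hi++) {
    while (events[hi].t - events[lo].t >= windowMs) lo++;
    best = Math.max(best, hi - lo + 1);
  }
  return best;
}

// Largest number of distinct source IPs inside any sliding window.
function peakDistinctIps(events, windowMs) {
  let best = 0;
  for (let i = 0; i < events.length; i++) {
    const ips = new Set();
    for (let j = i; j < events.length && events[j].t - events[i].t < windowMs; j++) {
      ips.add(events[j].ip);
    }
    best = Math.max(best, ips.size);
  }
  return best;
}

// Returns a list of alert objects for the given log text.
function detectBruteForce(text) {
  const failures = parseFailures(text);
  const alerts = [];
  for (const [ip, evs] of groupBy(failures, (e) => e.ip)) {
    const n = peakCount(evs, WINDOW_MS);
    if (n >= IP_FAILURE_THRESHOLD) alerts.push({ type: 'ip_brute_force', ip, failures: n });
  }
  for (const [user, evs] of groupBy(failures, (e) => e.user)) {
    const n = peakDistinctIps(evs, WINDOW_MS);
    if (n >= DISTINCT_IP_THRESHOLD) alerts.push({ type: 'distributed_on_user', user, distinctIps: n });
  }
  return alerts;
}

// Usage: detectBruteForce(sampleLog) yields one ip_brute_force alert for
// 203.0.113.5 (6 failures) and one distributed_on_user alert for bob (4 IPs).
```

The per-user check is the one that matters operationally: each of the four IPs targeting bob stays well under the limiter's budget, so the middleware never sees anything wrong, and only correlating failures by account exposes the campaign.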

Contact Form Rate Limiter

Prevents spam and abuse of the contact form endpoint. Endpoint: POST /api/contact

Configuration

windowMs (number, default: 3600000)
Time window in milliseconds for rate limiting. Value: 60 * 60 * 1000 (1 hour)

max (number, default: 5)
Maximum number of requests allowed per IP within the time window. Value: 5 requests

message (object)
Error message returned when the rate limit is exceeded. Value: { error: 'Muitas mensagens enviadas. Tente novamente mais tarde.' } (Portuguese: "Too many messages sent. Try again later.")

Behavior

  • Users can submit 5 contact forms within a 1-hour window
  • Once the limit is exceeded, further submissions from that IP in the window receive HTTP 429 Too Many Requests with the JSON message above; the window is fixed from the first request and is not extended by blocked requests
  • Each IP address is tracked independently (keyed on req.ip, so the same trust proxy caveat as the login limiter applies)
  • Standard rate limit headers are included in responses

Rate Limit Headers

Both rate limiters include standard headers (the IETF draft-6 form, enabled by standardHeaders: true) in API responses:
  • RateLimit-Limit - Maximum requests allowed in the window
  • RateLimit-Remaining - Number of requests remaining in the current window (0 once the limit is reached)
  • RateLimit-Reset - Seconds until the current window resets. This is a delta, not a Unix timestamp; the Unix-timestamp form belongs to the legacy X-RateLimit-Reset header, which is disabled here by legacyHeaders: false
  • Retry-After - Sent with 429 responses, also as a number of seconds

Example Response Headers

RateLimit-Limit: 5
RateLimit-Remaining: 3
RateLimit-Reset: 612
These are the headers a client would see after its second login attempt, with a little over ten minutes left in the 15-minute window.
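To make the behavior described under the login limiter's Behavior section and the header semantics above concrete, here is an added example (not code from this page or from backend/src/server.js): a dependency-free fixed-window limiter that mirrors what the documented express-rate-limit configuration does, per-key counter, windowMs and max, the RateLimit-* headers with RateLimit-Reset in seconds, and a 429 carrying the JSON message. The clock is injectable so that window expiry can be shown deterministically; the IP addresses and start time are constructed.

```javascript
// Added example, not the project's code: a minimal fixed-window limiter
// with the same observable behaviour as the documented configuration.

function createLimiter({ windowMs, max, message, now = Date.now }) {
  const hits = new Map(); // key (e.g. client IP) -> { count, resetAt }

  // Returns the decision for one request identified by `key`.
  return function check(key) {
    const t = now();
    let entry = hits.get(key);
    if (!entry || t >= entry.resetAt) {
      // First hit, or the previous fixed window has elapsed: open a new one.
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(key, entry);
    }
    entry.count += 1; // blocked requests are counted too, as express-rate-limit does
    const resetSeconds = Math.ceil((entry.resetAt - t) / 1000);
    const headers = {
      'RateLimit-Limit': String(max),
      'RateLimit-Remaining': String(Math.max(0, max - entry.count)),
      // Draft-6 semantics: seconds until the window resets, not an epoch time.
      'RateLimit-Reset': String(resetSeconds),
    };
    if (entry.count > max) {
      headers['Retry-After'] = String(resetSeconds);
      return { status: 429, headers, body: message };
    }
    return { status: 200, headers, body: null };
  };
}

// Replays a burst of login attempts against the documented login limiter
// with a fake clock: 7 attempts from one IP at the same instant, one from a
// second IP, then one more from the first IP after the window has expired.
function simulateBruteForce() {
  let clock = 1700000000000; // constructed fixed start time (ms since epoch)
  const limiter = createLimiter({
    windowMs: 15 * 60 * 1000,
    max: 5,
    message: { error: 'Muitas tentativas de login. Tente novamente em 15 minutos.' },
    now: () => clock,
  });

  const results = [];
  for (let i = 0; i < 7; i++) results.push(limiter('203.0.113.5'));
  results.push(limiter('198.51.100.7'));  // unaffected: separate key
  clock += 15 * 60 * 1000 + 1000;         // advance just past the window
  results.push(limiter('203.0.113.5'));   // counter has reset
  return results;
}

// Usage: simulateBruteForce().map((r) => r.status)
//   -> [200, 200, 200, 200, 200, 429, 429, 200, 200]
```

Two details worth noticing in the output: the sixth and seventh responses both carry RateLimit-Remaining: 0 and the same Retry-After, because a fixed window does not move when blocked requests keep arriving, and the request from the second IP is untouched, which is exactly why the key the limiter uses (req.ip and therefore the trust proxy setting) decides whether the limit protects anything.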

Implementation Details

Rate limiting is implemented in backend/src/server.js:
const rateLimit = require('express-rate-limit');

// Login: 5 attempts per IP per 15 minutes
const loginLimiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 5,                   // named `limit` in express-rate-limit v7; `max` is still accepted
  // "Too many login attempts. Try again in 15 minutes."
  message: { error: 'Muitas tentativas de login. Tente novamente em 15 minutos.' },
  standardHeaders: true,    // RateLimit-Limit / RateLimit-Remaining / RateLimit-Reset
  legacyHeaders: false,     // no X-RateLimit-* headers
});

// Contact form: 5 submissions per IP per hour
const contactLimiter = rateLimit({
  windowMs: 60 * 60 * 1000, // 1 hour
  max: 5,
  // "Too many messages sent. Try again later."
  message: { error: 'Muitas mensagens enviadas. Tente novamente mais tarde.' },
  standardHeaders: true,
  legacyHeaders: false,
});
See backend/src/server.js:27-41 for the complete implementation.
Rate limits are tracked in-memory by default (express-rate-limit's MemoryStore), and that store is per process: with several instances behind a load balancer each keeps its own counters, so a client can get up to max attempts on every instance rather than max in total, and all counters are lost on restart. In a production environment with multiple server instances, use a shared store such as Redis (for example via the rate-limit-redis package) so the limit is enforced across all instances.
