What is rate limiting and how do you implement it in Node.js?
Why Interviewers Ask This
This tests whether you can apply Node.js knowledge to real-world scenarios. Interviewers are looking for clarity of thought and evidence that you've encountered this in production code.
Answer
Rate limiting restricts how many requests a client can make to your API within a time window, protecting against brute-force attacks, DDoS, and API abuse. Implementation in Express.js using express-rate-limit: const rateLimit = require("express-rate-limit"); const limiter = rateLimit({ windowMs: 15 * 60 * 1000, max: 100, message: "Too many requests" }); app.use("/api/", limiter);. This allows 100 requests per 15 minutes per IP. For more sophisticated limiting (sliding window, token bucket) and distributed environments (multiple servers), use Redis-backed rate limiting with rate-limiter-flexible. Apply different limits to different routes: stricter limits on auth endpoints (/login: 5 attempts per 15 min) and looser on general API. Also consider: (1) IP-based limiting (default); (2) User/API-key based limiting for authenticated routes; (3) Setting Retry-After headers so clients know when to retry; (4) Returning 429 Too Many Requests status code.
Common Mistake
Rushing to answer is a common mistake. Take two seconds to structure your response: definition → example → trade-off. This structure makes complex Node.js answers easy to follow.
Previous
What is connection pooling in Node.js database access?
Next
What is input validation and sanitization in Node.js?