Express

Lesson 09

Rate limiting and trust proxy

Configure client IP trust deliberately before using IP-based controls.

Good Code

src/app.ts
import express from "express";
import { rateLimit } from "express-rate-limit";

export function createApp() {
  const app = express();

  app.set("trust proxy", 1);
  app.use(rateLimit({
    windowMs: 60_000,
    limit: 120,
    standardHeaders: true,
    legacyHeaders: false,
  }));

  return app;
}

Bad Code

src/app.ts
import express from "express";
import { rateLimit } from "express-rate-limit";

export function createApp() {
  const app = express();

  app.set("trust proxy", true);
  app.use(rateLimit({ windowMs: 60_000, limit: 10_000 }));

  return app;
}

Review Notes

What to review

Good Code

The good version sets a specific proxy trust depth and applies a clear rate limit policy.

Bad Code

The bad version trusts every proxy hop and sets a limit so high that the control is mostly decorative.
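To see why the trust depth matters, here is an added example (not code from the lesson) that models the proxy-addr resolution Express uses for req.ip, the value express-rate-limit keys on by default. The request shape and all addresses are constructed; the function names are hypothetical.

```typescript
// Added example: a pure model of how Express resolves req.ip from the socket
// address plus X-Forwarded-For under different "trust proxy" settings.
// Constructed request shape; no network involved.
type TrustSetting = true | number;

interface IncomingLike {
  socketAddr: string; // address of the peer that opened the TCP connection
  xff?: string;       // raw X-Forwarded-For header value, if present
}

// Mirrors proxy-addr: walk outward from the socket, trusting the first `n`
// hops (or every hop when `true`), and return the first untrusted address.
export function resolveClientIp(req: IncomingLike, trust: TrustSetting): string {
  const forwarded = (req.xff ?? "")
    .split(",")
    .map((s) => s.trim())
    .filter(Boolean)
    .reverse(); // nearest proxy first, original sender last
  const addrs = [req.socketAddr, ...forwarded];
  const trusted = (i: number) => trust === true || i < trust;
  for (let i = 0; i < addrs.length - 1; i++) {
    if (!trusted(i)) return addrs[i];
  }
  return addrs[addrs.length - 1];
}

// The rate-limit key each lesson setting would derive for the same request.
export function compareTrustSettings(req: IncomingLike) {
  return {
    trustAll: resolveClientIp(req, true), // app.set("trust proxy", true)
    trustOne: resolveClientIp(req, 1),    // app.set("trust proxy", 1)
  };
}

// Constructed sample: one reverse proxy (10.0.0.5) in front of the app and a
// caller at 203.0.113.7. The proxy appends the caller's address to a header
// that already held a value the proxy itself did not write.
export const sampleRequest: IncomingLike = {
  socketAddr: "10.0.0.5",
  xff: "198.51.100.99, 203.0.113.7",
};
```

With depth 1 the limiter keys on the address the trusted proxy appended; with `true` it keys on whatever the leftmost header entry says, so the limit no longer tracks the real caller.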

Takeaways

  • Rate limiting should use a deliberate client identity, especially behind proxies.