Introduction

hono-rate-limiter is a rate limiting middleware for Hono. It helps protect your application from abuse by limiting the number of requests a client can make within a specified time window.

Rate limiting is essential for:

• Preventing API abuse and DDoS attacks
• Ensuring fair usage across all clients
• Protecting server resources
• Complying with API usage policies

Installation

You can install the hono-rate-limiter package using your preferred package manager.

npm install hono-rate-limiter

Basic Usage

Here's a minimal example to get started with rate limiting:

import { Hono } from "hono";
import { rateLimiter } from "hono-rate-limiter";

const app = new Hono();

// Apply rate limiting middleware
app.use(
  rateLimiter({
    windowMs: 15 * 60 * 1000, // 15 minutes
    limit: 100, // Limit each client to 100 requests per window
    keyGenerator: (c) => c.req.header("x-forwarded-for") ?? "", // Use IP address as key
  })
);

app.get("/", (c) => c.text("Hello Hono!"));

export default app;

This configuration limits each client to 100 requests per 15-minute window. When a client exceeds the limit, they receive a 429 Too Many Requests response.

Understanding the Configuration

The three essential options are:

• windowMs: The time window in milliseconds for tracking requests (e.g., 15 minutes)
• limit: Maximum number of requests allowed per window
• keyGenerator: A function that returns a unique identifier for each client

Rate Limit Headers

By default, hono-rate-limiter sets standard rate limit headers on responses:

• RateLimit-Limit: The maximum number of requests allowed
• RateLimit-Remaining: The number of requests remaining in the current window
• RateLimit-Reset: The time (in seconds) until the rate limit resets
• RateLimit-Policy: The rate limit policy

These headers follow the IETF Rate Limit Headers specification (draft-6 by default).

Next Steps

• Learn about all Configuration Options
• Set up WebSocket Rate Limiting
• Choose a Data Store for production deployments