Overview
The TestDog API implements a layered rate limiting system to protect against abuse and denial-of-service attempts and to ensure fair use of resources. All limits are keyed on the client IP address, so they slow down single-source abuse; a distributed attacker spreading requests across many addresses is only bounded by the global limit multiplied by the number of addresses in use.
Technology Stack
- express-rate-limit: Core rate limiting library
- rate-limit-redis: Redis store adapter for distributed rate limiting
- Redis: Primary storage for rate limit counters (with fallback)
- Memory Store: Fallback when Redis is unavailable. Counters in the memory store are per process, so when several API instances run without Redis each instance enforces the limit independently and the effective limit per IP becomes the configured limit multiplied by the number of instances. Treat a Redis outage as a degradation of the rate limiting control, not as transparent.
Rate Limiting Rules
The TestDog API applies different rate limits to various endpoints based on their sensitivity and expected usage patterns.
Global Rate Limiting
All API endpoints are protected by a global rate limiter:
- Limit: 100 requests per 15 minutes per IP address
- Purpose: Broad protection against general API abuse

The per-IP key is the client address the application sees. Behind a reverse proxy or load balancer the Express trust proxy setting must match the number of proxy hops actually in front of the API: if it is too low, every client shares the proxy's address and therefore one bucket; if it is too high, a client can supply its own X-Forwarded-For header and choose its own bucket, which bypasses the limit.
Registration Endpoints
User registration is strictly rate limited to prevent abuse:
- Endpoint: POST /api/v1/auth/register
- Limit: 5 requests per minute per IP address
- Purpose: Prevents automated account creation and spam
Authentication Endpoints
Login and other authentication routes have moderate rate limiting:
- Endpoints: Login, password reset, email verification
- Limit: 20 requests per 15 minutes per IP address
- Purpose: Protects against brute force attacks while allowing legitimate retries
Rate Limit Response
Error Response Format
When a rate limit is exceeded, the API responds with HTTP 429 and a standardized error body. The example below is the registration limiter's response; the message, maxRequests and windowMs fields reflect the limiter that was hit, and retryAfter tells the client how long to wait before the window resets:

```json
{
  "status": "error",
  "statusCode": 429,
  "message": "Too many registration attempts from this IP, please try again in a minute.",
  "details": {
    "retryAfter": "60 seconds",
    "maxRequests": 5,
    "windowMs": 60000,
    "ip": "192.168.1.1",
    "timestamp": "2025-06-16T10:30:00.000Z"
  }
}
```
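The limiter configuration and the 429 body above, as an added example that is not TestDog's own code. It uses no npm packages so it runs stand-alone: `rateLimit` takes the same option shape as express-rate-limit (`windowMs`, `max`, `message`, `store`) and the store contract is assumed to match express-rate-limit's, an `increment(key)` call returning `{ totalHits, resetTime }`. `buildLimiters`, `drive`, the injectable `now` clock, the fake `req`/`res` objects and the messages for the global and authentication tiers are assumptions for the demonstration; only the registration message appears on this page.

```javascript
// Added example, not the TestDog project's code. A dependency-free fixed-window
// limiter with the middleware shape of express-rate-limit, the three documented
// tiers, and the documented 429 body. The store contract (increment(key) ->
// { totalHits, resetTime }) is assumed to mirror express-rate-limit's.

class MemoryStore {
  // Per-process counters: every API instance running on this store has its own
  // map, so without Redis the effective limit is max * number of instances.
  constructor(windowMs, now = Date.now) {
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // key -> { totalHits, resetTime }
  }
  increment(key) {
    const t = this.now();
    let entry = this.hits.get(key);
    if (!entry || entry.resetTime <= t) {
      // Window expired (or first hit): start a fresh fixed window.
      entry = { totalHits: 0, resetTime: t + this.windowMs };
      this.hits.set(key, entry);
    }
    entry.totalHits += 1;
    return { totalHits: entry.totalHits, resetTime: entry.resetTime };
  }
}

function rateLimit({ windowMs, max, message, store, now = Date.now }) {
  const s = store || new MemoryStore(windowMs, now);
  return function limiter(req, res, next) {
    // req.ip is the bucket key. In Express it reflects X-Forwarded-For only
    // when 'trust proxy' matches the hops actually in front of the service.
    const { totalHits, resetTime } = s.increment(req.ip);
    res.setHeader('RateLimit-Limit', max);
    res.setHeader('RateLimit-Remaining', Math.max(0, max - totalHits));
    if (totalHits <= max) return next();
    const retryAfterSec = Math.ceil((resetTime - now()) / 1000);
    res.setHeader('Retry-After', retryAfterSec);
    res.status(429).json({
      status: 'error',
      statusCode: 429,
      message,
      details: {
        retryAfter: `${retryAfterSec} seconds`,
        maxRequests: max,
        windowMs,
        ip: req.ip,
        timestamp: new Date(now()).toISOString(),
      },
    });
  };
}

// The three documented tiers. Global and auth messages are assumed wording.
const MINUTE = 60 * 1000;
function buildLimiters(now = Date.now) {
  return {
    global: rateLimit({ windowMs: 15 * MINUTE, max: 100, now,
      message: 'Too many requests from this IP, please try again later.' }),
    register: rateLimit({ windowMs: MINUTE, max: 5, now,
      message: 'Too many registration attempts from this IP, please try again in a minute.' }),
    auth: rateLimit({ windowMs: 15 * MINUTE, max: 20, now,
      message: 'Too many authentication attempts from this IP, please try again later.' }),
  };
}

// Minimal stand-ins for Express req/res (constructed for the demo, no server).
function makeReq(ip) { return { ip }; }
function makeRes() {
  const res = { headers: {}, statusCode: 200, body: null };
  res.setHeader = (k, v) => { res.headers[k] = String(v); };
  res.status = (c) => { res.statusCode = c; return res; };
  res.json = (b) => { res.body = b; return res; };
  return res;
}

// Send n requests from ip through limiter and return the last response.
function drive(limiter, ip, n) {
  let res;
  for (let i = 0; i < n; i++) {
    res = makeRes();
    limiter(makeReq(ip), res, () => {});
  }
  return res;
}

// Sixth registration attempt from one address inside a minute is rejected.
const demo = drive(buildLimiters().register, '192.168.1.1', 6);
console.log(demo.statusCode, JSON.stringify(demo.body, null, 2));
```

To run this against the real stack, replace `MemoryStore` with rate-limit-redis's `RedisStore` (it is constructed with a `sendCommand` callback bound to the shared Redis client) and fall back to the memory store only when the Redis client fails to connect; the option object passed to `rateLimit` keeps the same shape, and the per-process caveat on the fallback still applies.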
Rate Limit Summary
| Endpoint Type | Time Window | Request Limit |
|---|---|---|
| All Endpoints | 15 minutes | 100 requests |
| Registration | 1 minute | 5 requests |
| Authentication | 15 minutes | 20 requests |