api-rate-limiting

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

API Rate Limiting

API限流

Protect APIs from abuse using rate limiting algorithms with per-user and per-endpoint strategies.

通过基于用户和端点的限流算法保护API免受滥用。

Algorithms

算法

Algorithm	Pros	Cons
Token Bucket	Handles bursts, smooth	Memory per user
Sliding Window	Accurate	Memory intensive
Fixed Window	Simple	Boundary spikes

算法	优点	缺点
Token Bucket	处理突发流量，平滑稳定	每个用户占用内存
Sliding Window	统计准确	内存消耗大
Fixed Window	实现简单	边界处流量突增

Token Bucket (Node.js)

Token Bucket（Node.js）

javascript

class TokenBucket {
  constructor(capacity, refillRate) {
    this.capacity = capacity;
    this.tokens = capacity;
    this.refillRate = refillRate; // tokens per second
    this.lastRefill = Date.now();
  }

  consume() {
    this.refill();
    if (this.tokens >= 1) {
      this.tokens--;
      return true;
    }
    return false;
  }

  refill() {
    const now = Date.now();
    const elapsed = (now - this.lastRefill) / 1000;
    this.tokens = Math.min(this.capacity, this.tokens + elapsed * this.refillRate);
    this.lastRefill = now;
  }
}

javascript

class TokenBucket {
  constructor(capacity, refillRate) {
    this.capacity = capacity;
    this.tokens = capacity;
    this.refillRate = refillRate; // tokens per second
    this.lastRefill = Date.now();
  }

  consume() {
    this.refill();
    if (this.tokens >= 1) {
      this.tokens--;
      return true;
    }
    return false;
  }

  refill() {
    const now = Date.now();
    const elapsed = (now - this.lastRefill) / 1000;
    this.tokens = Math.min(this.capacity, this.tokens + elapsed * this.refillRate);
    this.lastRefill = now;
  }
}

Express Middleware

Express中间件

javascript

const rateLimit = require('express-rate-limit');

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100,
  standardHeaders: true,
  message: { error: 'Too many requests, try again later' }
});

app.use('/api/', limiter);

javascript

const rateLimit = require('express-rate-limit');

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100,
  standardHeaders: true,
  message: { error: 'Too many requests, try again later' }
});

app.use('/api/', limiter);

Response Headers

响应头

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1705320000
Retry-After: 60

X-RateLimit-Limit: 100
X-RateLimit-Remaining: 45
X-RateLimit-Reset: 1705320000
Retry-After: 60

Tiered Limits

分层限流

Tier	Requests/Hour
Free	100
Pro	1,000
Enterprise	10,000

套餐层级	每小时请求数
Free	100
Pro	1,000
Enterprise	10,000

Best Practices

最佳实践

Use Redis for distributed rate limiting
Include proper headers in responses
Return 429 status with Retry-After
Implement tiered limits for different plans
Monitor rate limit metrics
Test under load

使用Redis实现分布式限流
在响应中包含合适的头信息
返回429状态码并附带Retry-After字段
为不同套餐实现分层限流
监控限流指标
进行负载测试