Rate limiting
Rate limiting is supported at the Express level using express-rate-limit. Since Remix is ultimately just a route handler that can be deployed with Express, you can use any Express middleware, including rate limiting.
By default, there are different tiers of rate limiting for different routes.
- Auth routes (/login, /reset-password, etc.) are limited to 10 requests per minute.
- API routes (/api/*) are limited to 100 requests per minute.
- All other routes are limited to 300 requests per minute.
These can all be easily configured in the rate-limiters.js file.
If you are deploying your app using serverless, rate limiting will only work with an external data store (e.g. Redis) since the default store is in-memory, which isn't shared across serverless executions.
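
The tiers and the serverless caveat above, modelled in dependency-free JavaScript as an added example (it is not the project's rate-limiters.js and not express-rate-limit's implementation). `TIERS`, `tierFor`, `FixedWindowStore`, `makeLimiter` and `allowedLogins` are hypothetical names, the fixed-window counter is an assumed algorithm, and the client IP is a constructed sample.

```javascript
// Added example; every name below is hypothetical, not from rate-limiters.js.
const WINDOW_MS = 60_000; // one minute, matching the per-minute tiers above
const TIERS = [
  // Only the two auth paths the page names; the real list is longer ("etc.").
  { name: 'auth', limit: 10, match: (p) => ['/login', '/reset-password'].includes(p) },
  { name: 'api', limit: 100, match: (p) => p.startsWith('/api/') },
  { name: 'general', limit: 300, match: () => true },
];

// First matching tier wins, so the catch-all must stay last.
const tierFor = (path) => TIERS.find((t) => t.match(path));

// Fixed-window counter (assumed algorithm). One instance models one store:
// either a single process's memory or an external store shared by all instances.
class FixedWindowStore {
  constructor() { this.hits = new Map(); }
  increment(key, now) {
    let entry = this.hits.get(key);
    if (!entry || now >= entry.resetAt) {
      entry = { count: 0, resetAt: now + WINDOW_MS };
      this.hits.set(key, entry);
    }
    entry.count += 1;
    return entry;
  }
}

// Builds the per-request decision for one app instance backed by `store`.
function makeLimiter(store) {
  return (ip, path, now) => {
    const tier = tierFor(path);
    const { count, resetAt } = store.increment(`${tier.name}:${ip}`, now);
    const allowed = count <= tier.limit;
    return { allowed, tier: tier.name, retryAfterMs: allowed ? 0 : resetAt - now };
  };
}

// Sends n /login requests from one client, round-robin across instances.
function allowedLogins(limiters, n) {
  let passed = 0;
  for (let i = 0; i < n; i++) {
    const decide = limiters[i % limiters.length];
    if (decide('203.0.113.7', '/login', 1000 + i).allowed) passed++; // constructed IP
  }
  return passed;
}

// Two instances with private memory vs. the same two sharing one store.
const shared = new FixedWindowStore();
const isolated = [new FixedWindowStore(), new FixedWindowStore()].map(makeLimiter);
const pooled = [shared, shared].map(makeLimiter);
console.log(allowedLogins(isolated, 40), allowedLogins(pooled, 40)); // 20 10
```

With private in-memory counters the effective auth limit scales with the number of instances serving the client; with one shared store it stays at the configured 10 per minute.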