content/security/rate-limiting.md
35 additions & 2 deletions
@@ -35,13 +35,46 @@ Once the module has been imported, you can then choose how you would like to bin
35
35
36
36
There may be a time where you want to bind the guard to a controller or globally, but want to disable rate limiting for one or more of your endpoints. For that, you can use the `@SkipThrottle()` decorator, to negate the throttler for an entire class or a single route. The `@SkipThrottle()` decorator can also take in a boolean for if there is a case where you want to exclude _most_ of a controller, but not every route.
37
37
38
-
There is also the `@Throttle()` decorator which can be used to override the `limit` and `ttl` set in the global module, to give tighter or looser security options. This decorator can be used on a class or a function as well. The order for this decorator does matter, as the arguments are in the order of `limit, ttl`.
38
+
```typescript
39
+
@SkipThrottle()
40
+
@Controller('users')
41
+
exportclassUsersController {}
42
+
```
43
+
44
+
This `@SkipThrottle()` decorator can be used to skip a route or a class or to negate the skipping of a route in a class that is skipped.
45
+
46
+
```typescript
47
+
@SkipThrottle()
48
+
@Controller('users')
49
+
exportclassUsersController {
50
+
// Rate limiting is applied to this route.
51
+
@SkipThrottle(false)
52
+
dontSkip() {
53
+
return"List users work with Rate limiting.";
54
+
}
55
+
// This route will skip rate limiting.
56
+
doSkip() {
57
+
return"List users work without Rate limiting.";
58
+
}
59
+
}
60
+
```
61
+
62
+
There is also the `@Throttle()` decorator which can be used to override the `limit` and `ttl` set in the global module, to give tighter or looser security options. This decorator can be used on a class or a function as well. The order for this decorator does matter, as the arguments are in the order of `limit, ttl`. You have to configure it like this:
63
+
64
+
```typescript
65
+
// Override default configuration for Rate limiting and duration.
66
+
@Throttle(3, 60)
67
+
@Get()
68
+
findAll() {
69
+
return"List users works with custom rate limiting.";
70
+
}
71
+
```
39
72
40
73
#### Proxies
41
74
42
75
If your application runs behind a proxy server, check the specific HTTP adapter options ([express](http://expressjs.com/en/guide/behind-proxies.html) and [fastify](https://www.fastify.io/docs/latest/Reference/Server/#trustproxy)) for the `trust proxy` option and enable it. Doing so will allow you to get the original IP address from the `X-Forwarded-For` header, and you can override the `getTracker()` method to pull the value from the header rather than from `req.ip`. The following example works with both express and fastify:
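Review bot: In the second added example, `dontSkip()` and `doSkip()` have no route decorator, while `findAll()` in the third example has `@Get()`. As written they are plain methods rather than endpoints, so the comments "Rate limiting is applied to this route" and "This route will skip rate limiting" describe routes the snippet never declares. Please add a method decorator to each, matching the third example. Since this page sits under the security docs, the new paragraph before that example should also say that a class-level `@SkipThrottle()` leaves every handler in the controller unthrottled unless it is marked `@SkipThrottle(false)`, so a route added to that controller later is unprotected by default. In the third example, the comment above `@Throttle(3, 60)` could name the arguments (3 is `limit`, 60 is `ttl`) and give the unit of `ttl`, because the prose stresses that the order matters but the example does not show which is which. The sentence "You have to configure it like this:" reads better as "For example:".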