 

Rate Limiting on Firebase Hosting

I've been searching for ways to rate limit requests by IP, but was not able to find any resources. Basically what I'm looking for is a way to implement firewall logic. I know that I can limit authenticated user requests with database rules, but how do I go about limiting page hits? For example, I only want to allow 150 requests per minute for each IP. Is there any way to do this? Otherwise, wouldn't it be easy to attack small businesses who are on the Blaze plan?

tugce asked Oct 16 '17 18:10



2 Answers

It seems the current way to rate limit is to use some middleware like express-rate-limiter. Then in your server.ts (or .js if JavaScript) file you can do as follows:

import * as express from 'express';
import * as rateLimit from 'express-rate-limit';

const server: express.Express = express(); // Use the Express type from the imported namespace.

server.set('trust proxy', 1); // Enable because the application is behind reverse proxy (Firebase).
server.use(
  rateLimit({
    max: 100, // Max 100 connections per windowMs can be done before sending HTTP 429 (Too Many Requests) response code. After 100 requests within 15 minutes block the IP.
    message:
      'This IP has been temporarily blocked due to too many requests, please try again later.',
    windowMs: 15 * 60 * 1000 // In milliseconds, keep records of requests in memory for 15 minutes.
  })
);

Alternatively, if you don't want to block the IP but rather slow it down, use express-slow-down.

Daniel Danielecki answered Oct 10 '22 17:10
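
The following is an added example, not code from the answer above or from express-rate-limit: it shows how the `trust proxy` hop count decides which address a per-IP limiter keys on, using the question's limit of 150 requests per minute. The function and class names, the fixed-window store and all IP addresses are assumptions made for illustration.

```javascript
// Added example. All addresses are constructed (private / RFC 5737 ranges).

// Pick the client IP the way Express's numeric 'trust proxy' setting does:
// start at the socket address, walk back through X-Forwarded-For, and
// treat the first `trustedHops` addresses as trusted proxies.
function clientIp(socketAddr, xForwardedFor, trustedHops) {
  const forwarded = (xForwardedFor || '')
    .split(',').map((s) => s.trim()).filter(Boolean);
  const chain = [socketAddr, ...forwarded.reverse()];
  return chain[Math.min(trustedHops, chain.length - 1)];
}

// In-memory fixed-window counter (assumed stand-in for the middleware's store).
class FixedWindowLimiter {
  constructor(max, windowMs) {
    this.max = max;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> { count, resetAt }
  }

  check(key, now) {
    let entry = this.hits.get(key);
    if (!entry || now >= entry.resetAt) {
      entry = { count: 0, resetAt: now + this.windowMs };
      this.hits.set(key, entry);
    }
    entry.count += 1;
    const allowed = entry.count <= this.max;
    const retryAfterSec = allowed ? 0 : Math.ceil((entry.resetAt - now) / 1000);
    return { allowed, status: allowed ? 200 : 429, retryAfterSec };
  }
}

// 200 requests in 20 s from one noisy client, then one request from a quiet
// client, both arriving through the same reverse proxy.
function simulate(trustedHops) {
  const PROXY = '10.0.0.1';
  const limiter = new FixedWindowLimiter(150, 60 * 1000); // 150 requests per minute
  let noisyBlocked = 0;
  for (let i = 0; i < 200; i++) {
    const key = clientIp(PROXY, '198.51.100.9', trustedHops);
    if (!limiter.check(key, i * 100).allowed) noisyBlocked += 1;
  }
  const quiet = limiter.check(clientIp(PROXY, '203.0.113.7', trustedHops), 20000);
  return { noisyBlocked, quietAllowed: quiet.allowed };
}

console.log('trust proxy = 1:', simulate(1)); // limiter keys on each client's own address
console.log('trust proxy = 0:', simulate(0)); // limiter keys on the proxy: clients share one bucket
```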


Firebaser here.

There is currently no way to rate-limit based on IP address with Firebase Hosting. Our CDN partner includes some built-in protection against (D)DoS attacks, but this is not presently configurable.

We find that this generally isn't a problem. If you do run into usage that you suspect is abuse, please reach out to Firebase support and we'll work with you to resolve the situation to everyone's satisfaction.

Michael Bleigh answered Oct 10 '22 19:10