I've been searching for ways to rate limit requests by IP, but was not able to find any resources. Basically what I'm looking is a way to implement firewall logic. I know that I can limit authenticated user requests with database rules, but how do I go about limiting page hits? For example I only want to allow 150 requests per minute for each IP. Is there any way to do this? Otherwise, wouldn't it be easy to attack small businesses who are on Blaze plan?
The limit you're referring to is the limit for the number of concurrently connected users to Firebase Realtime Database on the free Spark plan. Once you upgrade to a payment plan, your project will allow 200,000 simultaneously connected users.
Firebase Realtime Database allows for 100 simultaneous connections, 1 GB stored, and 10 GB per month downloaded on the free tier.
Firebase for mobile app development is scalable and accessible from client devices.
It seems to be the current rate limit is to use some middleware like express-rate-limiter. Then in your server.ts (or .js if JavaScript) file you can do as follows:
import * as express from 'express';
import * as rateLimit from 'express-rate-limit';
const server: Express = express();
server.set('trust proxy', 1); // Enable because the application is behind reverse proxy (Firebase).
server.use(
rateLimit({
max: 100, // Max 100 connections per windowMs can be done before sending HTTP 429 (Too Many Requests) response code. After 100 requests within 15 minutes block the IP.
message:
'This IP has been temporarily blocked due to too many requests, please try again later.',
windowMs: 15 * 60 * 1000 // In milliseconds, keep records of requests in memory for 15 minutes.
})
);
Alternatively, if you don't want to block the IP, rather slow it down use express-slow-down.
Firebaser here.
There is currently no way to rate-limit based on IP address with Firebase Hosting. Our CDN partner includes some built-in protection against (D)DoS attacks, but this is not presently configurable.
We find that this generally isn't a problem. If you do run into usage that you suspect is abuse, please reach out to Firebase support and we'll work with you to resolve the situation to everyone's satisfaction.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With