Security Guides

Rate Limiting in Next.js: Why Most AI-Generated Apps Are Vulnerable

SecuriSky TeamApril 9, 202610 min read

Introduction to Rate Limiting in Next.js

Rate limiting is a critical security feature that prevents an application from being overwhelmed by a large number of requests. Most AI-generated apps built with frameworks like Cursor, Lovable, Bolt, v0, or Replit are vulnerable to rate limiting issues because they often lack proper implementation. In a typical Next.js application, rate limiting can be achieved using middleware functions that track and limit the number of incoming requests.

To understand why rate limiting is essential, consider a scenario where an attacker sends a large number of requests to your application in a short period, causing it to become unresponsive or even crash. This is known as a denial-of-service (DoS) attack. By implementing rate limiting, you can prevent such attacks and ensure your application remains available to legitimate users.

Implementing Rate Limiting in Next.js

To implement rate limiting in a Next.js application, you can use a middleware function that tracks the number of incoming requests and blocks requests that exceed a certain limit. Here is an example of how you can implement rate limiting using the next-api-route package:

import { NextApiRequest, NextApiResponse } from 'next';

import rateLimit from 'next-api-route';



const limiter = rateLimit({

  window: 1, // 1 minute
  max: 100, // 100 requests per window

});



const handler = async (req: NextApiRequest, res: NextApiResponse) => {

  await limiter(req, res);
  if (res.statusCode === 429) {
    return res.json({ error: 'Rate limit exceeded' });
  }
  // Handle request

};



export default handler;

In this example, the rateLimit function is used to create a middleware function that tracks the number of incoming requests and blocks requests that exceed the limit.

Using a Token Bucket Algorithm

Another approach to implementing rate limiting is to use a token bucket algorithm. This algorithm works by adding tokens to a bucket at a fixed rate, and each request consumes one token. If the bucket is empty, the request is blocked. Here is an example of how you can implement a token bucket algorithm in Next.js:

import { NextApiRequest, NextApiResponse } from 'next';


class TokenBucket {

  private tokens: number;
  private lastUpdate: number;
  private rate: number;

  constructor(rate: number, capacity: number) {
    this.tokens = capacity;
    this.lastUpdate = Date.now();
    this.rate = rate;
  }

  public consume(): boolean {
    const now = Date.now();
    const elapsed = now - this.lastUpdate;
    this.tokens = Math.min(this.tokens + elapsed * this.rate / 1000, 100);
    this.lastUpdate = now;
    if (this.tokens < 1) {
      return false;
    }
    this.tokens -= 1;
    return true;
  }

}



const bucket = new TokenBucket(10, 100); // 10 tokens per second, 100 capacity



const handler = async (req: NextApiRequest, res: NextApiResponse) => {

  if (!bucket.consume()) {
    return res.status(429).json({ error: 'Rate limit exceeded' });
  }
  // Handle request

};



export default handler;

In this example, the TokenBucket class is used to implement a token bucket algorithm that adds tokens to a bucket at a fixed rate and consumes one token for each request.

Using SecuriSky to Detect Rate Limiting Issues

SecuriSky is a security scanner that can help you detect rate limiting issues in your AI-generated apps. By using SecuriSky, you can identify potential vulnerabilities in your application and take steps to fix them before they are exploited by attackers.

Example of a Rate Limiting Attack

To illustrate the importance of rate limiting, consider an example of a rate limiting attack. Suppose an attacker sends 1000 requests to your application in a short period, causing it to become unresponsive. This can be achieved using a tool like curl:

for i in {1..1000}; do
  curl -X GET http://example.com/api/endpoint

done

If your application does not have proper rate limiting in place, it may become unresponsive or even crash under such an attack.

Best Practices for Implementing Rate Limiting

To ensure that your application is properly protected against rate limiting attacks, follow these best practices:

* Implement rate limiting at the application level, rather than relying on external services or libraries.

* Use a combination of IP blocking and rate limiting to prevent attacks from multiple IP addresses.

* Monitor your application's traffic and adjust your rate limiting settings accordingly.

* Use a security scanner like SecuriSky to detect potential vulnerabilities in your application.

Quick Fix Checklist

  • [ ] Implement rate limiting using a middleware function or token bucket algorithm
  • [ ] Set a reasonable rate limit (e.g. 100 requests per minute)
  • [ ] Monitor application traffic and adjust rate limiting settings as needed
  • [ ] Use a security scanner to detect potential vulnerabilities
  • [ ] Implement IP blocking to prevent attacks from multiple IP addresses
    • Back to Blog
    Next.js Rate Limiting — SecuriSky Blog