🔐Protecting against Brute Force Attacks in Node.js Express

1. Introduction

Brute force attacks are a common security threat in the world of web development. They consist of systematically trying all possible combinations of characters to crack a password or access a restricted area. In this article, we'll provide a comprehensive guide on how to protect your Node.js Express applications against brute force attacks.

1.1 What is a Brute Force Attack?

A brute force attack is a method used by attackers to gain unauthorized access to a system by systematically trying all possible combinations of usernames and passwords until the correct one is found. This type of attack can be time-consuming and resource-intensive, but it can also be successful if the targeted system lacks proper security measures.

1.2 Node.js Express Overview

Node.js Express is a popular web application framework for building scalable and maintainable applications. It simplifies the development process by providing a layer of abstraction over the native Node.js HTTP module, enabling developers to create robust applications with minimal code.

2. Identifying Brute Force Attacks

In order to protect your application against brute force attacks, you first need to identify the signs of an ongoing attack. Here are some common indicators:

2.1 Unusually High Number of Failed Login Attempts

A sudden increase in failed login attempts may signal a brute force attack. Monitoring login attempts and setting up alerts can help you identify this type of activity.

2.2 Unusual Patterns of Requests

Brute force attackers often use automated scripts to send requests at a rapid pace. Unusual request patterns, such as a sudden spike in traffic or requests coming from a single IP address, can be an indicator of a brute force attack.

2.3 IP Address Reputation

Attackers may use IP addresses known for malicious activities. Monitoring and blocking traffic from such IPs can help protect your application from brute force attacks.

3. Implementing Security Measures

To safeguard your Node.js Express application from brute force attacks, you need to implement various security measures. We'll cover the following techniques:

3.1 Rate Limiting

Rate limiting restricts the number of requests a client can make within a specific time frame. It prevents automated scripts from flooding your server with requests, which can exhaust resources and lead to successful brute force attacks.

3.1.1 Express-rate-limit Middleware

Express-rate-limit is a middleware for Express that enables rate limiting. To use it, install the package:

npm install express-rate-limit

Then, configure and apply it to your application:

const rateLimit = require('express-rate-limit');

const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 100, // limit each IP to 100 requests per windowMs


Adjust the windowMs and max options to fit your application's needs.

3.2 Captchas

Captchas require users to solve a challenge, such as identifying objects in an image or solving a simple mathematical problem. They help differentiate between humans and bots, making it harder for attackers to use automated scripts in brute force attacks.

3.2.1 Implementing Google reCAPTCHA

Google's reCAPTCHA service is a popular captcha solution. To implement it in your Node.js Express application, follow these steps:

  • Register your application on the reCAPTCHA website and obtain the API keys.
  • Install the google-recaptcha package:
npm install google-recaptcha
  • Add the reCAPTCHA client-side code to your login form:
  <script src="https://www.google.com/recaptcha/api.js" async defer></script>
    <!-- Your form fields -->
    <div class="g-recaptcha" data-sitekey="YOUR_SITE_KEY"></div>
    <button type="submit">Submit</button>
  • Verify the reCAPTCHA response server-side:
const GoogleRecaptcha = require('google-recaptcha');
const recaptcha = new GoogleRecaptcha({secret: 'YOUR_SECRET_KEY'});

app.post('/login', (req, res) => {
  const recaptchaResponse = req.body['g-recaptcha-response'];
  recaptcha.verify({response: recaptchaResponse}, (error) => {
    if (error) {
      // Invalid or expired reCAPTCHA response
      res.status(400).json({error: 'Invalid captcha'});
    } else {
      // Continue with your login logic

3.3 Account Lockouts

Locking out an account after a certain number of failed login attempts is another effective measure against brute force attacks. However, it's important to strike a balance between security and usability, as excessive lockouts may frustrate legitimate users.

3.3.1 Implementing Account Lockouts

To implement account lockouts, you'll need to track the number of failed login attempts for each user. Consider using a database or an in-memory store like Redis for this purpose. Heree's an example using Redis:

Install the redis package:

npm install redis

Set up Redis and track failed login attempts:

const redis = require('redis');
const client = redis.createClient();

app.post('/login', (req, res) => {
  const {username, password} = req.body;

  // Check if the account is locked
  client.get(`lockout:${username}`, (err, lockout) => {
    if (lockout) {
      return res.status(429).json({error: 'Account locked'});

    // Check the provided credentials
    authenticate(username, password, (err, success) => {
      if (success) {
        // Reset the failed login attempts counter

        // Continue with your login logic
      } else {
        // Increment the failed login attempts counter

        // Check if the limit has been reached
        client.get(`failed:${username}`, (err, attempts) => {
          if (attempts >= 5) {
            // Lock the account for 30 minutes
            client.setex(`lockout:${username}`, 30 * 60, 1);

        res.status(401).json({error: 'Invalid credentials'});

Adjust the lockout duration and the maximum number of failed attempts as needed.


Protecting your Node.js Express application against brute force attacks is essential to ensure the security and integrity of your system. By implementing security measures like rate limiting, captchas, and account lockouts, you can significantly reduce the risk of unauthorized access. Stay vigilant and keep your application up-to-date with the latest security practices to maintain a safe and secure environment for your users.

Mình hy vọng bạn thích bài viết này và học thêm được điều gì đó mới.

Donate mình một ly cafe hoặc 1 cây bút bi để mình có thêm động lực cho ra nhiều bài viết hay và chất lượng hơn trong tương lai nhé. À mà nếu bạn có bất kỳ câu hỏi nào thì đừng ngại comment hoặc liên hệ mình qua: Zalo - 0374226770 hoặc Facebook. Mình xin cảm ơn.

Momo: NGUYỄN ANH TUẤN - 0374226770

TPBank: NGUYỄN ANH TUẤN - 0374226770 (hoặc 01681423001)


All Rights Reserved

Let's register a Viblo Account to get more interesting posts.