Will It Vibe logoWill It Vibe?
EXPRESS-002Low severity-4 points

Express app without a rate limiter

Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.

What it detects

An Express/Fastify server has no rate-limiting middleware dependency or usage, leaving login and API routes open to brute-force and abuse. Heuristic: not every service needs one.

Why it matters

With no rate limiter, login, password-reset, and API endpoints accept unlimited attempts from a single client, which makes credential stuffing and brute force cheap and lets one caller exhaust downstream resources. Public APIs without a limit are also easy to run up cost or degrade for everyone. This is a heuristic: an internal service behind a gateway that already limits may not need its own.

How to fix it

Add express-rate-limit and apply a global limiter, then a stricter one on auth routes: app.use(rateLimit({ windowMs, max })). Put the limiter behind a correctly configured trust proxy setting so per-IP counting works, and consider rate-limiter-flexible with Redis if you run multiple instances.

The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing

Does your repo trip this check?

Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.

Scan your repo

Related Security checks