Express app without a rate limiter
Part of Security, which counts for 30% of the overall score. When this check fires it deducts 4 points from that category, once per scan, no matter how many places it turns up.
What it detects
An Express/Fastify server has no rate-limiting middleware dependency or usage, leaving login and API routes open to brute-force and abuse. Heuristic: not every service needs one.
Why it matters
With no rate limiter, login, password-reset, and API endpoints accept unlimited attempts from a single client, which makes credential stuffing and brute force cheap and lets one caller exhaust downstream resources. Public APIs without a limit are also easy to run up cost or degrade for everyone. This is a heuristic: an internal service behind a gateway that already limits may not need its own.
How to fix it
Add express-rate-limit and apply a global limiter, then a stricter one on auth routes: app.use(rateLimit({ windowMs, max })). Put the limiter behind a correctly configured trust proxy setting so per-IP counting works, and consider rate-limiter-flexible with Redis if you run multiple instances.
The paid report includes a ready-to-paste prompt for your AI coding agent for every check it finds, pointed at the exact findings from your scan. See pricing
Does your repo trip this check?
Paste a GitHub URL or drop a project folder. Scans run in your browser and take seconds.
Scan your repo