RateLimitOptions

Properties
Name | Type | Description
errorResponseMessage | String

The error message that should be returned in the body of the HTTP 429 response when the rate limit is hit. The default is 'Too many requests.'

includeInternalRequests | Boolean

Optional, if true the rate limit will also apply to requests that are made by Cloud Code, default is false. Note that a public Cloud Code function that triggers internal requests may circumvent rate limiting and be vulnerable to attacks.

includeMasterKey | Boolean

Optional, if true the rate limit will also apply to requests using the masterKey, default is false. Note that a public Cloud Code function that triggers internal requests using the masterKey may circumvent rate limiting and be vulnerable to attacks.

redisUrl | String

Optional, the URL of the Redis server to store rate limit data. This makes it possible to rate limit requests for multiple servers by calculating the sum of all requests across all servers. This is useful if multiple servers are processing requests behind a load balancer. For example, the limit of 10 requests is reached if each of 2 servers processed 5 requests.

requestCount | Number

The number of requests that can be made per IP address within the time window set in requestTimeWindow before the rate limit is applied.

requestMethods | Array.<String>

Optional, the HTTP request methods to which the rate limit should be applied, default is all methods.

requestPath | String

The path of the API route to be rate limited. Route paths, in combination with a request method, define the endpoints at which requests can be made. Route paths can be strings, string patterns, or regular expressions. See: https://expressjs.com/en/guide/routing.html

requestTimeWindow | Number

The window of time in milliseconds within which the number of requests set in requestCount can be made before the rate limit is applied.

zone | String

The type of rate limit to apply. The following types are supported:

- global: rate limit based on the number of requests made by all users
- ip: rate limit based on the IP address of the request
- user: rate limit based on the user ID of the request
- session: rate limit based on the session token of the request


Default is 'ip'.
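The following is an added example, not code from Parse Server or its documentation: a small audit function that checks a RateLimitOptions object against the notes in the property descriptions above (milliseconds for the window, the supported zone values, the two exemptions that default to false, and per-server counting when no redisUrl is set). The names auditRateLimit and servers, the sub-second heuristic, and the sample values are assumptions made for illustration.

```javascript
// Added example: auditRateLimit() and its `servers` option are hypothetical helpers,
// not part of Parse Server. They check option objects against the notes above.
const ZONES = ['global', 'ip', 'user', 'session'];

function auditRateLimit(opts, { servers = 1 } = {}) {
  const findings = [];
  // requestPath, requestTimeWindow and requestCount have no documented default.
  for (const key of ['requestPath', 'requestTimeWindow', 'requestCount']) {
    if (opts[key] === undefined) findings.push(`${key} is missing`);
  }
  for (const key of ['requestTimeWindow', 'requestCount']) {
    const v = opts[key];
    if (v !== undefined && !(Number.isFinite(v) && v > 0)) {
      findings.push(`${key} must be a positive number`);
    }
  }
  // Heuristic (assumption): a sub-second window usually means seconds were intended.
  if (opts.requestTimeWindow > 0 && opts.requestTimeWindow < 1000) {
    findings.push('requestTimeWindow is in milliseconds and is under one second');
  }
  const zone = opts.zone ?? 'ip'; // documented default
  if (!ZONES.includes(zone)) findings.push(`zone '${zone}' is not a supported type`);
  // Both flags default to false, which leaves these requests uncounted.
  if (opts.includeInternalRequests !== true) findings.push('Cloud Code requests are exempt');
  if (opts.includeMasterKey !== true) findings.push('masterKey requests are exempt');
  // Without redisUrl the request counts are not summed across servers.
  if (servers > 1 && !opts.redisUrl) {
    findings.push(`redisUrl is not set: each of ${servers} servers counts separately`);
  }
  return findings;
}

// Constructed sample option objects.
const weak = { requestPath: '/login', requestTimeWindow: 60, requestCount: 10, zone: 'IP' };
const hardened = {
  requestPath: '/login',
  requestTimeWindow: 60 * 1000, // 60 seconds, expressed in milliseconds
  requestCount: 10,
  zone: 'ip',
  includeInternalRequests: true,
  includeMasterKey: true,
  redisUrl: 'redis://localhost:6379', // placeholder URL
};

console.log(auditRateLimit(weak, { servers: 2 }));
console.log(auditRateLimit(hardened, { servers: 2 }));
```

Whether the two exemptions are acceptable depends on whether any public Cloud Code function triggers internal or masterKey requests, so treat those findings as items to review rather than errors.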