Learn how to implement rate limiting middleware in Express for efficient resource management in your server.

Safeguarding Your Server: Adding Rate Limit Configuration

[00:00] Because we want this rate limit to apply before we even get into our Remix code, so we want to use as few resources as possible to handle these rate limits before we get into our Remix stuff, this is all going to happen before Remix is even called. So this will happen in our server index file right here. So this is our Express server.

[00:17] We have a couple static files, stuff where we're compressing responses, all this stuff. This is all stuff that is like, it's really fast, it's not a problem, and in fact users will be making requests to get static resources a lot anyway, so I don't think we want to rate limit them. So we'll do this after all that stuff, but before we get into the real

[00:37] resource intensive stuff like database queries and stuff where we jump into the Remix stuff. So right here is a pretty good place to add our middleware for rate limiting. So we'll say app.use and we'll say rate limit, and that's going to come from Express Rate Limit, and then we'll configure it as we have laid out here. So

[00:56] window.ms, that's going to be a 60 second window. So as time moves forward, our window moves forward, right? I'm not sure which way looks more natural to you, but as time moves forward, we're going to be moving forward on our window, and as long as there are less than the number of our max

[01:12] requests in that window, then they're good to go. So then we are going to set our max, we'll set it to a thousand. This is probably a little much, we probably wouldn't catch somebody hitting the refresh button a bajillion times. So you're going to be adjusting this based on the needs of your specific application.

[01:31] This will vary widely based on whether you're integrating with a third party and they're making requests for a bunch of different users, or you're just a regular web app and you're accepting regular traffic. So maybe a thousand might be a little bit much for our particular use case, but the other thing is you don't want to get in the way of

[01:48] regular users either. So it's definitely a balance and a trade-off. So then we're going to add our standard headers and disable the legacy headers. So there are the standard headers for communicating the rate limit. This can be very useful, especially if you're integrating with a third party and they're talking to your APIs. You want to be able to let them know, hey, you're hitting, like you're getting

[02:08] close to your rate limit, or here's how much you've got left. So those headers are actually quite useful. And then the legacy headers are unnecessary because we've got the standard headers. And with that, we now have our rate limit. Now, this is going to be really difficult to reproduce because of our max.

[02:24] So I'm actually going to lower it down to five so that we can test out what it actually looks like. So I go one, two, three, four, five, and then six. And we got too many requests. Please try again later. You can, of course, customize this page, but it's,

[02:40] yeah, feel free to if that's something that you are into. Okay, so that we do have this one last bit, and that is to make sure that when process ENV testing is defined, we just have a very, very large limit. So that, like, I want to keep the

[02:58] rate limit middleware in there because I want my testing to go through that. But I don't want to ever have my tests be rate limited because my tests are, they actually are bots. And so they are okay to hit my server a lot. And so that's what we're going to do right here. We're going to say our

[03:15] max multiple is equal to, if we are testing, let's do, like, something outrageous like 10,000. Otherwise, it's one. And then we'll multiply our max by the max multiple. And that way, when we're running in our tests, we're going to basically never hit that maximum. But in production, we

[03:34] definitely potentially could. And so here, now I can hit it a bunch of times and it will work just fine. So that is our initial rate limit. That's a good, like, baseline that will help protect the rest of your app from getting hit a bunch of different

[03:51] times from bots. Now, there are a lot of hosts that you can use to deploy your application that will handle the, like, just general DDoS attacks and stuff like that, where they just send a swarm of bots to you and all that stuff. They typically will protect you from

[04:09] this sort of thing. But, yeah, having this built in yourself can be really helpful to handle those kinds of attacks as well. It's a good idea to put in place. And it's especially a good idea to put in place for some of your more sensitive endpoints, which we'll do in a future step. But that's getting us

[04:28] started with a pretty straightforward rate limit middleware.

Optimizing Your Express Server with Rate Limiting Middleware

[00:00] There's no situation in the world where it would make sense for somebody to sit here and go refresh about a bajillion times in a minute. That just wouldn't make any sense. They're probably trying to do a denial-of-service attack or something, and the fewer resources we can allocate to somebody doing something

[00:17] like this, the better. So I'm just going to keep going because we haven't implemented this yet. So what we're going to be doing in this exercise is adding a single rate limit configuration so that we can make sure that users cannot hit our servers a bajillion times unnecessarily. We're going to go with

[00:36] something a little bit more reasonable for the types of GET requests people are going to be making. Now people, of course, they're going to be navigating to a bunch of different pages and stuff, and so you do want to be reasonable with the rate limiting that you've got. But yeah, anybody who's doing something like this

[00:52] probably should get rate limited. We should be like, whoa, slow down, before we even let them into our actual AppLogic. So we're going to add the express rate limit middleware so that we can stick that in place before we get into our AppLogic to save our servers a little bit of the work of handling all these

[01:10] GET requests. So have a good time. We'll see you when you're done.

Forms are the primary mechanism for interactivity on the web.

But for all of their importance, forms can be incredibly frustrating for developers and users alike.

There are a lot of moving parts to consider: 

You need to validate user input and handle complex data structures, while being secure from bots and data-stealing attacks. The UI should inform users of any issues as quickly as possible, and be accessible for all.

The Professional Web Forms Workshop will equip you with the tools to handle all of these challenges and more.

## Form Validation

HTML has several attributes built-in that help with form element validation. Unfortunately, they're not enough on their own. On the client-side, bad actors can bypass checks by manually adding the `novalidate` attribute or making requests directly. On the server side, there's no standard way to respond to validation errors other than a generic 400 status code.

In this section, you'll implement a base level of form validation:

- Essential HTML attributes for validation
- Server-side validation with JSON responses
- Displaying errors with the `useActionData` hook
- Disabling default browser validation messages with `useHydrated`

## Accessibility

Accessibility is often an afterthought, but should be a priority. While forms are just one part of the accessibility equation, they're a big one. In this section, you'll learn how to make sure your forms accessible and usable by all of your application's users:

- Properly associating labels with input fields
- Adding appropriate ARIA attributes when necessary
- Manage keyboard focus in response to errors and user interactions
- Creating and using a `useFocus` hook to direct the user’s focus
- Considerations for accessibility testing

## Schema-Based Validation

Manually writing conditional checks for every field in every form is tedious and error-prone: *Is there content in the field? Is it the right type? Is it within the acceptable range? There must be a better way!*

Fortunately, the combination of the Zod and Conform libraries makes it easy to define reusable declarative schemas to validate form data on the client and server:

- Safely replace HTML validation attributes with schemas
- Zod error handling & message customization
- Progressively enhanced validation with Conform
- Share type-safe validation logic between client and server

## File Uploads

Forms need to support more than just text. Images, videos, audio files, and other documents need a different type of input. Depending on the size of the file, you'll have considerations for how and where it is uploaded. In this section, you'll learn how to handle file uploads in a secure and efficient way:

- Uploading images from an `ImageChooser` component
- Handling file uploads on the server
- Schema validation for file uploads with Zod

## Complex Data Structures

The `FormData` API does not support representing objects or arrays– only key/value pairs. It also won't allow you to nest forms within each other. This makes representing complex data structures difficult without jumping through some hoops. Luckily for us, Conform has a great solution when your forms get complex. Here you'll practice:

- Infer field types with Zod
- Nesting objects as a form
- Represent arrays of fields with the `useFieldList` utility
- Add and remove items with Conform's `intent` buttons

## Spam Prevention with Honeypots

Spam bots are constantly crawling the web, looking for forms to submit junk data to boost their client’s search engine rankings and find holes in your security. This can strain server resources, contaminate databases, and cause other unforeseen consequences. One way to combat this is by using a "honeypot", which will prevent a form from being submitted by a bot. This section will teach you how to:

- Create a simple hidden-field validation
- Add a configurable honeypot instance to an action
- Prevent form submissions that are too fast
- Use environment variables for encryption seeds

## CSRF Protection

Cross-Site Request Forgery (CSRF) attacks are a type of malicious exploit where a user is tricked into performing an action they did not intend to. This is usually done by embedding a link or form in a page that the user is already authenticated to. Think of a user logged into their bank account clicking a link that transfers money from their bank account to the attacker's. To prevent this type of attack, you'll want to:

- Create a signed cookie in the user's browser
- Include unique user tokens in forms
- Validate tokens on the server via request headers

## Rate Limiting

You definitely want to prevent bad actors from making tons of requests to try to brute-force their way into your app or cause general chaos. However, malicious intent and spam aren't the only reasons you need to protect your site. Even too many legitimate requests can cause problems. Rate limiting is a way to prevent users from overloading your server with requests. Here you'll learn:

- Considerations for different limits for `GET` vs. `POST` requests
- Implementing basic rate limiting with Express middleware
- Tiered rate limiting depending on which form is being submitted

The Professional Web Forms Workshop will equip you for building complex, fully accessible forms that handle validation and file uploads while preventing spam.

Professional Web Forms

Kent C. Dodds

Full Stack Vol 1

Intro to Professional Web Forms Workshop

Introduction to Workshop

Intro to Form Validation 

Discover the importance of validation in web apps. Learn to implement required field validation for data integrity and UX enhancement.

Leverage HTML attributes for form validation, enhancing UX and accessibility. Explore browser validation and screen reader integration for user guidance.

Form Validation for Accessibility

Required Field Validation for User Input

Implement server-side validation to enhance security and user assistance, preventing client-side bypass. Customize error messages for a seamless design.

Master server-side form validation for data integrity and user-friendly error messages. Enhance UX by securely validating input before server processing.

Server-Side Form Validation and Error Handling

Server-side Validation and Custom Error Messages

Prevent incorrect form submissions pre-JavaScript with novalidate attribute using useHydrated hook. Elevate UX, maintain data integrity.

Optimize form validation with 'useHydrated' hook for client-side hydration. Enhance UX with browser-built and server-side validation synergy.

Form Validation with Client-Side Hydration

Dynamic Error Validation with Hooks

Dad Joke Break From Validation

Form Validation

Intro to Accessibility

Learn how to troubleshoot and fix issues with a non-functioning reset button and accessibility problems in a web form.

Learn how to properly associate buttons and form elements, such as the reset button, with their respective forms for improved functionality and accessibility.

Improving Accessibility and Form Associations

Fixing Form Reset Button and Accessibility Issues

Associate error messages with input fields via ARIA attributes for precise screen reader notifications. Learn about semantic HTML and ARIA for accessibility.

Use ARIA attributes like ARIA invalid & describedby. Link error messages to inputs for improved screen reader support, aiding assistive tech users.

Accessible Forms with ARIA Attributes

Error Messages and Accessibility with ARIA Attributes

Enhance app accessibility & UX with focus management: auto-focus error fields, programmable forms, & better editing. Create an inclusive, user-friendly app.

Enhance React app accessibility and UX: auto-focus form inputs and navigate to error messages for improved handling of form errors.

Managing Focus for Form Errors

Focus Management for Better User Experience

Dad Break Joke Accessibility

Accessibility

Intro to Schema Validation

Optimize development with Zod schema validation. Boost efficiency and code robustness, replacing custom logic for an enhanced developer experience. 

Learn how to implement schema validation using Zod in a note editor application. Discover how to define and enforce data

Schema Validation with Zod 

Schema Validation 

Data parsing with Conform's Conform utility. Apply server-side logic and streamline development with additional UI utilities for efficient form handling.

Improve UX & enable progressive enhancement: Replace form validation & error handling with powerful Zod utility in your app

 Form Submission and Error Handling with Conform & Zod

Form Data Parsing with Conform

Enhance UI with Conform's React utilities for end-to-end type safety. Leverage progressive enhancement for a fabulous development experience.

Eliminate custom code for better UX. Seamlessly manage form submission and client-side validation with Conform, ensuring robust server-side validation

Simplifying Form Handling with Conform and Schema Validation

Type Safety with Conform

Dad Joke Break Schema Validation

Schema Validation

Intro to File Upload

Add file upload to edit page for user-friendly image & file attachments. Handle uploads in Remix, enforcing size limits. 

Integrate image upload with form data and memory handling. Use image chooser, manage existing images, set encoding, size limit, and specify alt text. 

Image Upload with Form Data and Memory Upload Handling

File Upload Functionality 

Improve code quality and address TypeScript errors for a robust application, making Lily the life jacket (and yourself) happy.

Update schema for image ID, alt text, and file uploads. Master file validation with Zod for size restrictions and error handling on client & server sides. 

Validating File Uploads with Zod Schema in a Web Application

TypeScript Integration

Dad Joke Break File Upload

File Upload

Intro to Complex Structures 

Address challenges in grouping properties into sub-objects in forms, especially for multiple image uploads. Satisfy Zod's requirements for seamless integration.

Learn to add image field set schema to Zod schema, update HTML elements, and integrate with Conform for type safety and form functionality. 

Implementing Image Field Set with Conform and TypeScript

Grouping and Managing Related Fields in Form Objects

Update your app's schema for multiple images, adapt actions/components, and enable seamless addition/removal of multiple images for an enhanced user experience.

Master dynamic image lists with Qualifax: add and remove images effortlessly. Update schema, implement field sets, and iterate through image choosers with ease.

Dynamic Image Lists with Field Sets 

Multiple Image Uploading 

Dynamic image addition and deletion with alt text functionality, progressive enhancements, and input submission using Conform utilities in web development

Master dynamic button generation for form accessibility using Conform utilities. Modify field sets with list functions, explore progressive enhancement.

Dynamically Delete and Add Buttons

 Interactive Image Management

Dad Joke Break Complex Structures 

Complex Structures

Intro to Honeypot

Add a hidden input field honeypot to deter spam bots, enhance deliverability, and prevent spam issues. Explore additional tips for form security.

Boost sign-up form security with invisible honeypot fields to catch spam bots. Discover effective techniques for handling bot submissions in your app.

Honeypot Fields in Sign Up Forms

Adding a Honeypot to Protect Against Spam Bots

Protect your website from spam bots with automatic updates to Honeypot configurations.

Enhance security with Remix Utils Honeypot fields. Customize divs, ARIA, and server-side validation to deter spam. Best practices for errors and HTTP codes.

Honeypot Fields for Form Security

Honeypot Protection with `remix-utils`

Efficiently implement Honeypot security on forms: Transfer server data to client for reliable bot protection.

Implement honeypot protection: Create provider, configure props, render components, prevent quick form submission, thwart automated bots.

Honeypot Protection

Honeypots for Form Security 

Ensure consistent Honeypot encryption secret across servers and regions for form data integrity and conflict avoidance

Securely add honeypot secret to server validation, configure in local .env for data protection.

Setting Up Honeypot Security for Server Environment Variables

Consistent Encryption with Honeypot Server

Dad Joke Break Honeypot

Honeypot

Intro to CSRF

Implement CSRF protection: Generate tokens, set secure cookies, associate with clients, and use environment variables.

Implement Node.js CSRF utility: Generate tokens, secure cookies, prevent cross-site request forgery attacks.  

Creating and Managing CSRF Tokens With Node.js

CSRF Protection with Cookies 

Protect user data with authenticity tokens: Render, verify, and enhance user experience.

Secure forms with Authenticity Token input and CSRF validation for protection against tampering. Improve security and error responses.

Security with Authenticity Token and CSRF Validation

Authenticity With Token Protection 

Dad Joke Break CSRF

Cross-Site Request Forgery

Intro to Rate Limit 

Implement tiered rate limiting: Strong for sign-up/login, moderate for posts, and general defense. Custom middleware assigns tiers.

Professional Web Forms

Professional Web Forms

Transcript

Optimizing Your Express Server with Rate Limiting Middleware

Transcript