Express middleware for mitigating brute-force attacks



Express Bouncer

A simple, standalone middleware for Express routes that attempts to mitigate brute-force attacks. It works by increasing the delay with each failed request using a Fibonacci formula. Requests are tracked by IP address, and addresses can be white-listed or reset on demand. All logged addresses are stored locally in an object, and dormant addresses are removed automatically. Error messages are completely customizable. This project is based on express-brute, created by Adam Pflug.


```shell
$ npm install express-bouncer
```

Quick Start

```js
var express = require ("express");
var app = express ();

// Creates a new instance of our bouncer (args optional)
var bouncer = require ("express-bouncer")(500, 900000);

// Add white-listed addresses (optional)
bouncer.whitelist.push ("");

// In case we want to supply our own error (optional)
bouncer.blocked = function (req, res, next, remaining) {
    res.status (429).send ("Too many requests have been made, " +
        "please wait " + remaining / 1000 + " seconds");
};

// Route we wish to protect with bouncer middleware
app.post ("/login", bouncer.block, function (req, res) {
    // LoginFailed stands in for the result of your own credential check
    if (LoginFailed) {
        // Login failed: do not reset, so the delay keeps growing
    } else {
        // Login succeeded: clear the wait time for this address
        bouncer.reset (req);
    }
});

// Clear all logged addresses
// (Usually never really used)
bouncer.addresses = { };
```



```js
require ("express-bouncer")(min, max, free)
```
  • `min`: The minimum number of milliseconds the user can be forced to wait. (default: 500 ms)
  • `max`: The maximum number of milliseconds the user can be forced to wait. (default: 10 min)
  • `free`: The number of attempts a user can make before being forced to wait. (default: 2)
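
To see what `min`, `max` and `free` mean for the guess rate a single address can sustain, the following added example models the delay schedule; it is not code from express-bouncer. It assumes the delays are Fibonacci multiples of `min` with the last step clamped to `max` (the package's exact formula is not shown on this page), and the function names are hypothetical.

```javascript
// Added illustration, not express-bouncer source. ASSUMPTION: delays are
// Fibonacci multiples of min (min, min, 2*min, 3*min, 5*min, ...) and the
// last step is clamped to max. All function names here are hypothetical.
function delaySchedule (min, max) {
    if (!(min > 0) || !(max > 0)) {
        throw new RangeError ("min and max must be positive milliseconds");
    }
    var delays = [min];
    while (delays[delays.length - 1] < max) {
        var prev = delays.length > 1 ? delays[delays.length - 2] : 0;
        delays.push (delays[delays.length - 1] + prev);
    }
    delays[delays.length - 1] = max; // never wait longer than max
    return delays;
}

// Wait (ms) imposed before failed attempt number n (1-based).
// The first `free` attempts are not delayed; past the end of the
// schedule every further attempt waits `max`.
function waitBefore (n, delays, free) {
    if (n <= free) return 0;
    return delays[Math.min (n - free - 1, delays.length - 1)];
}

// Upper bound on the failed attempts one address can make inside windowMs
// if it retries the instant each delay expires and is never reset.
function attemptsWithin (windowMs, min, max, free) {
    var delays = delaySchedule (min, max);
    var elapsed = 0, attempts = 0;
    for (;;) {
        elapsed += waitBefore (attempts + 1, delays, free);
        if (elapsed > windowMs) return attempts;
        attempts++;
    }
}

var HOUR = 60 * 60 * 1000;
// Quick-start settings (500 ms, 15 min) with free = 2
console.log (attemptsWithin (HOUR, 500, 900000, 2)); // 20
// Documented defaults (500 ms, 10 min, free = 2)
console.log (attemptsWithin (HOUR, 500, 600000, 2)); // 21
```

The figures are per tracked IP address and assume `reset` is never called in between.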


  • `reset`: Resets the wait time between attempts for the specified request.
  • `block`: Middleware that will block requests which are occurring too often.


  • `addresses`: A list of logged IP addresses. Cleared by overriding with a new object.
  • `whitelist`: A list of white-listed IP addresses. These addresses will never be blocked.
  • `blocked`: Function to be called when a request has been blocked. (see Quick Start)

