HTTP request handlers should not perform expensive operations such as accessing the file system, executing an operating system command or interacting with a database without limiting the rate at which requests are accepted. Otherwise, the application becomes vulnerable to denial-of-service attacks where an attacker can cause the application to crash or become unresponsive by issuing a large number of requests at the same time.

A rate-limiting middleware should be used to prevent such attacks.

The following example shows an Express application that serves static files without rate limiting:

To prevent denial-of-service attacks, the express-rate-limit package can be used:
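As an added illustration (not the page's own example code, and not the express-rate-limit package itself), the block below builds a minimal fixed-window limiter with the same `(req, res, next)` middleware contract, and a tiny stand-in for Express so the effect of placing it in front of an expensive handler can be checked offline. It assumes clients are keyed by `req.ip`, that the clock is injectable, and uses constructed request objects with documentation-range IP addresses.

```javascript
// Added illustration, not the page's own example: a fixed-window rate limiter
// with the (req, res, next) middleware contract that express-rate-limit also
// uses. Assumptions: clients are keyed by req.ip; the clock is injectable.

function createRateLimiter({ windowMs, max, now = Date.now }) {
  const hits = new Map(); // client key -> { count, resetAt }
  return function limiter(req, res, next) {
    const t = now();
    let entry = hits.get(req.ip);
    if (!entry || t >= entry.resetAt) {        // first hit, or the window expired
      entry = { count: 0, resetAt: t + windowMs };
      hits.set(req.ip, entry);
    }
    entry.count += 1;
    res.setHeader('X-RateLimit-Limit', String(max));
    res.setHeader('X-RateLimit-Remaining', String(Math.max(0, max - entry.count)));
    if (entry.count > max) {
      res.status(429).send('Too Many Requests');
      return;                                  // next() not called: handler never runs
    }
    next();
  };
}

// Stand-in for the expensive handler (res.sendFile in a real app); counts reads.
function makeServeFile() {
  const handler = (req, res) => { handler.reads += 1; res.status(200).send('file contents'); };
  handler.reads = 0;
  return handler;
}

// Minimal Express-like dispatcher: runs the chain for one request, returns res.
function dispatch(chain, req) {
  const res = {
    statusCode: 200, body: null, headers: {},
    setHeader(k, v) { this.headers[k] = v; },
    status(c) { this.statusCode = c; return this; },
    send(b) { this.body = b; },
  };
  let i = 0;
  const next = () => { const mw = chain[i++]; if (mw) mw(req, res, next); };
  next();
  return res;
}

// Send n requests from one client (constructed IP) through the chain; return the status codes.
function burst(chain, ip, n) {
  return Array.from({ length: n }, () => dispatch(chain, { ip }).statusCode);
}
```

With `[serveFile]` alone every request reaches the handler, while with `[limiter, serveFile]` requests beyond `max` within a window are answered with 429 and never touch the file system; each client gets its own budget and the counter resets when the window expires.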

  • OWASP: Denial of Service Cheat Sheet.
  • Wikipedia: Denial-of-service attack.
  • NPM: express-rate-limit.