Web Dev Tools

Rate Limiting

Throttling abuse, protecting paid endpoints, and shaping traffic.

Application-level (in your code)

  • Upstash Ratelimit (@upstash/ratelimit) — sliding-window, fixed-window, token-bucket; works with Upstash Redis or Vercel KV. Generous free tier; the default for serverless / edge apps.
  • hono-rate-limiter — Hono middleware; works with any storage.
  • @nestjs/throttler — built-in NestJS module.
  • express-rate-limit — long-running classic for Express.
  • fastify-rate-limit — for Fastify.
  • p-throttle, p-queue — client-side or in-process throttling.

Storage backends

  • Redis / Upstash Redis / DragonflyDB — most common.
  • Postgres with row-level counters — works fine for low-volume workloads.
  • Cloudflare Durable Objects — single-shard counter per limiter; ideal for Workers.
  • Cloudflare Workers Rate Limiting API — built-in, configured in wrangler.toml.

Edge / platform-level (no app code)

  • Cloudflare Rate Limiting Rules — config-driven, free tier exists, great first line of defense.
  • Vercel Firewall (formerly Vercel WAF) — built-in rate-limit + bot rules; free tier.
  • AWS WAF, GCP Cloud Armor, Azure Front Door — cloud-provider WAFs.
  • Nginx limit_req_zone, HAProxy stick-tables, Caddy rate_limit — self-host.

API gateways with rate limiting

  • Kong, Tyk, Apache APISIX — full API gateways, rate-limit included.

Pick this if…

  • Serverless / edge app: Upstash Ratelimit (with Upstash Redis).
  • All-Cloudflare: the built-in Workers Rate Limiting API + Cloudflare Rate Limiting Rules.
  • Long-running Node: express-rate-limit or hono-rate-limiter + Redis.
  • Self-host nginx in front: limit_req_zone.
  • You just want it gone: put a Cloudflare or Vercel WAF rule in front.
