Implementing Rate Limiting in Next.js Middleware with Redis for API Security

User avatar placeholder
Written by Tamzid Ahmed

June 1, 2026

API security threats like DDoS attacks and brute-force attempts are escalating, making rate limiting a critical defense layer. In Next.js applications, implementing rate limiting at the middleware level with Redis ensures robust protection without sacrificing performance.

Why Rate Limiting Matters for API Security

Unrestricted APIs are prime targets for abuse. Attackers can overwhelm servers with excessive requests, leading to downtime, data breaches, or cloud cost overruns. According to OWASP, rate limiting is a top mitigation strategy for API vulnerabilities. Without it, even well-secured endpoints become vulnerable to automated threats.

Choosing the Right Redis Solution for Next.js Middleware

Next.js middleware runs on edge servers, so traditional Redis clients won’t work. Upstash provides a serverless Redis service compatible with edge environments, making it ideal for this use case. Its global network ensures low latency while eliminating infrastructure management overhead.

Key Considerations

  • Edge compatibility: Must support edge runtime in Next.js
  • Low latency: Global Redis nodes reduce response times
  • Easy setup: No infrastructure management required

Step-by-Step Implementation Guide

Follow these steps to integrate Upstash Redis rate limiting into your Next.js middleware:

1. Set Up Upstash Redis

Create an account at Upstash and note your Redis URL and token. Install the required packages:

  1. Run npm install @upstash/redis @upstash/ratelimit

2. Configure Environment Variables

Add these to your .env.local file:

UPSTASH_REDIS_REST_URL="your-upstash-url"
UPSTASH_REDIS_REST_TOKEN="your-upstash-token"

3. Create the Rate Limiter Instance

In your middleware file (middleware.ts), initialize the Redis client and rate limiter:

import { Ratelimit } from "@upstash/ratelimit";
import { Redis } from "@upstash/redis";

const redis = new Redis({
  url: process.env.UPSTASH_REDIS_REST_URL,
  token: process.env.UPSTASH_REDIS_REST_TOKEN,
});

const rateLimiter = new Ratelimit({
  redis,
  limiter: Ratelimit.slidingWindow(5, "1 s"), // 5 requests per second
});

4. Integrate into Middleware

Use the rate limiter in your middleware function:

export default async function middleware(req: NextRequest) {
  const ip = req.ip || "127.0.0.1";
  const { success } = await rateLimiter.limit(ip);
  if (!success) {
    return new Response("Too many requests", { status: 429 });
  }
  return NextResponse.next();
}

Configuring Rate Limit Rules and TTLs

Adjust the sliding window parameters based on your needs. For example:

  • Public endpoints: 10 requests per 10 seconds
  • Authenticated users: 100 requests per minute
  • Admin endpoints: 50 requests per hour

Use TTL configuration to automatically expire old request records and optimize Redis memory usage.

Testing and Monitoring Your Rate Limiter

Use curl to simulate requests:

curl -H "X-Forwarded-For: 192.0.2.1" http://localhost:3000/api/endpoint

Monitor usage via Upstash’s dashboard to detect anomalies. Real-time metrics help fine-tune thresholds before traffic spikes impact your application.

Best Practices and Common Pitfalls

When implementing rate limiting:

  • Use X-Forwarded-For header for real client IPs behind proxies
  • Combine with JWT authentication for user-specific limits
  • Avoid hardcoding limits; use environment variables for flexibility
  • Test with real-world traffic patterns before deployment

Conclusion

Implementing Redis-based rate limiting in Next.js middleware is essential for securing APIs against abuse while maintaining performance. By leveraging Upstash’s edge-compatible Redis, developers can enforce precise request controls without compromising serverless efficiency. Start by testing your rate limiter with real traffic patterns and adjust thresholds based on observed usage. Remember: proactive security measures like this are the foundation of resilient applications.

Leave a Comment