Skip Rate Limiting

Bypass rate limiting for certain requests using the skip option.

Basic Skip Function

Provide a function that returns true to skip rate limiting for a request.

hitlimit({
  limit: 100,
  window: '1m',
  skip: (req) => req.path === '/health'
})

Skip Specific Paths

Exclude multiple paths from rate limiting.

const skipPaths = ['/health', '/metrics', '/ready'];

hitlimit({
  limit: 100,
  window: '1m',
  skip: (req) => skipPaths.includes(req.path)
})

Skip Authenticated Users

Bypass rate limiting for trusted or authenticated users.

hitlimit({
  limit: 100,
  window: '1m',
  skip: (req) => req.user?.role === 'admin'
})

Skip Trusted IPs

Allow unlimited requests from internal or trusted IP addresses.

const trustedIPs = [
  '127.0.0.1',
  '10.0.0.0/8',
  '192.168.1.0/24'
];

hitlimit({
  limit: 100,
  window: '1m',
  skip: (req) => isTrustedIP(req.ip, trustedIPs)
})

Skip Certain Methods

Only rate limit specific HTTP methods.

hitlimit({
  limit: 100,
  window: '1m',
  skip: (req) => req.method === 'GET' // Only limit POST, PUT, DELETE
})

Async Skip Function

Use an async function when you need to check external sources.

hitlimit({
  limit: 100,
  window: '1m',
  skip: async (req) => {
    const apiKey = req.headers['x-api-key'];
    if (!apiKey) return false;

    const client = await getClient(apiKey);
    return client?.tier === 'unlimited';
  }
})

Combine Conditions

Use multiple conditions for more complex skip logic.

hitlimit({
  limit: 100,
  window: '1m',
  skip: (req) => {
    // Skip health checks
    if (req.path === '/health') return true;

    // Skip admin users
    if (req.user?.role === 'admin') return true;

    // Skip internal requests
    if (req.headers['x-internal'] === 'true') return true;

    return false;
  }
})