Interlace ESLint
ESLint Interlace
NestJSRules

require-throttler

This rule detects NestJS controllers and route handlers that lack rate limiting, which can make the application vulnerable to brute-force and denial-of-service

Require ThrottlerGuard or @Throttle decorator for rate limiting

Rule Details

This rule detects NestJS controllers and route handlers that lack rate limiting, which can make the application vulnerable to brute-force and denial-of-service attacks.

OWASP Mapping

  • OWASP Top 10 2021: A05:2021 - Security Misconfiguration
  • CWE: CWE-770 - Allocation of Resources Without Limits or Throttling
  • CVSS: 7.5 (High)

❌ Incorrect

@Controller('auth')
class AuthController {
  @Post('login')
  login() {
    // No rate limiting - vulnerable to brute force!
  }
}

✅ Correct

import { Throttle, ThrottlerGuard } from '@nestjs/throttler';

@Controller('auth')
@UseGuards(ThrottlerGuard)
class AuthController {
  @Post('login')
  @Throttle({ default: { limit: 5, ttl: 60000 } }) // 5 attempts per minute
  login() {}
}

// Or in app.module.ts (global)
@Module({
  imports: [ThrottlerModule.forRoot([{ ttl: 60000, limit: 10 }])],
})
export class AppModule {}

Options

{
  // Skip rule in test files (default: true)
  allowInTests?: boolean;

  // Skip if global throttler configured in app.module (default: false)
  assumeGlobalThrottler?: boolean;
}

Recognized Skip Decorators

  • @SkipThrottle() - Built-in decorator from @nestjs/throttler

When Not To Use It

  • If you have ThrottlerModule.forRoot() in app.module.ts, set assumeGlobalThrottler: true
  • For endpoints that intentionally skip throttling, use @SkipThrottle() decorator

Known False Negatives

The following patterns are not detected due to static analysis limitations:

Global Throttler Module

Why: ThrottlerModule.forRoot in app.module is not linked to controllers.

// ❌ NOT DETECTED - Global throttler exists
// app.module.ts: imports: [ThrottlerModule.forRoot(...)]
// controller.ts: Already throttled globally, but flagged

Mitigation: Set assumeGlobalThrottler: true in rule options.

Custom Rate Limiting

Why: Custom rate limiting implementations are not recognized.

// ❌ NOT DETECTED - Custom rate limiter
@UseInterceptors(CustomRateLimiter)
class AuthController {}

Mitigation: Configure rule to recognize custom rate limiting decorators.

Infrastructure Rate Limiting

Why: Reverse proxy or API gateway limits are not visible.

// ❌ NOT DETECTED (correctly) - Kong/Nginx handles limits
@Controller('auth')
class AuthController {}

Mitigation: Document infrastructure rate limits. Add inline comment.

Dynamic Throttle Configuration

Why: Throttle options from variables are not analyzed.

// ❌ NOT DETECTED - Dynamic throttle config
const throttleConfig = getThrottleConfig();
@Throttle(throttleConfig) // May be undefined
class Controller {}

Mitigation: Use inline throttle configuration.

require-guards

The rule provides **LLM-optimized error messages** (Compact 2-line format) with actionable security guidance:

Changelog

Release history for eslint-plugin-nestjs-security

On this page

Rule DetailsOWASP Mapping❌ Incorrect✅ CorrectOptionsRecognized Skip DecoratorsWhen Not To Use ItKnown False NegativesGlobal Throttler ModuleCustom Rate LimitingInfrastructure Rate LimitingDynamic Throttle Configuration