fixed limiter

backend/server.js

@@ -1,29 +1,33 @@
 import express from "express";
-import cors from "cors";
-import apiRouter from "./routes/api.js";
-
 const app = express();
 const port = 7001;
-import rateLimit from "express-rate-limit";
+
+import cors from "cors";
+import apiRouter from "./routes/api.js";
+import { rateLimit } from "express-rate-limit";
+
+app.set("trust proxy", 1); // Required when running behind a proxy (e.g. Docker/NGINX) so rate-limit can read X-Forwarded-For.
+
+const limits = {
+  time: 1, // = 1 minute
+  requests: 10, // = maximum 10 requests
+};
+
+const limiter = rateLimit({
+  windowMs: limits.time * 60 * 1000,
+  limit: limits.requests,
+  standardHeaders: "draft-8", // draft-6: `RateLimit-*` headers; draft-7 & draft-8: combined `RateLimit` header
+  legacyHeaders: false, // Disable the `X-RateLimit-*` headers.
+  ipv6Subnet: 56, // Set to 60 or 64 to be less aggressive, or 52 or 48 to be more aggressive
+});
+
+app.use(limiter);
 
 app.use(cors());
 app.use(express.urlencoded({ extended: true }));
 app.set("view engine", "ejs");
 app.use(express.json());
-
-const limits = {
-  time: 1, // = 1 minute
-  requests: 10,
-  message: "Too many requests from this IP, please try again in 15 minutes",
-};
-
-const limiter = rateLimit({
-  windowMs: limits.time * 60 * 1000,
-  max: limits.requests,
-  message: limits.message,
-});
-
-app.use(limiter);
+app.use("/api", apiRouter);
 
 app.get("/", (req, res) => {
   res.render("index.ejs", { title: port });