Rate Limiting on Firebase Hosting

Firebaser here.

There is currently no way to rate-limit based on IP address with Firebase Hosting. Our CDN partner includes some built-in protection against (D)DoS attacks, but this is not presently configurable.

We find that this generally isn't a problem. If you do run into usage that you suspect is abuse, please reach out to Firebase support and we'll work with you to resolve the situation to everyone's satisfaction.

It seems to be the current rate limit is to use some middleware like express-rate-limiter. Then in your server.ts (or .js if JavaScript) file you can do as follows:

import * as express from 'express';
import * as rateLimit from 'express-rate-limit';

const server: Express = express(); 

server.set('trust proxy', 1); // Enable because the application is behind reverse proxy (Firebase).
server.use(
  rateLimit({
    max: 100, // Max 100 connections per windowMs can be done before sending HTTP 429 (Too Many Requests) response code. After 100 requests within 15 minutes block the IP.
    message:
      'This IP has been temporarily blocked due to too many requests, please try again later.',
    windowMs: 15 * 60 * 1000 // In milliseconds, keep records of requests in memory for 15 minutes.
  })
);

Alternatively, if you don't want to block the IP, rather slow it down use express-slow-down.