Billexa — The Rise of a Secure Indian Billing SaaS
Complete Documentary v4.0
31 May 2026
Made in India 🇮🇳
🎬 Cinematic Edition
💥 Before Billexa — The Struggle
Billexa wasn't built for corporations first… It was built for small businesses trying to survive digitally.
— The Vision
- 📝 Local shopkeepers were still using handwritten bills
- 🧾 GST confusion — Nobody knew how to calculate CGST/SGST
- 📉 Inventory loss — No tracking of stock
- 💸 Expensive software — Small businesses couldn't afford ₹10,000+ SaaS tools
India has 6.3 crore small businesses. Most still use notebooks and calculators. The digital divide was real — and it hurt.
🧑‍💻 Founder Journey — Alone But Not Broken
- 2023: First laptop. ₹35,000. Second-hand. But it worked.
- 2023: First coding error. 4 hours to fix a comma.
- 2024: Sleepless nights. Coffee, terminal, Stack Overflow.
- 2025: Building alone. No team. No investors. Just vision.
"Every line of code was written after midnight. This wasn't a job — it was obsession."
⚔️ The Breaking Point — Failure is Not Final
- 🔥 Server crash #1: No backup. Lost 2 weeks of data.
- 🐛 Bug in production: GST failed. 47 angry users. Fixed at 2:17 AM.
- 🗄️ MongoDB flood: 1000+ connections. Server died.
- 🛡️ Security attack: SQL injection attempt. Helmet.js blocked it.
Every failure taught something. Every crash made the system stronger.
Today, Billexa handles thousands of requests per day with 99.9% uptime.
📈 Growth Timeline — From Zero to Ecosystem
- 2024: 🚀 Idea started — First line of code
- 2025: ✅ Billing + Inventory — IN/OUT mode, PDF invoices
- 2025: 🤖 Telegram Bot — Remote business management
- 2026: 🛒 Marketplace — KYC, Trust Score, Orders
- 2026: 🧠 AI Assistant — Gemini + Llama
- 2026: 🔐 Backend Rate Limiting — tiers from 5 to 100 requests per window
- 2026: 💾 3-2-1 Backup — GitHub + MEGA + Local
1. Project Overview
| Field | Value |
|---|---|
| Project Name | Billexa — Smart Billing Software |
| URL | https://billexa.in |
| Owner | Shiv Kumar |
| Location | Arwar, Ajmer, Rajasthan |
| Status | 🟢 Production Active |
2. Tech Stack
| Category | Technology |
|---|---|
| Backend | Node.js + Express.js |
| Database | MongoDB Atlas |
| Hosting | Render / Ubuntu VPS |
| Storage | Cloudinary |
| Security | Helmet.js, express-rate-limit, 2FA |
| Backup | GitHub + MEGA (20GB free) |
3. Rate Limiting System — Complete Protection
Billexa implements a comprehensive multi-layered rate limiting system to prevent brute force attacks, DDoS, API abuse, and spam submissions. Rate limits are applied in order — specific routes first, global catch-all last.
| # | Limiter | Limit | Window | Routes Protected |
|---|---|---|---|---|
| 1 | 🔐 Auth Limiter | 5 requests | 15 minutes | /api/login, /api/register, /api/forgot-password, /api/reset-password, /api/verify-2fa, /api/change-password, /verify-2fa, /setup-2fa, /change-password |
| 2 | 📁 KYC Limiter | 3 requests | 1 hour | /kyc/api/submit, /api/profile/upload-photo, /api/chat/upload |
| 3 | 🎫 Support Limiter | 5 requests | 30 minutes | /api/ticket/create, /api/feedback, /support, /feedback |
| 4 | ⚠️ Delete Limiter | 2 requests | 1 hour | /api/delete-account, /delete-account |
| 5 | 🌐 API Limiter | 100 requests | 15 minutes | /api/*, /marketplace/api/*, /orders/api/* |
| 6 | 🛡️ Global Limiter | 50 requests | 15 minutes | ALL remaining routes (last line of defense) |
🎯 Key Features
- Defense in Depth: 6 layers of rate limiting — specific rules applied first, global catch-all as final defense
- IP-Based Tracking: Rate limits tracked per IP address (or X-Forwarded-For header behind proxies)
- Smart Auth: Auth limiter uses `skipSuccessfulRequests: true` — successful logins don't count toward the limit
- Static Exemption: CSS, JS, images, and other static assets are NOT rate limited
- Auto-Reset: All counters automatically reset after the time window expires
- In-Memory Only: Rate limit data stored in memory — no database writes, no permanent logging
- 429 Response: When limit exceeded, server returns HTTP 429 Too Many Requests with descriptive error message
⚙️ Implementation Details
- Package: `express-rate-limit` v7.x with production configuration
- Headers: Standard `RateLimit-*` headers enabled for debugging
- Key Generator: Custom `keyGenerator` using IP + session for authenticated users
- Order: Static files → Auth → KYC → Support → Delete → API → Global
Security Philosophy: Rate limiting is not just about preventing abuse — it's about ensuring fair access for all genuine users while protecting the platform.
— Multi-Layer Defense Strategy
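The six-tier policy above can be exercised without a server. The following is an added example, not Billexa's own code (which uses express-rate-limit): a dependency-free fixed-window limiter in Node.js that reproduces the tier order, the static-asset exemption, `skipSuccessfulRequests` on the auth tier, the in-memory counters and the 429 response with `RateLimit-*` and `Retry-After` headers. It assumes a first-match rule (the global tier only sees routes no specific tier claimed, which is how the "remaining routes" row reads), and the helpers `clientIp`, `createLimiter`, `handle`, `makeRes`, `loginHandler` and `fire`, the sample IPs and the test password are all constructed for the demo. The `trustedHops` parameter of `clientIp` is the part a practitioner should check against the deployment: with no proxy in front, `X-Forwarded-For` is client-controlled and must be ignored, otherwise every request can present a fresh address and no per-IP limit ever triggers.

```javascript
// Added example, not Billexa's code: a dependency-free fixed-window limiter
// reproducing the six tiers above. express-rate-limit option names are reused
// where they match; clientIp, handle, makeRes and fire are constructed here.
const MINUTE = 60 * 1000;
const STATIC_ASSET = /\.(css|js|png|jpe?g|svg|ico|woff2?)$/i;

// With trustedHops = 0, X-Forwarded-For is ignored: a direct client can set it
// to anything, so honouring it without a trusted proxy lets every request
// present a fresh "IP". Each trusted proxy appends one address to the header.
function clientIp(req, trustedHops = 0) {
  const xff = String(req.headers['x-forwarded-for'] || '').split(',').map(s => s.trim()).filter(Boolean);
  if (trustedHops > 0 && xff.length >= trustedHops) return xff[xff.length - trustedHops];
  return req.socket.remoteAddress;
}

function createLimiter({ name, max, windowMs, routes = null, skipSuccessfulRequests = false,
                         keyGenerator = req => clientIp(req) }) {
  const hits = new Map(); // key -> { count, resetAt }; in-memory only, as on the page
  const matches = path => routes === null ||
    routes.some(r => (r.endsWith('/*') ? path.startsWith(r.slice(0, -1)) : path === r));
  return function limiter(req, res, next) {
    // Assumption: the first matching tier owns the request, so the global tier
    // only sees routes no specific tier claimed ("remaining routes").
    if (req.limitedBy || !matches(req.path)) return next();
    req.limitedBy = name;
    const key = keyGenerator(req), now = Date.now();
    let entry = hits.get(key);
    if (!entry || entry.resetAt <= now) { // counter auto-resets after the window
      entry = { count: 0, resetAt: now + windowMs };
      hits.set(key, entry);
    }
    res.setHeader('RateLimit-Limit', String(max));
    if (entry.count >= max) {
      res.setHeader('RateLimit-Remaining', '0');
      res.setHeader('Retry-After', String(Math.ceil((entry.resetAt - now) / 1000)));
      res.statusCode = 429;
      return res.end(JSON.stringify({ error: 'Too many requests, please try again later.', limiter: name }));
    }
    entry.count += 1;
    res.setHeader('RateLimit-Remaining', String(max - entry.count));
    // skipSuccessfulRequests: uncount the request once the response finishes
    // below 400, so only failed logins accumulate against the auth tier.
    if (skipSuccessfulRequests) res.on('finish', () => { if (res.statusCode < 400) entry.count -= 1; });
    return next();
  };
}

// The six tiers in the order the page applies them: specific first, global last.
const tiers = [
  createLimiter({ name: 'auth', max: 5, windowMs: 15 * MINUTE, skipSuccessfulRequests: true,
    routes: ['/api/login', '/api/register', '/api/forgot-password', '/api/reset-password', '/api/verify-2fa',
             '/api/change-password', '/verify-2fa', '/setup-2fa', '/change-password'] }),
  createLimiter({ name: 'kyc', max: 3, windowMs: 60 * MINUTE,
    routes: ['/kyc/api/submit', '/api/profile/upload-photo', '/api/chat/upload'] }),
  createLimiter({ name: 'support', max: 5, windowMs: 30 * MINUTE,
    routes: ['/api/ticket/create', '/api/feedback', '/support', '/feedback'] }),
  createLimiter({ name: 'delete', max: 2, windowMs: 60 * MINUTE, routes: ['/api/delete-account', '/delete-account'] }),
  createLimiter({ name: 'api', max: 100, windowMs: 15 * MINUTE, routes: ['/api/*', '/marketplace/api/*', '/orders/api/*'] }),
  createLimiter({ name: 'global', max: 50, windowMs: 15 * MINUTE }),
];

// Minimal stand-in for an Express response: headers, status code and the 'finish' event.
function makeRes() {
  const onFinish = [];
  return {
    statusCode: 200, headers: {}, body: '',
    setHeader(k, v) { this.headers[k.toLowerCase()] = v; },
    on(event, fn) { if (event === 'finish') onFinish.push(fn); },
    end(body = '') { this.body = body; onFinish.forEach(fn => fn()); return this; },
  };
}

// Dispatch one request in the page's order: static assets bypass every tier,
// then the tiers run in sequence, then the route handler decides the status.
function handle(req, handler) {
  const res = makeRes();
  req.headers = req.headers || {};
  if (STATIC_ASSET.test(req.path)) { handler(req, res); return res; }
  const chain = [...tiers, handler];
  let i = 0;
  const next = () => { const fn = chain[i++]; if (fn) fn(req, res, next); };
  next();
  return res;
}

// Constructed demo handler: a login that succeeds only for one test password.
function loginHandler(req, res) {
  const ok = Boolean(req.body && req.body.password === 'correct-horse');
  res.statusCode = ok ? 200 : 401;
  res.end(ok ? '{"ok":true}' : '{"error":"invalid credentials"}');
}

// Send n requests built by reqFactory and return their status codes.
function fire(n, reqFactory, handler = loginHandler) {
  return Array.from({ length: n }, () => handle(reqFactory(), handler).statusCode);
}

// Demo: six failed logins from one constructed IP; the sixth is refused with 429.
console.log(fire(6, () => ({ path: '/api/login', socket: { remoteAddress: '203.0.113.7' }, body: { password: 'wrong' } })));
```

Run it with `node` and vary `trustedHops` in `clientIp` to see the difference between a deployment with a trusted reverse proxy and one exposed directly: in Express the equivalent switch is `app.set('trust proxy', n)`, and a limiter that reads `X-Forwarded-For` with that unset offers no protection against a client that rewrites the header per request.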
4. Features List
- ✅ IN Mode — Add products with barcode
- ✅ OUT Mode — Sell products, generate invoices
- ✅ GST toggle — CGST 9% + SGST 9% auto-calculation
- ✅ 9 Payment Methods
- ✅ Digital Signatures — Photo upload or Canvas draw
- ✅ Professional PDF invoices
- ✅ Stock tracking with low-stock alerts
- ✅ AI Assistant powered by Gemini/Llama
- ✅ 16 Telegram bot commands
- ✅ 2FA for ALL users (3 free logins, then mandatory)
- ✅ Marketplace with KYC verification and Trust Score
5. Security Measures
| Layer | Technology | Status |
|---|---|---|
| Rate Limiting | express-rate-limit (6 tiers) | ✅ Active |
| 2FA | speakeasy TOTP + QRCode | ✅ Active |
| Password Hashing | bcrypt (10 rounds) | ✅ Active |
| HTTP Headers | Helmet.js | ✅ Active |
| XSS Protection | Custom sanitizer | ✅ Active |
| Session Security | express-session with MongoDB | ✅ Active |
Note: Cloudflare was removed for simplicity. All security is now handled at the application level with full control.
6. 3-2-1 Backup Plan
| Location | Type | Schedule | Retention |
|---|---|---|---|
| GitHub Primary | Cloud (Auto) | Daily 3:00 AM | 90 days + Permanent |
| GitHub Mirror | Cloud (Auto) | Daily 3:15 AM | 90 days + Permanent |
| MEGA Cloud | Cloud (Auto) | Daily 3:15 AM | 90 days |
| Local Backup | Physical (Manual) | As needed | Permanent |
✅ 3 copies, 2 different cloud providers, 1 off-site — 3-2-1 backup rule complete!
🎬 Why Billexa Matters
Billexa wasn't built for corporations first…
It was built for small businesses trying to survive digitally.
— Made in India 🇮🇳 | 2024 → ∞
From a single laptop to a secure SaaS ecosystem — this is only the beginning.
🎬 Cinematic Documentary v4.0