Rate-limit public and auth endpoints

Rate-limit public and auth endpoints | BeforeMerge Rules | BeforeMerge

Why this matters

Unthrottled endpoints let attackers brute-force passwords, enumerate accounts, and exhaust resources with high request volume. Rate limiting caps the damage per source and buys time for detection.

// Bad: no limit on login
app.post("/login", handleLogin);
 
// Good: cap attempts per window
import rateLimit from "express-rate-limit";
const loginLimiter = rateLimit({ windowMs: 15 * 60_000, max: 10 });
app.post("/login", loginLimiter, handleLogin);

Why This Matters

Related Rules

Catch this automatically on every PR

Why this matters