Apply rate limiting to all public-facing API endpoints. Without rate limits, a single attacker can overwhelm your server, exhaust your database connections, or brute-force authentication — taking down the service for all users.
Why This Matters
Without rate limiting, your API has no defense against volume-based attacks. A single script can send thousands of requests per second, exhausting database connections, consuming server CPU, and blocking legitimate users. Brute-force attacks against login endpoints can try millions of passwords. Scraping bots can download your entire dataset. Rate limiting is the minimum viable protection against these attacks.
Without rate limiting, your API endpoints accept unlimited requests from any source. This creates multiple attack vectors:
Denial of Service: a single attacker sends enough requests to exhaust your server's CPU, memory, or database connections, making the service unavailable for all users
Brute-force attacks: an attacker tries thousands of password combinations against your login endpoint
Data scraping: a bot downloads your entire dataset by paginating through your API at maximum speed
Cost exhaustion: if you use usage-based pricing (AI APIs, SMS, email), an attacker can run up your bill
Rate limiting doesn't prevent all abuse, but it puts a ceiling on the damage any single actor can cause. It is a fundamental security control that every public API needs.
The rule
Apply rate limiting to every public-facing endpoint. Use different limits for different endpoint types: authentication endpoints should have strict limits (5-10 requests per minute), data APIs should have moderate limits (100-1000 per minute), and read-heavy endpoints can be more generous.