Implement Rate Limiting

Why this matters

Without rate limiting, your API endpoints accept unlimited requests from any source. This creates multiple attack vectors:

• Denial of Service: a single attacker sends enough requests to exhaust your server's CPU, memory, or database connections, making the service unavailable for all users
• Brute-force attacks: an attacker tries thousands of password combinations against your login endpoint
• Data scraping: a bot downloads your entire dataset by paginating through your API at maximum speed
• Cost exhaustion: if you use usage-based pricing (AI APIs, SMS, email), an attacker can run up your bill

Rate limiting doesn't prevent all abuse, but it puts a ceiling on the damage any single actor can cause. It is a fundamental security control that every public API needs.

The rule

Apply rate limiting to every public-facing endpoint. Use different limits for different endpoint types: authentication endpoints should have strict limits (5-10 requests per minute), data APIs should have moderate limits (100-1000 per minute), and read-heavy endpoints can be more generous.

Bad example

// BAD: no rate limiting — unlimited login attempts
export async function POST(request: Request) {
  const { email, password } = await request.json();
 
  const user = await db.user.findUnique({ where: { email } });
  if (!user || !await bcrypt.compare(password, user.passwordHash)) {
    return Response.json({ error: "Invalid credentials" }, { status: 401 });
  }
 
  const token = await createSession(user.id);
  return Response.json({ token });
}

Good example

import { Ratelimit } from "@upstash/ratelimit";
import { Redis } from "@upstash/redis";
 
const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(5, "1 m"), // 5 requests per minute
  analytics: true,
});
 
export async function POST(request: Request) {
  // Rate limit by IP address
  const ip = request.headers.get("x-forwarded-for") ?? "127.0.0.1";
  const { success, limit, remaining, reset } = await ratelimit.limit(ip);
 
  if (!success) {
    return Response.json(
      { error: "Too many requests. Try again later." },
      {
        status: 429,
        headers: {
          "X-RateLimit-Limit": limit.toString(),
          "X-RateLimit-Remaining": remaining.toString(),
          "X-RateLimit-Reset": reset.toString(),
        },
      }
    );
  }
 
  const { email, password } = await request.json();
 
  const user = await db.user.findUnique({ where: { email } });
  if (!user || !await bcrypt.compare(password, user.passwordHash)) {
    return Response.json({ error: "Invalid credentials" }, { status: 401 });
  }
 
  const token = await createSession(user.id);
  return Response.json({ token });
}

How to detect

Check if your API routes have rate limiting middleware:

grep -rn "ratelimit\|rate.limit\|rateLimiter" --include="*.ts" app/api/

If no results, your API likely has no rate limiting.

Remediation

1. Choose a rate limiting library: Upstash Ratelimit (serverless), express-rate-limit (Express), or build your own with Redis
2. Define rate limits per endpoint type: strict for auth (5/min), moderate for writes (30/min), generous for reads (200/min)
3. Identify the client: use IP address, API key, or authenticated user ID
4. Return 429 status code with Retry-After and X-RateLimit-* headers
5. Monitor rate limit hits to detect attacks and adjust limits

References

• OWASP Rate Limiting
• Upstash Ratelimit
• RFC 6585: 429 Too Many Requests