Rate Limiting
Controls on how many requests a client can make to an API or endpoint within a time window, preventing abuse and denial-of-service.
In detail
Rate limiting is a server-side control that caps the number of requests from a given client (by IP, API key, user account or other identifier) within a sliding or fixed time window. When the limit is exceeded, the server returns a 429 Too Many Requests response. Rate limiting defends against brute-force attacks (password guessing, OTP enumeration), API abuse, denial-of-service from a single source, and unintentional traffic spikes from misbehaving clients. It is typically implemented at the API gateway, load balancer or application middleware layer. Tools like Upstash Rate Limit, Cloudflare WAF and Express-rate-limit make it accessible to smaller applications.
Why it matters for Australian business
Rate limiting is consistently absent from vibe-coded Australian apps. Without it, a login endpoint can be brute-forced, an AI inference endpoint can be abused to run up API costs, and a form submission endpoint can be used to spam contacts. Veracode's 2025 GenAI Code Security Report lists rate limiting as one of the most frequently missing controls in AI-generated code. We implement it on every API endpoint that accepts unauthenticated or user-controlled input.