What is Rate Limiting?
Restricting how many requests a user or IP address can make to your API in a given time period, preventing abuse and protecting resources.
In plain English
Like a store that limits one item per customer during a sale. Without rate limiting, one person can take everything. With it, everyone gets fair access and the store doesn't run out of stock.
Why it matters
Without rate limiting, an attacker can brute-force passwords by trying thousands per second, scrape all your data, trigger expensive operations that drive up your hosting bill, or simply overwhelm your server (denial of service). Rate limiting is one of the cheapest and most effective security measures you can add.
What to rate limit
Typical limits by endpoint type:
- Authentication endpoints (login, signup, password reset): strict limits (5-10 per minute).
- API endpoints: moderate limits (60-100 per minute).
- Public endpoints: generous but not unlimited (200-500 per minute).
The exact numbers depend on your legitimate usage patterns.
How to implement
For Next.js, use a library such as rate-limiter-flexible or @upstash/ratelimit (serverless-friendly). For Express, use the express-rate-limit middleware. Many hosting platforms (Vercel, Cloudflare, AWS) offer built-in rate limiting. For Supabase, rate limiting is configured per project in the dashboard.
Frequently asked questions
Can rate limiting break my app for real users?
Not if configured properly. Set limits above your legitimate usage peak. Monitor rate limit hits — if real users are being blocked, increase the limits. Use per-user limits (via user ID or API key) rather than per-IP limits for authenticated endpoints.
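The "How to implement" and per-user keying points above, as an added example that is not from the page or from any of the libraries it names: a dependency-free sliding-window limiter using the page's per-tier limits, with an Express-style middleware wrapper. The names `LIMITS`, `SlidingWindowLimiter`, `clientKey` and `rateLimit` are mine, and `req.userId` is assumed to be set by an upstream authentication step (`req.ip` is what Express provides).

```javascript
// Added example, not from the page: sliding-window limiter with the page's
// per-tier limits, keyed per user when authenticated and per IP otherwise.
// In-memory only; production would use Redis or a platform limiter instead.
const LIMITS = {       // requests per 60-second window, values from the page
  auth: 5,             // login, signup, password reset: strict
  api: 60,             // ordinary API endpoints: moderate
  public: 200,         // public endpoints: generous but not unlimited
};
const WINDOW_MS = 60_000;

class SlidingWindowLimiter {
  constructor(limits = LIMITS, windowMs = WINDOW_MS) {
    this.limits = limits;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps of requests still inside the window
  }

  // Record one request for `key` under `tier` (`now` is injectable for tests).
  // Returns { allowed, remaining, retryAfterMs }.
  check(tier, key, now = Date.now()) {
    const limit = this.limits[tier];
    if (limit === undefined) throw new Error(`unknown tier: ${tier}`);
    // Keep only timestamps that are still inside the window.
    const stamps = (this.hits.get(key) || []).filter((t) => now - t < this.windowMs);
    if (stamps.length >= limit) {
      this.hits.set(key, stamps);
      // Capacity returns when the oldest hit leaves the window.
      return { allowed: false, remaining: 0, retryAfterMs: stamps[0] + this.windowMs - now };
    }
    stamps.push(now);
    this.hits.set(key, stamps);
    return { allowed: true, remaining: limit - stamps.length, retryAfterMs: 0 };
  }
}

// Authenticated callers are limited per user (or API key) so that many users
// behind one NAT address are not lumped together; anonymous callers per IP.
function clientKey(tier, req) {
  const who = req.userId ? `user:${req.userId}` : `ip:${req.ip}`;
  return `${tier}:${who}`;
}

// Express-style middleware factory; answers 429 with Retry-After when over limit.
function rateLimit(limiter, tier) {
  return (req, res, next) => {
    const r = limiter.check(tier, clientKey(tier, req));
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    if (r.allowed) return next();
    res.setHeader('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
    res.status(429).json({ error: 'Too many requests' });
  };
}
```

Mount it per route class, for example `app.post('/login', rateLimit(limiter, 'auth'), handler)`, and log the 429s so you can raise a limit that blocks real users, as the FAQ advises.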