[{"data":1,"prerenderedAt":232},["ShallowReactive",2],{"blog-vulnerabilities/missing-rate-limiting":3},{"id":4,"title":5,"body":6,"category":211,"date":212,"dateModified":213,"description":214,"draft":215,"extension":216,"faq":217,"featured":215,"headerVariant":218,"image":217,"keywords":217,"meta":219,"navigation":220,"ogDescription":221,"ogTitle":217,"path":222,"readTime":223,"schemaOrg":224,"schemaType":225,"seo":226,"sitemap":227,"stem":228,"tags":229,"twitterCard":230,"__hash__":231},"blog/blog/vulnerabilities/missing-rate-limiting.md","Missing Rate Limiting Explained",{"type":7,"value":8,"toc":201},"minimark",[9,16,21,24,29,64,68,135,139,154,170,189],[10,11,12],"tldr",{},[13,14,15],"p",{},"Rate limiting restricts how many requests a user can make in a time period. Without it, attackers can brute force passwords, enumerate users, scrape your data, or overwhelm your servers. Add rate limits to login endpoints, API routes, and any expensive operations.",[17,18,20],"h2",{"id":19},"why-rate-limiting-matters","Why Rate Limiting Matters",[13,22,23],{},"Vibe-coded apps often skip rate limiting because it seems like an optimization, not a security feature. But without limits, your app is vulnerable to automated attacks that would be impractical with proper throttling.",[25,26,28],"h3",{"id":27},"what-attackers-can-do","What Attackers Can Do",[30,31,32,40,46,52,58],"ul",{},[33,34,35,39],"li",{},[36,37,38],"strong",{},"Brute force:"," Try thousands of passwords per second",[33,41,42,45],{},[36,43,44],{},"Credential stuffing:"," Test leaked password databases",[33,47,48,51],{},[36,49,50],{},"User enumeration:"," Discover valid usernames",[33,53,54,57],{},[36,55,56],{},"Data scraping:"," Extract your entire database",[33,59,60,63],{},[36,61,62],{},"DoS:"," Exhaust your server resources or API quotas",[17,65,67],{"id":66},"recommended-rate-limits","Recommended Rate Limits",[69,70,71,87],"table",{},[72,73,74],"thead",{},[75,76,77,81,84],"tr",{},[78,79,80],"th",{},"Endpoint",[78,82,83],{},"Limit",[78,85,86],{},"Why",[88,89,90,102,113,124],"tbody",{},[75,91,92,96,99],{},[93,94,95],"td",{},"Login",[93,97,98],{},"5 per minute per IP",[93,100,101],{},"Prevents brute force",[75,103,104,107,110],{},[93,105,106],{},"Password reset",[93,108,109],{},"3 per hour per email",[93,111,112],{},"Prevents enumeration",[75,114,115,118,121],{},[93,116,117],{},"API (authenticated)",[93,119,120],{},"100 per minute per user",[93,122,123],{},"Fair usage",[75,125,126,129,132],{},[93,127,128],{},"API (public)",[93,130,131],{},"20 per minute per IP",[93,133,134],{},"Prevents scraping",[17,136,138],{"id":137},"implementation-example","Implementation Example",[140,141,143],"code-block",{"label":142},"Express rate limiting with express-rate-limit",[144,145,150],"pre",{"className":146,"code":148,"language":149},[147],"language-text","import express from 'express';\nimport rateLimit from 'express-rate-limit';\n\nconst app = express();\n\n// Placeholder login handler; replace with your real one\nconst handleLogin = (req, res) => res.json({ ok: true });\n\n// General API limit: 100 requests per client per minute\nconst apiLimiter = rateLimit({\n  windowMs: 60 * 1000, // 1 minute\n  max: 100,\n  message: { error: 'Too many requests' }\n});\n\n// Strict limit for login: 5 attempts per client per minute\nconst loginLimiter = rateLimit({\n  windowMs: 60 * 1000,\n  max: 5,\n  message: { error: 'Too many login attempts' }\n});\n\n// Apply the general limiter to all API routes, then the strict one to login\napp.use('/api/', apiLimiter);\napp.post('/api/login', loginLimiter, handleLogin);\n","text",[151,152,148],"code",{"__ignoreMap":153},"",[155,156,157,164],"faq-section",{},[158,159,161],"faq-item",{"question":160},"Should I rate limit by IP or by user?",[13,162,163],{},"Both. Use IP-based limits for unauthenticated endpoints and user-based limits for authenticated ones. Consider that attackers can use many IPs, so also implement account-level lockouts.",[158,165,167],{"question":166},"What about serverless functions?",[13,168,169],{},"Serverless platforms often have built-in rate limiting. Check your provider's docs. For Vercel, use their edge middleware or a service like Upstash Redis for distributed rate limiting.",[171,172,173,179,184],"related-articles",{},[174,175],"related-card",{"description":176,"href":177,"title":178},"Auth security overview","/blog/vulnerabilities/broken-auth","Broken Authentication",[174,180],{"description":181,"href":182,"title":183},"Implementation guide","/blog/how-to/implement-rate-limiting","Add Rate Limiting",[174,185],{"description":186,"href":187,"title":188},"Another resource exhaustion","/blog/vulnerabilities/regex-dos","ReDoS Attacks",[190,191,194,198],"cta-box",{"href":192,"label":193},"/","Start Free Scan",[17,195,197],{"id":196},"test-your-rate-limits","Test Your Rate Limits",[13,199,200],{},"Our scanner checks if your endpoints have rate limiting.",{"title":153,"searchDepth":202,"depth":202,"links":203},2,[204,208,209,210],{"id":19,"depth":202,"text":20,"children":205},[206],{"id":27,"depth":207,"text":28},3,{"id":66,"depth":202,"text":67},{"id":137,"depth":202,"text":138},{"id":196,"depth":202,"text":197},"vulnerabilities","2026-01-22","2026-01-29","Without rate limiting, attackers can brute force passwords, scrape data, or DoS your app. Learn how to implement rate limiting in your API and authentication.",false,"md",null,"red",{"noindex":220},true,"Learn why rate limiting matters and how to implement it properly.","/blog/vulnerabilities/missing-rate-limiting","5 min read","[object Object]","TechArticle",{"title":5,"description":214},{"loc":222},"blog/vulnerabilities/missing-rate-limiting",[],"summary_large_image","Qal355lKoOIOgmPmipXFNORt-3OmVjv3ohN-reSViPg",1775843926421]