Security
Rate limiting
Capping how many requests someone can make in a window of time.
Rate limiting restricts how often a given user, IP, or API key can hit your app — say 100 requests a minute — and rejects the rest with a 429 'too many requests.' It's the bouncer with a clicker at the door: past capacity, you wait. It protects you from abuse, runaway scripts, brute-force login attempts, and surprise bills when each request calls a paid API like an LLM. AI-generated code almost never adds this by default, so any public endpoint — especially login, signup, or anything that costs you money per call — needs a rate limit bolted on explicitly.