Missing Rate Limiting

API routes with no rate limiter

Severity: warning · Tags: Security, rate-limiting

Why this matters

Without rate limiting, a single attacker can brute-force passwords, scrape your data, or run up your cloud bill. AI tools never add rate limiting unless you ask.

Bad
// Vulnerable as intended: every caller gets unlimited attempts against
// authenticate() (the app's own login helper, defined elsewhere), so
// credential stuffing and password brute force are never throttled.
export async function POST(req: Request) {
  const { email, password } = await req.json();
  const user = await authenticate(email, password);
  return Response.json({ token: user.token });
}
Good
import { Ratelimit } from "@upstash/ratelimit";
import { Redis } from "@upstash/redis";

// 5 requests per client per sliding 60-second window. The counter lives in
// Redis so the limit holds across serverless instances, not just one process.
const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(5, "60 s"),
});

export async function POST(req: Request) {
  // Key the limit on the client IP. x-forwarded-for may be a comma-separated
  // chain; the first entry is the client. Only trust it when your own proxy
  // sets it, and fall back to a shared key rather than an empty string.
  const ip =
    req.headers.get("x-forwarded-for")?.split(",")[0].trim() || "unknown";
  const { success } = await ratelimit.limit(ip);
  if (!success) {
    return new Response("Too many requests", { status: 429 });
  }
  const { email, password } = await req.json();
  const user = await authenticate(email, password);
  return Response.json({ token: user.token });
}

How to fix

Add rate limiting to all public API routes, especially auth endpoints. Use Upstash, Redis, or an in-memory store. Apply stricter limits to sensitive endpoints.
