Newnessimworks.com

Rate limiting

Constraining how many requests a client can make in a given window — prevents abuse and protects backend capacity.

Definition

In long form.

Common rate-limiting strategies: token bucket (steady refill rate, allows bursts), leaky bucket (constant drain rate), fixed window counter (simple but bursty at boundaries), sliding window log (accurate but expensive). Rate limits are usually applied per-IP, per-API-key, or per-user, and communicated to clients via X-RateLimit-* headers and HTTP 429 responses. Edge implementations (Cloudflare rules, Vercel firewall) handle abuse before it reaches the origin.

In context

On any public API or contact form, we add rate limiting at the edge, usually 10 requests per IP per minute on form endpoints and much higher for read APIs. Without it, the form is hammered by spam bots within hours.
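
The boundary burst of the fixed window counter mentioned in the definition, compared with the sliding window log and the token bucket at the 10-requests-per-minute form limit. This is an added example, not code from this site; the function names, the in-memory Map store, the injected clock and the documentation IP address are assumptions made for illustration.

```javascript
// Added example: per-client limiters with an injected clock (milliseconds).
// LIMIT and WINDOW_MS mirror the page's "10 requests per IP per minute".
const LIMIT = 10, WINDOW_MS = 60000;

// Fixed window counter: one counter per client per clock-aligned window.
function fixedWindow(limit = LIMIT, windowMs = WINDOW_MS) {
  const counters = new Map(); // key -> { windowStart, count }
  return (key, now) => {
    const windowStart = Math.floor(now / windowMs) * windowMs;
    let c = counters.get(key);
    if (!c || c.windowStart !== windowStart) counters.set(key, (c = { windowStart, count: 0 }));
    if (c.count >= limit) return false; // caller answers HTTP 429
    c.count++;
    return true;
  };
}

// Sliding window log: remember when each admitted request arrived.
function slidingLog(limit = LIMIT, windowMs = WINDOW_MS) {
  const logs = new Map(); // key -> timestamps of admitted requests
  return (key, now) => {
    const log = (logs.get(key) || []).filter((t) => t > now - windowMs);
    const ok = log.length < limit;
    if (ok) log.push(now);
    logs.set(key, log); // memory grows with the limit: "accurate but expensive"
    return ok;
  };
}

// Token bucket: burst capacity of `limit`, refilled at limit/windowMs tokens per ms.
function tokenBucket(limit = LIMIT, windowMs = WINDOW_MS) {
  const buckets = new Map(); // key -> { tokens, last }
  return (key, now) => {
    const b = buckets.get(key) || { tokens: limit, last: now };
    b.tokens = Math.min(limit, b.tokens + ((now - b.last) * limit) / windowMs);
    b.last = now;
    buckets.set(key, b);
    if (b.tokens < 1) return false;
    b.tokens -= 1;
    return true;
  };
}

// Constructed traffic: 10 requests just before the 60 s boundary, 10 just after.
function replay(limiter, key = "203.0.113.7") {
  const times = [59000, 60000].flatMap((base) => Array.from({ length: 10 }, (_, i) => base + i * 10));
  return times.filter((t) => limiter(key, t)).length; // number of admitted requests
}
```

`replay(fixedWindow())` returns 20, twice the intended limit in just over one second, while `replay(slidingLog())` and `replay(tokenBucket())` both return 10.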
