Cap how often someone can hit your app - shippingszn launch readiness
Rate limiting puts a maximum on how many requests one person (or one IP address) can make in a given window — say, 60 requests a minute. Without it, a single bot can hammer your backend until it falls over, run up your AI bill, or brute-force passwords until something works.
Without rate limits you are one bad actor away from a $10,000 OpenAI bill, a crashed server, or a leaked password. Rate limits are cheap to add and save you from a long list of nightmares.
The shippingszn CLI includes automated checks for this launch-readiness control.
The Launch Fix Kit keeps scan-specific findings, file and line evidence, AI-builder punch-list tasks, and verification steps tied to the paid report.
- Add rate limiting to every public-facing endpoint.
- Use stricter limits on the sensitive ones: login (5 per 15 minutes), signup (3 per hour), password reset (3 per hour), AI calls (whatever fits your budget).
- Return a clear "you're going too fast, try again in X seconds" message — don't just silently fail.
- Watch for repeated rate-limit hits — they're usually attacks. Have alerts set up for spikes.
- Ask your AI builder: "add per-IP rate limiting to all my endpoints with stricter limits on login, signup, and password reset."
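As an added illustration (not shippingszn's scanner or any code from the page), here is a minimal per-IP sliding-window limiter in Python that applies the stricter login/signup/reset limits from the checklist, answers with a 429 and a Retry-After value instead of failing silently, and flags an IP whose rejections spike. The alert threshold (20 rejections in a minute) and the route paths are assumed values, not figures from the page.

```python
import time
from collections import defaultdict, deque

# Per-route policies as (max requests, window in seconds). The sensitive-route
# limits are the ones from the checklist; everything else gets 60 per minute.
POLICIES = {
    "/login": (5, 15 * 60),            # 5 per 15 minutes
    "/signup": (3, 60 * 60),           # 3 per hour
    "/password-reset": (3, 60 * 60),   # 3 per hour
}
DEFAULT_POLICY = (60, 60)

# Assumed alerting rule: this many rejections from one IP within the window
# should raise an alert, since repeated rate-limit hits are usually an attack.
ALERT_THRESHOLD = 20
ALERT_WINDOW = 60

class RateLimiter:
    """Sliding-window per-IP limiter. State is in-process only; a deployment
    with several app instances would keep these counters in a shared store."""
    def __init__(self):
        self.hits = defaultdict(deque)        # (ip, route) -> request timestamps
        self.rejections = defaultdict(deque)  # ip -> rejection timestamps

    def check(self, ip, route, now=None):
        """Return (allowed, retry_after_seconds, alert)."""
        now = time.time() if now is None else now
        limit, window = POLICIES.get(route, DEFAULT_POLICY)
        q = self.hits[(ip, route)]
        while q and q[0] <= now - window:      # drop requests outside the window
            q.popleft()
        if len(q) < limit:
            q.append(now)
            return True, 0, False
        # The oldest request still in the window decides when the client may retry.
        retry_after = int(q[0] + window - now) + 1
        rej = self.rejections[ip]
        rej.append(now)
        while rej and rej[0] <= now - ALERT_WINDOW:
            rej.popleft()
        return False, retry_after, len(rej) >= ALERT_THRESHOLD

def respond(limiter, ip, route, now=None):
    """Build an HTTP-style (status, headers, body) tuple for one request."""
    allowed, retry_after, _alert = limiter.check(ip, route, now)
    if allowed:
        return 200, {}, "ok"
    headers = {"Retry-After": str(retry_after)}
    body = f"You're going too fast, try again in {retry_after} seconds"
    return 429, headers, body
```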
Canonical URL: https://shippingszn.com/i/rate-limiting/