🩹Vibe Code Fix

Rate Limit

A rate limit is a cap on how many times a given client can hit an endpoint within a time window — say, 100 requests per minute per IP. Without one, a single bored person with a loop can empty your OpenAI budget, exhaust your database connection pool, or brute-force a login.

AI assistants almost never add rate limits unless you explicitly ask. The assistant writes the happy path: receive request, do work, return response. It doesn't think about abuse.

The fix depends on your stack. On Cloudflare, rate limits are a feature you enable in the dashboard. On a raw Node server, you use middleware like `express-rate-limit`. On Next.js routes, you can lean on the platform (Vercel/Cloudflare) or do it in the handler yourself with a shared counter.

The important thing is to pick a number that real users won't hit but scripts will. For a contact form, 5 per minute is plenty. For a search endpoint, maybe 60. Log 429 responses so you can see when the limit fires and adjust.

Rate limiting is on our checklist under edge cases because it's cheap to add and expensive to skip.
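As an added example (not code from this page or from Vibe Code Fix), here is the "do it in the handler yourself with a shared counter" option: a fixed-window limiter keyed by client IP, a 429 with `Retry-After`, and a log line for each refusal so the number can be tuned. The names `createRateLimiter`, `clientKey` and `rateLimitMiddleware` are chosen here, and the in-memory Map assumes a single process; with several instances swap it for a shared store or the platform's own limiter.

```javascript
// Added example, not code from the Vibe Code Fix page: a fixed-window rate limiter
// for an Express or Next.js API route, using an in-memory Map as the "shared
// counter" (assumption: one process; several instances need a shared store).
function createRateLimiter({ limit = 5, windowMs = 60_000, now = Date.now } = {}) {
  const buckets = new Map(); // key -> { count, resetAt }; evict stale keys in prod

  // Decide one request. `key` is normally the client IP.
  function check(key) {
    const t = now();
    let b = buckets.get(key);
    if (!b || t >= b.resetAt) {
      b = { count: 0, resetAt: t + windowMs }; // start a fresh window
      buckets.set(key, b);
    }
    b.count += 1;
    const allowed = b.count <= limit;
    return {
      allowed,
      remaining: Math.max(0, limit - b.count),
      retryAfterSec: allowed ? 0 : Math.ceil((b.resetAt - t) / 1000),
    };
  }
  return { check };
}

// Key by client IP. X-Forwarded-For is client-controlled unless a proxy you run
// sets it; even then use the rightmost entry, the one your proxy appended.
function clientKey(req, { behindTrustedProxy = false } = {}) {
  const xff = req.headers && req.headers['x-forwarded-for'];
  if (behindTrustedProxy && typeof xff === 'string' && xff.trim() !== '') {
    return xff.split(',').pop().trim();
  }
  return (req.socket && req.socket.remoteAddress) || 'unknown';
}

// Middleware: 429 with Retry-After, plus a log line per refusal so you can see
// how often the limit fires and tune the number.
function rateLimitMiddleware(limiter, opts) {
  return (req, res, next) => {
    const key = clientKey(req, opts);
    const d = limiter.check(key);
    res.setHeader('X-RateLimit-Remaining', String(d.remaining));
    if (!d.allowed) {
      console.warn(`429 rate_limit key=${key} retry_after=${d.retryAfterSec}s`);
      res.setHeader('Retry-After', String(d.retryAfterSec));
      return res.status(429).json({ error: 'Too many requests' });
    }
    return next();
  };
}
```

Wire it as `app.post('/contact', rateLimitMiddleware(createRateLimiter({ limit: 5 })), handler)`; the `now` option exists so the window can be driven by a fake clock in tests.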

