rack-attack

Rate limiting is both a security control and an availability control. I use it to slow credential stuffing, login brute force, and noisy scraping without punishing normal use. The trick is keying limits on the right dimensions and emitting metrics so