High | Security | Auto-fixable

No Rate Limiting on Sensitive Endpoints

Authentication, OTP, password reset, and LLM proxy endpoints accept unlimited requests per user, enabling brute force, quota exhaustion, and runaway costs.

Typical error

Unlimited requests allowed on auth or OTP routes

What this is

Rate limiting caps how often a single actor can call a given endpoint in a time window. Without it, a single script can:

  • Brute force passwords or one-time codes
  • Exhaust LLM API quotas in minutes
  • Run up cloud egress or payment provider charges
  • Scrape paginated data faster than your database can serve it

89% of scanned AI-built apps had no rate limiting on any endpoint.

Why AI tools ship this

Rate limiting requires either middleware, a shared store (Redis, a database table), or a hosted service. AI tools generate the route handler and move on.

How to detect

Search the codebase for any of: rate-limit, ratelimit, upstash, @vercel/kv, or middleware that throttles requests.

grep -rE "(rate[_-]?limit|throttl)" --include="*.ts" --include="*.tsx" .

No hits on auth, password-reset, or LLM routes means you are unprotected.

How to fix

For serverless Next.js, the standard pattern uses Upstash Redis:

import { Ratelimit } from '@upstash/ratelimit'
import { Redis } from '@upstash/redis'

// A shared store (Redis) is required so the limit holds across serverless
// instances. Sliding window: at most 5 requests per identifier per minute.
const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(5, '1 m'),
})

export async function POST(req: Request) {
  // X-Forwarded-For can be a list ("client, proxy1, proxy2"); the first entry
  // is the client. Trust the header only when a proxy you control sets it.
  // For authenticated routes, key on the user id instead of the IP.
  const ip = req.headers.get('x-forwarded-for')?.split(',')[0]?.trim() || 'unknown'
  const { success, limit, remaining, reset } = await ratelimit.limit(ip)

  if (!success) {
    return new Response('Too many requests', {
      status: 429,
      headers: {
        'X-RateLimit-Limit': String(limit),
        'X-RateLimit-Remaining': String(remaining),
        'X-RateLimit-Reset': String(reset),
      },
    })
  }

  // handle the request; a route handler must return a Response
  return Response.json({ ok: true })
}

Baseline policy by endpoint type:

Endpoint                  Limit
Login, signup             10 req/min per IP
Password reset, OTP       5 req/min per IP
Authenticated write API   30 req/min per user
LLM proxy                 20 req/min per user
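As an added example (not FinishKit's or Upstash's code): a self-contained TypeScript sliding-window-log limiter that applies the baseline table above per route, keyed by IP or by user as the table prescribes, and returns the same X-RateLimit headers as the handler shown earlier. The route names and the in-memory store are assumptions for local testing; production keeps the counters in a shared store such as Redis.

```typescript
type Policy = { tokens: number; windowMs: number; keyBy: 'ip' | 'user' }

// Baseline policy from the table above; the route names are assumed.
export const POLICIES: Record<string, Policy> = {
  'POST /api/login': { tokens: 10, windowMs: 60_000, keyBy: 'ip' },
  'POST /api/otp': { tokens: 5, windowMs: 60_000, keyBy: 'ip' },
  'POST /api/items': { tokens: 30, windowMs: 60_000, keyBy: 'user' },
  'POST /api/llm': { tokens: 20, windowMs: 60_000, keyBy: 'user' },
}

// Sliding-window log: a request passes if fewer than `tokens` hits fall
// inside the trailing window. Per-process only (assumed for testing).
export class SlidingWindowLimiter {
  private hits = new Map<string, number[]>()
  constructor(private tokens: number, private windowMs: number) {}

  limit(id: string, now: number = Date.now()) {
    const cutoff = now - this.windowMs
    const recent = (this.hits.get(id) ?? []).filter((t) => t > cutoff)
    const success = recent.length < this.tokens
    if (success) recent.push(now)
    this.hits.set(id, recent)
    // reset: when the oldest counted hit leaves the window (ms epoch)
    const reset = (recent[0] ?? now) + this.windowMs
    return { success, limit: this.tokens, remaining: this.tokens - recent.length, reset }
  }
}

// X-Forwarded-For may read "client, proxy1, proxy2"; the first entry is the
// client. Trust the header only when a proxy you control sets it.
export function clientIp(forwardedFor: string | null): string {
  const first = forwardedFor?.split(',')[0]?.trim()
  return first || 'unknown'
}

const limiters = new Map<string, SlidingWindowLimiter>()

// Apply the route's policy; returns the status and headers the handler should send.
export function check(route: string, actor: { ip: string; userId?: string }, now = Date.now()) {
  const policy = POLICIES[route]
  if (!policy) throw new Error(`no rate-limit policy for ${route}`) // fail closed
  const key = policy.keyBy === 'user' ? actor.userId : actor.ip
  if (!key) return { status: 401, headers: {} as Record<string, string> }
  const limiter = limiters.get(route) ?? new SlidingWindowLimiter(policy.tokens, policy.windowMs)
  limiters.set(route, limiter)
  const r = limiter.limit(`${route}:${key}`, now)
  const headers: Record<string, string> = {
    'X-RateLimit-Limit': String(r.limit),
    'X-RateLimit-Remaining': String(r.remaining),
    'X-RateLimit-Reset': String(r.reset),
  }
  return { status: r.success ? 200 : 429, headers }
}
```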

Is your app affected?

FinishKit checks for this finding and 50+ more across 8 dimensions of production readiness. Free during beta.