
Why you need rate limiting and how to add it in 10 minutes

Mar 13, 2026·5 min read

If your API routes have no rate limit, someone with a loop and an hour to spare can: enumerate valid email addresses by watching which login attempts return "wrong password" vs "user not found," brute force your login endpoint, drain your AI API credits, and knock your app offline by flooding it with requests.

None of this requires sophisticated tooling.

Adding rate limiting in Next.js

Install @upstash/ratelimit and @upstash/redis (or use Vercel KV):

npm install @upstash/ratelimit @upstash/redis

Add a rate limit check to your API routes:

import { Ratelimit } from "@upstash/ratelimit";
import { Redis } from "@upstash/redis";

// 10 requests per client per sliding one-minute window. State lives in Redis,
// so the limit holds across every serverless instance serving the route.
const ratelimit = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(10, "1 m"),
});

export async function POST(req) {
  // X-Forwarded-For is a comma-separated list, so key on one address rather
  // than the whole header. Trust it only when your own proxy sets it: a client
  // can send any value it likes.
  const forwarded = req.headers.get("x-forwarded-for");
  const ip = forwarded?.split(",")[0].trim() || "127.0.0.1";
  const { success, reset } = await ratelimit.limit(ip);

  if (!success) {
    // `reset` is the Unix time (ms) at which capacity returns; tell well-behaved
    // clients how long to wait.
    const retryAfter = Math.max(0, Math.ceil((reset - Date.now()) / 1000));
    return Response.json(
      { error: "Too many requests" },
      { status: 429, headers: { "Retry-After": String(retryAfter) } }
    );
  }

  // your handler logic
}

What to rate limit

  • Login and signup routes — protect against brute force
  • Password reset — protect against account enumeration
  • Any route that calls external APIs — protect against credit drain
  • Any route that sends emails or SMS — protect against spam

10 minutes to add, significant protection.
