We implemented rate-limiting logic to prevent abuse of APIs — especially account creation and login flows.
Strategy:
- Redis-based counters with expiration
- Hash keys per user/IP/action
- Dynamic throttling based on request behavior
Sample (Redis commands for one login attempt by user123, counted in a 60-second window):
INCR login:user123
EXPIRE login:user123 60
Simple but powerful — especially when applied defensively.
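The three strategy points above, carried through as one working limiter. This is an added example, not the author's code: it assumes a redis-py style client (only incr, expire and ttl are used) and ships with a small in-memory stand-in so it runs offline. Keys are hashed per action and subject, the window is set only on the first INCR, and repeated overruns escalate the block with a doubling penalty (one way to read "dynamic throttling"; the page does not specify the policy).

```python
import hashlib
import time


class FakeRedis:
    """In-memory stand-in for the Redis commands used below (INCR, EXPIRE, TTL).

    Constructed for this example so it runs offline. The method names match
    redis-py, so a real redis.Redis() can be passed to RateLimiter instead.
    """

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._store = {}  # key -> [counter, expires_at or None]

    def _live(self, key):
        entry = self._store.get(key)
        if entry is not None and entry[1] is not None and entry[1] <= self._clock():
            del self._store[key]  # lazy expiry, like Redis does on access
            return None
        return entry

    def incr(self, key):
        entry = self._live(key)
        if entry is None:
            entry = self._store[key] = [0, None]
        entry[0] += 1
        return entry[0]

    def expire(self, key, seconds):
        entry = self._live(key)
        if entry is None:
            return False
        entry[1] = self._clock() + seconds
        return True

    def ttl(self, key):
        entry = self._live(key)
        if entry is None:
            return -2  # Redis convention: key does not exist
        if entry[1] is None:
            return -1  # key exists but has no expiry
        return max(0, int(round(entry[1] - self._clock())))


class RateLimiter:
    """Fixed-window counter per (action, subject) with escalating penalties."""

    def __init__(self, redis, limit, window, base_penalty=120,
                 max_penalty=3600, strike_ttl=3600):
        self.redis = redis
        self.limit = limit            # allowed requests per window
        self.window = window          # window length in seconds
        self.base_penalty = base_penalty
        self.max_penalty = max_penalty
        self.strike_ttl = strike_ttl  # how long past overruns count against a subject

    @staticmethod
    def key(action, subject):
        # Hash the subject so keys are fixed-width and raw usernames/IPs are not
        # stored verbatim in Redis. 16 hex chars is plenty for a rate-limit namespace.
        digest = hashlib.sha256(f"{action}:{subject}".encode()).hexdigest()[:16]
        return f"rl:{action}:{digest}"

    def check(self, action, subject):
        """Return (allowed, retry_after_seconds)."""
        key = self.key(action, subject)
        count = self.redis.incr(key)
        if count == 1:
            # Set the window only on the first hit. Running EXPIRE on every request
            # pushes the expiry forward each time, so a steady stream of requests
            # keeps the counter from ever clearing.
            self.redis.expire(key, self.window)
        if count <= self.limit:
            return True, 0
        # Over the limit: record a strike and extend the block. Each overrun while
        # the strike key is alive doubles the penalty, up to max_penalty.
        strike_key = key + ":strikes"
        strikes = self.redis.incr(strike_key)
        if strikes == 1:
            self.redis.expire(strike_key, self.strike_ttl)
        penalty = min(self.base_penalty * 2 ** (strikes - 1), self.max_penalty)
        self.redis.expire(key, penalty)
        return False, penalty

    def retry_after(self, action, subject):
        """Seconds until the subject's counter clears (0 if it is not set)."""
        return max(0, self.redis.ttl(self.key(action, subject)))


if __name__ == "__main__":
    limiter = RateLimiter(FakeRedis(), limit=3, window=60)
    for _ in range(5):
        print(limiter.check("login", "user123"))
```

Two caveats the bare INCR/EXPIRE pair does not cover: if the process dies between the two commands the key is left with no TTL, and the counter never resets, so in production issue them in a pipeline or a short Lua script (or use SET with NX and EX for the first hit) so the counter and its expiry land atomically. And because the window is fixed, a client can send `limit` requests at the end of one window and `limit` more at the start of the next; if that burst matters for the endpoint, a sliding-window or token-bucket variant is the usual answer.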