Adding a rate-limiting section to thoughtbot's guides

I was reading thoughtbot’s guides just before joining thoughtbot when I noticed the security page was missing a section about rate-limiting.

Why was this change necessary?

People reading this guide might feel like they have a pretty secure application after reading the guide.

But those applications could be vulnerable to:

How does it address the problem?

Rate-limiting limits those kinds of attacks by limiting the number of requests per time frame that clients make to a set of endpoints.

It can be:

Are there any side effects?

Real users can be blocked and need to wait before retrying.

Also having a proper error message to indicate to the user that they can retry in X minutes/hours helps keep users not frustrated.

See it live

You can find the result as of the time of writing on


An attacker could try many passwords, OTP codes, emails, or any kind of input to compromise your system.

An attacker could also request slow endpoints of your application to make it use its limited-resources.

Tools like rack-attack can help you minimize this attack surface.