I was reading thoughtbot’s guides just before joining thoughtbot when I noticed the security page was missing a section about rate-limiting.
People reading this guide might feel like they have a pretty secure application after reading the guide.
But those applications could be vulnerable to:
Rate-limiting limits those kinds of attacks by limiting the number of requests per time frame that clients make to a set of endpoints.
It can be:
Real users can be blocked and need to wait before retrying.
Also having a proper error message to indicate to the user that they can retry in X minutes/hours helps keep users not frustrated.
You can find the result as of the time of writing on github.com/thoughtbot/guides/security/application.md#rate-limiting.
An attacker could try many passwords, OTP codes, emails, or any kind of input to compromise your system.
An attacker could also request slow endpoints of your application to make it use its limited-resources.
Tools like rack-attack can help you minimize this attack surface.