C4. Reduce spam and abuse
What this page helps you do
Add basic abuse protection to routes that can be spammed.
Why it matters
Abuse often shows up first as a cost spike, alert noise, or odd traffic patterns rather than as an obvious attack.
You should already have
- public forms, signups, login routes, or API endpoints
Skip this page if
- the app is fully private and not internet-exposed
What to do
- identify high-risk routes: anything that is cheap to call but expensive to serve, sends email or messages, or touches authentication
- add request limits keyed by route and by client (IP, account, or API key), or other abuse controls such as verification steps
- pay extra attention to AI features (each request costs money), email features (they can be turned into a relay for spam), and uploads (they consume storage and processing)
Recommended default
Start with simple limits on the routes that are easiest to abuse.
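The following is an added example, not code from this guide or any project it describes. It shows the "simple limits on the easiest-to-abuse routes" approach as a sliding-window limiter keyed by route and client, with tighter budgets for login, password reset, signup, contact, and chat routes. The route names, limit values, and the FakeClock used to drive the demo are assumptions chosen for illustration; the limiter is in-memory and per-process, so it is a starting point, not a drop-in for a multi-instance deployment.

```python
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Limit:
    max_requests: int
    window_seconds: float


# Assumed per-route budgets. Tighter where a request is cheap to send but
# costly to serve or where repeated attempts enable credential attacks.
ROUTE_LIMITS = {
    "POST /login": Limit(5, 60),            # per client IP
    "login-account": Limit(10, 900),        # per target account, across IPs
    "POST /password-reset": Limit(3, 900),
    "POST /signup": Limit(3, 3600),
    "POST /contact": Limit(2, 600),
    "POST /chat": Limit(20, 60),            # AI endpoint: every call costs money
}


class SlidingWindowLimiter:
    """Allow at most max_requests per (route, client) in a trailing window.

    State lives in process memory; a shared store would be needed if the app
    runs as several instances (assumption stated in the lead-in).
    """

    def __init__(self, limits, clock=time.monotonic):
        self._limits = limits
        self._clock = clock
        self._hits = defaultdict(deque)  # (route, client) -> request timestamps

    def allow(self, route, client):
        limit = self._limits.get(route)
        if limit is None:
            return True  # route has no configured limit
        now = self._clock()
        q = self._hits[(route, client)]
        cutoff = now - limit.window_seconds
        while q and q[0] <= cutoff:  # drop hits that fell out of the window
            q.popleft()
        if len(q) >= limit.max_requests:
            return False  # over budget: caller should respond 429 and log it
        q.append(now)
        return True


def allow_login(limiter, client_ip, username):
    """Login gets two budgets: per source IP (slows password spraying) and per
    target account (slows credential stuffing that rotates IPs)."""
    if not limiter.allow("POST /login", client_ip):
        return False
    return limiter.allow("login-account", username.strip().lower())


class FakeClock:
    """Constructed clock so the demo and test run without real waiting."""

    def __init__(self, t=0.0):
        self.t = t

    def __call__(self):
        return self.t


def demo():
    clock = FakeClock()
    limiter = SlidingWindowLimiter(ROUTE_LIMITS, clock=clock)
    # Constructed traffic: one client hammering the login route.
    single_ip = [limiter.allow("POST /login", "203.0.113.7") for _ in range(6)]
    clock.t += 61  # window expires, budget refills
    after_wait = limiter.allow("POST /login", "203.0.113.7")
    # Constructed traffic: eleven IPs all targeting one account.
    rotating = [allow_login(limiter, f"198.51.100.{i}", "Alice") for i in range(11)]
    # Unlimited route is never throttled.
    homepage = all(limiter.allow("GET /", "203.0.113.7") for _ in range(100))
    return single_ip, after_wait, rotating, homepage


if __name__ == "__main__":
    for label, value in zip(("single_ip", "after_wait", "rotating", "homepage"), demo()):
        print(label, value)
```

The client key matters as much as the numbers: when the app sits behind a reverse proxy, derive the IP from a forwarded header only if that header is set by your own proxy, otherwise a sender can choose its own key. Log denials, since a run of 429s on a password reset or chat route is exactly the "weird traffic pattern" this page is about.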
Common mistakes
- protecting the homepage but not the expensive endpoints
- forgetting password reset and signup routes
- ignoring usage costs in AI apps
Next step
Go to C5. Keep dependencies updated.
Related pages
Advanced notes
TODO for contributors: add beginner-friendly examples of rate limiting for login, chat, and contact forms.