Hacker News

dboreham, last Friday at 10:34 PM

Always consider rate limiting if you deploy a public endpoint. Always require authentication to perform resource-consuming and/or privacy-leaking requests. (Requiring authentication makes rate limiting more practical since even a distributed attacker would need many credentials, which they probably don't have.)
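
An added example, not part of the thread and not dboreham's code, showing why the limiter key matters: the same token bucket is keyed once by source IP and once by credential, then fed constructed traffic in which one credential is used from 200 addresses. The limit (1 request/s, burst 5), the request fields and the traffic are assumptions made for the demonstration, not recommended values.

```python
from collections import defaultdict

class TokenBucket:
    """Holds up to `burst` tokens, refilled at `rate` tokens per second."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.stamp = float(burst), None

    def allow(self, now):
        if self.stamp is not None:
            refill = (now - self.stamp) * self.rate
            self.tokens = min(self.burst, self.tokens + refill)
        self.stamp = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False

class KeyedLimiter:
    """One bucket per key; a request with no key (unauthenticated) is refused."""
    def __init__(self, rate, burst, key_fn):
        self.key_fn = key_fn
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def allow(self, request):
        key = self.key_fn(request)
        return key is not None and self.buckets[key].allow(request["t"])

def by_ip(request):
    return request["ip"]

def by_credential(request):
    return request.get("api_key")

def distributed_traffic(n_ips=200, per_ip=5, api_key="constructed-key-A"):
    """Constructed sample: one credential, n_ips sources, per_ip requests each in 1 s."""
    reqs = [{"ip": f"203.0.113.{i}", "api_key": api_key, "t": j / per_ip}
            for i in range(n_ips) for j in range(per_ip)]
    return sorted(reqs, key=lambda r: r["t"])  # buckets expect time order

def admitted(limiter, requests):
    return sum(limiter.allow(r) for r in requests)

if __name__ == "__main__":
    traffic = distributed_traffic()
    print("keyed by IP:        ", admitted(KeyedLimiter(1, 5, by_ip), traffic))
    print("keyed by credential:", admitted(KeyedLimiter(1, 5, by_credential), traffic))
```

Keyed by IP, every source gets its own burst allowance and all 1000 requests pass; keyed by credential, the whole fleet shares one bucket and only the first 5 are admitted.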


Replies

cake, yesterday at 1:08 PM

Any tips on how to define the rate limits for a web app with moderate traffic? For logged and anonymous users?