Nobody puts "implement rate limiting" on the sprint board. It's not a user story. It doesn't move a metric. Product never asks for it.
Then one day, someone scripts 50,000 requests to your API in 30 seconds and your database melts. Or worse — a single user's runaway script costs you $800 in AWS Lambda invocations overnight.
Both of these happened to me. Now rate limiting is in my starter template.
The Three Layers
I implement rate limiting at three layers, because each catches different abuse patterns:
Layer 1: Edge (CloudFront / Vercel)



