In my spare time, I’ve been working on a little Phoenix project that involves a JSON API. Developers frequently neglect rate limiting when they build an API, assuming they are even aware that it is a best practice.
It’s true that in many cases rate limiting isn’t worth the effort, but when it comes to authentication, it definitely is. For example, the recent high-profile iCloud security breach that released celebrity photos onto the internet could have been prevented had Apple implemented rate limiting on one of their authentication APIs. This would have prevented the brute-force attack that the hackers used to guess the celebrities’ passwords.
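The kind of check the post is arguing for, as an added example that is not the post's own code: a hypothetical Phoenix plug (module name, table name and limits are assumptions) that counts attempts per client IP in a fixed window and answers further ones with 429 before the password check ever runs.

```elixir
defmodule MyAppWeb.Plugs.LoginRateLimit do
  # Fixed-window rate limiter for an authentication endpoint (hypothetical
  # module, not from the post). Attempts are counted per client IP in an
  # ETS table; once the limit is hit inside the window, the request is
  # rejected with 429 and the plug pipeline is halted.
  #
  # Router usage (assumed):
  #   pipeline :login do
  #     plug MyAppWeb.Plugs.LoginRateLimit
  #   end
  import Plug.Conn

  @table :login_rate_limit
  @limit 5            # attempts allowed per window, per client IP
  @window_ms 60_000   # window length in milliseconds

  # Create the table from a long-lived process (e.g. Application.start/2):
  # an ETS table dies with its owner, so it must not be created per request.
  def create_table do
    :ets.new(@table, [:named_table, :public, :set, write_concurrency: true])
  end

  def init(opts), do: opts

  def call(conn, _opts) do
    key = conn.remote_ip
    now = System.monotonic_time(:millisecond)

    case :ets.lookup(@table, key) do
      [{^key, count, started}] when now - started < @window_ms and count >= @limit ->
        # Limit reached in the current window: tell the client when to retry
        # and stop here so the credential check below never runs.
        retry_s = div(@window_ms - (now - started), 1000) + 1

        conn
        |> put_resp_header("retry-after", Integer.to_string(retry_s))
        |> send_resp(429, "Too Many Requests")
        |> halt()

      [{^key, count, started}] when now - started < @window_ms ->
        # Still inside the window and under the limit: count this attempt.
        :ets.insert(@table, {key, count + 1, started})
        conn

      _ ->
        # No entry yet, or the previous window has expired: start a fresh one.
        :ets.insert(@table, {key, 1, now})
        conn
    end
  end
end
```

Behind a reverse proxy `remote_ip` is the proxy's address, so the key must come from the forwarded client address instead; keying on the target account as well as the IP covers attempts spread across many addresses.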