Rate limiting for public endpoints #34

@unrealbg

Description

Problem

Public endpoints such as comment submission lack rate limiting, opening risk for spam/DoS.

Proposal

  • Apply rate limiting policies to comment submission and other public endpoints.
  • Log throttled requests with Serilog.
  • Document reasonable limits.

Alternatives considered

  • Rely on infrastructure-level limits only.

Acceptance criteria

  • Policies configured and applied
  • Serilog logs throttled requests
  • Reasonable limits documented

Technical notes

  • Built-in ASP.NET Core Rate Limiting middleware
  • Separate policies per endpoint group

Risks

  • Overtight limits may block legitimate users.

Additional context

Labels: security, performance
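
One way the proposal could look with the built-in middleware, as an added example that is not the project's own code. It assumes a .NET 7+ minimal-API project with implicit usings and the Serilog.AspNetCore package; the policy names, routes and limits are hypothetical placeholders, not documented values.

```csharp
using System.Globalization;
using System.Threading.RateLimiting;
using Microsoft.AspNetCore.RateLimiting;
using Serilog;

Log.Logger = new LoggerConfiguration().WriteTo.Console().CreateLogger();
var builder = WebApplication.CreateBuilder(args);
builder.Host.UseSerilog();

// Partition per client IP so one noisy client cannot use up everyone's budget.
// Behind a reverse proxy this is the proxy's address unless forwarded headers are configured.
static string ClientKey(HttpContext http) =>
    http.Connection.RemoteIpAddress?.ToString() ?? "unknown";

builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // Write endpoints (comment submission): tight fixed window, no queueing.
    options.AddPolicy("comments-write", http =>
        RateLimitPartition.GetFixedWindowLimiter(ClientKey(http), _ =>
            new FixedWindowRateLimiterOptions
            { PermitLimit = 5, Window = TimeSpan.FromMinutes(1), QueueLimit = 0 }));

    // Read endpoints: looser sliding window (assumed values).
    options.AddPolicy("public-read", http =>
        RateLimitPartition.GetSlidingWindowLimiter(ClientKey(http), _ =>
            new SlidingWindowRateLimiterOptions
            { PermitLimit = 60, Window = TimeSpan.FromMinutes(1), SegmentsPerWindow = 6, QueueLimit = 0 }));

    // Runs for every throttled request: set Retry-After and log through Serilog.
    options.OnRejected = (context, _) =>
    {
        var http = context.HttpContext;
        if (context.Lease.TryGetMetadata(MetadataName.RetryAfter, out var retryAfter))
            http.Response.Headers.RetryAfter =
                ((int)retryAfter.TotalSeconds).ToString(CultureInfo.InvariantCulture);
        Log.Warning("Rate limit hit: {Method} {Path} from {ClientIp}",
            http.Request.Method, http.Request.Path.Value, ClientKey(http));
        return ValueTask.CompletedTask;
    };
});

var app = builder.Build();
app.UseRateLimiter();
// Hypothetical endpoint groups, each bound to its own policy.
app.MapGroup("/api/comments").RequireRateLimiting("comments-write").MapPost("/", () => Results.Accepted());
app.MapGroup("/api/posts").RequireRateLimiting("public-read").MapGet("/", () => Results.Ok());
app.Run();
```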

Issue label: enhancement (New feature or request)