PS Product Security Knowledge Base

🚦 Rate Limits, Quotas, Friction, and Detection

Intro: Teams often reach for one rate-limit number and call the problem solved. Real product abuse is more complicated: the defender needs the right limit, at the right layer, tied to the right object, with enough telemetry to tell whether the attacker simply changed shape.

What this page includes

  • how to think about rate limits as one abuse control, not the only control
  • quota and workflow protections for high-value product actions
  • where to add user friction
  • what telemetry proves the control is working

Choose the limiter key carefully

Limiting only by source IP is rarely enough: legitimate users share egress addresses behind NAT and VPNs, while attackers rent proxy pools cheaply and spread the same abuse across thousands of addresses. Key the limit on combinations of:

  • account;
  • tenant;
  • session;
  • device or browser fingerprinting signal;
  • API key or integration identity;
  • object identifier;
  • network source.
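The point of keying on several dimensions at once is that the attacker must stay under every limit simultaneously. The following is an added example (not code from the page or from any product it describes) of a sliding-window limiter that evaluates each failed-login event against per-IP, per-account, and per-tenant limits and reports which dimension tripped. The limits, the `MultiKeyLimiter` class, and the three constructed scenarios are assumptions for illustration:

```python
from collections import defaultdict, deque

# Hypothetical per-dimension limits: (max failed events, window in seconds).
# Values are assumptions for the example, not recommendations from the page.
LIMITS = {
    "ip":      (20, 60),   # generous: shared NAT/VPN egress makes IP noisy
    "account": (5, 60),    # tight: one real user rarely fails 5 logins a minute
    "tenant":  (50, 60),   # catches spraying across one customer's user base
}

class MultiKeyLimiter:
    """Sliding-window counter per (dimension, value); an event is checked
    against every dimension it carries, so distributing across IPs still
    trips the account key and spraying accounts still trips the IP key."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.events = defaultdict(deque)   # (dimension, value) -> timestamps

    def record(self, event, now):
        """Record one failed attempt; return the dimensions now over limit."""
        tripped = []
        for dim, (max_events, window) in self.limits.items():
            value = event.get(dim)
            if value is None:
                continue
            q = self.events[(dim, value)]
            while q and q[0] <= now - window:   # drop events outside the window
                q.popleft()
            q.append(now)
            if len(q) > max_events:
                tripped.append(dim)
        return tripped

def simulate(events):
    """Feed (timestamp, event) pairs; return {dimension: first timestamp it tripped}."""
    limiter = MultiKeyLimiter()
    first_trip = {}
    for now, ev in events:
        for dim in limiter.record(ev, now):
            first_trip.setdefault(dim, now)
    return first_trip

# Constructed scenario 1: credential stuffing against one account, spread
# over 30 source IPs, one failure per second. IP-only limiting never fires.
DISTRIBUTED = [
    (t, {"ip": f"203.0.113.{t}", "account": "alice", "tenant": "acme"})
    for t in range(30)
]
# Constructed scenario 2: one IP spraying 30 different accounts in one tenant.
# Account-only limiting never fires.
SPRAY = [
    (t, {"ip": "198.51.100.7", "account": f"user{t}", "tenant": "acme"})
    for t in range(30)
]
# Constructed scenario 3: low-and-slow, one failure every 15 s against one
# account. Never more than four events in the 60 s window, so nothing fires;
# this is the shape a limiter alone cannot see and telemetry must catch.
SLOW = [
    (15 * i, {"ip": f"203.0.113.{i}", "account": "alice", "tenant": "acme"})
    for i in range(30)
]
```

Run `simulate` on each scenario: the distributed attack trips `account` at the sixth failure and nothing else, the spray trips `ip` at the twenty-first, and the slow drip trips nothing. That last result is the argument for the telemetry and detection sections below: a limiter bounds the rate, it does not identify the campaign.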

Match the limit to the workflow

Workflow               Better control than a generic request limit
---------------------  --------------------------------------------------------------------
login                  per-account and per-device throttling; stepped-up auth
trial signup           per-tenant, per-payment-instrument, and per-email-domain heuristics
export                 concurrency caps; approval or notification; object-count thresholds
invite flows           per-tenant quotas and anomaly review
search or scraping     request cost model plus pagination limits and abuse detection
support impersonation  time-boxed access, reason capture, dual logging

Friction should be staged

A practical staged-failure model looks like this:

  1. invisible telemetry and anomaly scoring;
  2. soft friction such as email verification, proof-of-work, or re-auth;
  3. stronger friction such as CAPTCHA, MFA, or approval steps;
  4. time-bound lockout or manual review.

Blanket blocking tends to punish good users first.
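An added example (not the page's own code) of the four-stage ladder as a per-account policy: a decaying, weighted count of suspicious events selects the stage, lockout is time-bound rather than permanent, and a success under the current step-up clears the history. The `StagedFriction` class, its thresholds, and the `walkthrough` timeline are assumptions chosen to show the escalation and the de-escalation paths:

```python
from collections import defaultdict, deque

class StagedFriction:
    """Per-account escalation ladder: allow -> soft -> strong -> lockout.

    Thresholds, decay and lockout lengths are constructed for the example."""

    def __init__(self, soft_at=3, strong_at=6, lockout_at=10,
                 decay_seconds=1800, lockout_seconds=900):
        self.soft_at, self.strong_at, self.lockout_at = soft_at, strong_at, lockout_at
        self.decay_seconds, self.lockout_seconds = decay_seconds, lockout_seconds
        self.history = defaultdict(deque)   # account -> deque of (ts, weight)
        self.lockout_until = {}             # account -> lockout expiry timestamp

    def _score(self, account, now):
        q = self.history[account]
        while q and q[0][0] <= now - self.decay_seconds:
            q.popleft()                     # events past the decay window stop counting
        return sum(weight for _, weight in q)

    def stage(self, account, now):
        """Read-only: the friction step the next request from this account gets."""
        until = self.lockout_until.get(account)
        if until is not None and now < until:
            return "lockout"                # stage 4, time-bound
        score = self._score(account, now)
        if score >= self.strong_at:
            return "strong"                 # stage 3: CAPTCHA, MFA, or approval
        if score >= self.soft_at:
            return "soft"                   # stage 2: email verification, PoW, re-auth
        return "allow"                      # stage 1: invisible telemetry and scoring

    def observe(self, account, now, failed, weight=1):
        """Record an outcome. weight > 1 lets anomaly scoring (new device, impossible
        travel, hostile ASN) escalate faster than raw attempt counting would."""
        if not failed:
            self.history[account].clear()   # passed the step-up: start clean
            self.lockout_until.pop(account, None)
            return
        self.history[account].append((now, weight))
        locked = now < self.lockout_until.get(account, 0)
        if self._score(account, now) >= self.lockout_at and not locked:
            self.lockout_until[account] = now + self.lockout_seconds

def walkthrough():
    """Constructed timeline showing escalation, expiry, decay, and weighting."""
    p = StagedFriction()
    ladder = []
    for i in range(10):                     # ten plain failures, one per second
        p.observe("bob", now=i, failed=True)
        ladder.append(p.stage("bob", now=i))
    after_lockout = p.stage("bob", now=9 + 900)   # lockout expired, history still fresh
    after_decay = p.stage("bob", now=2000)        # history decayed too
    p.observe("carol", now=0, failed=True, weight=3)   # one failure, but heavily weighted by anomaly scoring
    carol_first = p.stage("carol", now=0)
    p.observe("carol", now=5, failed=False)            # she clears the soft step
    carol_after = p.stage("carol", now=5)
    return {"ladder": ladder, "after_lockout": after_lockout, "after_decay": after_decay,
            "carol_first": carol_first, "carol_after": carol_after}
```

Two design choices matter here. An expired lockout drops the account back to "strong", not to "allow", so a returning attacker still faces step-up until the history decays. And the weight parameter is where stage 1 feeds the later stages: a single failure that anomaly scoring rates as suspicious lands directly on soft friction, while ordinary mistyped passwords stay invisible.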

What to detect

High-value signals include:

  • many low-success attempts across many accounts;
  • unusual velocity on invite, export, or password-reset endpoints;
  • large volumes of object-level access failures followed by a successful sequence;
  • sudden shifts in request cost or pagination behavior;
  • many accounts linked to the same infrastructure or recovery pattern.
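An added example (not from the page) of three of these signals computed over constructed log lines: a source hitting many accounts with a low success rate, a run of object-level denials followed by a hit, and several accounts registering the same recovery contact. The key=value line format, the thresholds, and the detector names are assumptions for illustration:

```python
from collections import defaultdict

# Constructed sample events: "<ts> key=value ...". Not real data.
LOG_LINES = (
    # one source trying 12 different accounts, no successes: password spray
    [f"{100 + i} src=198.51.100.7 account=u{i:02d} action=login result=fail"
     for i in range(12)]
    # a normal user who mistypes twice, then signs in
    + ["200 src=203.0.113.5 account=alice action=login result=fail",
       "205 src=203.0.113.5 account=alice action=login result=fail",
       "210 src=203.0.113.5 account=alice action=login result=ok"]
    # object-ID enumeration: eight denials in a row, then a hit
    + [f"{300 + i} src=203.0.113.9 account=mallory action=read object=inv-{100 + i} result=denied"
       for i in range(8)]
    + ["310 src=203.0.113.9 account=mallory action=read object=inv-108 result=ok"]
    # three of the sprayed accounts later share one recovery address
    + [f"{400 + i} src=198.51.100.7 account=u0{i} action=recovery_set recovery=drop@example.net"
       for i in range(1, 4)]
)

def parse(line):
    """Turn '<ts> k=v k=v' into a dict with an integer 'ts'."""
    ts, rest = line.split(" ", 1)
    ev = dict(field.split("=", 1) for field in rest.split())
    ev["ts"] = int(ts)
    return ev

def spray_sources(events, min_accounts=10, max_success_rate=0.2):
    """Sources that touch many accounts with a low login success rate."""
    per_src = defaultdict(lambda: {"accounts": set(), "total": 0, "ok": 0})
    for ev in events:
        if ev.get("action") != "login":
            continue
        s = per_src[ev["src"]]
        s["accounts"].add(ev["account"])
        s["total"] += 1
        s["ok"] += ev["result"] == "ok"
    return {
        src: {"accounts": len(s["accounts"]), "success_rate": s["ok"] / s["total"]}
        for src, s in per_src.items()
        if len(s["accounts"]) >= min_accounts and s["ok"] / s["total"] <= max_success_rate
    }

def object_enumeration(events, min_denied=5):
    """Per account, a run of object-level denials ending in a success."""
    runs = defaultdict(int)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if "object" not in ev:
            continue
        acct = ev["account"]
        if ev["result"] == "denied":
            runs[acct] += 1
        else:
            if runs[acct] >= min_denied:
                hits.append((acct, runs[acct], ev["object"]))
            runs[acct] = 0
    return hits

def shared_recovery(events, min_accounts=3):
    """Accounts that register the same recovery contact."""
    by_contact = defaultdict(set)
    for ev in events:
        if ev.get("action") == "recovery_set":
            by_contact[ev["recovery"]].add(ev["account"])
    return {c: sorted(a) for c, a in by_contact.items() if len(a) >= min_accounts}

def run_detectors(lines=LOG_LINES):
    events = [parse(line) for line in lines]
    return {
        "spray": spray_sources(events),
        "enumeration": object_enumeration(events),
        "shared_recovery": shared_recovery(events),
    }
```

Note what each detector keys on: the spray detector groups by source, which is exactly the dimension a per-account limiter misses; the enumeration detector works on the object identifier, so it fires on a sequence no request-per-minute limit would flag; and the recovery-contact detector links accounts that never shared a request at all.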

Review questions

  • What is the attacker's cheapest way to distribute the abuse?
  • Which object or workflow needs a quota rather than only a request-per-minute limit?
  • Which business event should generate user-facing notification?
  • Which signal tells us the attacker moved from one key to another?

Author attribution: Ivan Piskunov, 2026 - Educational and defensive-engineering use.