# Rate Limiting and Anti-Automation (Bots)

One-sentence definition: Control abuse by limiting request rates and detecting automated behavior.

## Key Facts

- Apply per-IP, per-account, and per-API-key limits, with both burst and sustained windows.
- Use device fingerprints and behavioral signals; challenge the client when the risk score is high.
- Protect login, password reset, enumeration-prone, and checkout endpoints first.
- Return friendly, non-revealing errors; avoid blocking legitimate background jobs.
- **Verify:** check the official (ISC)² CBK and the current exam outline.

## Exam Relevance

- Choose rate limits plus detection over a CAPTCHA-only approach.

**Mnemonic:** "**Throttle, then challenge**."

## Mini Scenario

Q: Credential stuffing bypasses the CAPTCHA. What should you add?

A: Per-account limits, IP reputation, and step-up authentication.

## Revision Checklist

- Two limit dimensions (burst and sustained).
- Priority endpoints.
- False-positive mitigation.

## Related

[[Authentication Best Practices (Passwordless MFA OIDC)]] · [[Web Session Management (Cookies Tokens Timeouts)]] · [[CORS Design Deep Dive and Anti-Patterns]] · [[Service-to-Service Auth (API Keys OAuth mTLS DPoP)]] · [[Domain 8 - Index]]