How and what to rate-limit?

[zeronumbers]

Should rate-limit provided in the example be used only for auth?
And if i want to rate-limit other stuff I would need another rate limit specifically for that?

I use nextjs and have a caddy in front of it, I can add rate limit specifically for nextjs, and use caddy for rate limiting everything as well, is this the correct approach?
Alternatively rate-limit can be used in nextjs middleware but there are many chunks for a single page (results in a single page needing ~8 GET requests), so a limit has to be higher - and that would allow more login attempts.

Is it reasonable to rate-limit even normal pages?

If two separate rate-limiters are needed, should both of them be in caddy since it is in front of nextjs?

[KeepALifeUS]

Rate Limiting with Lucia

Use two layers:

• Caddy: Global DDoS protection
• Next.js: Auth-specific (5 attempts/min)

Example:

const limiter = new Ratelimit({
  redis: Redis.fromEnv(),
  limiter: Ratelimit.slidingWindow(5, "1 m"),
});

const { success } = await limiter.limit(ip);
if (!success) return new Response("Too many attempts", { status: 429 });

Answers:

1. Auth needs separate stricter limit - YES
2. Caddy + Next.js together - YES
3. Normal pages rate limit - OPTIONAL
4. Rate limit by route pattern, not all chunks