# Missing API Rate Limiting

- ID: python-missing-rate-limiting
- Severity: MEDIUM
- CWE: Allocation Without Limits (CWE-770)
- Languages: Python
- Frameworks: flask, django, fastapi

## Description

Detects API endpoints without rate limiting. Unprotected endpoints are vulnerable to brute force attacks, credential stuffing, and denial of service. Always implement rate limiting on authentication, expensive operations, and public APIs.

## Detection Message

API endpoint lacks rate limiting protection

## Remediation

Add a rate-limiting decorator to authentication and expensive endpoints.

```python
from flask import Flask, request, jsonify
from flask_limiter import Limiter
from flask_limiter.util import get_remote_address

app = Flask(__name__)

# Key each client by its remote address; requests beyond the limit get HTTP 429.
limiter = Limiter(app=app, key_func=get_remote_address)


@app.route('/api/login', methods=['POST'])
@limiter.limit("5 per minute")  # tight limit on the authentication endpoint
def login():
    # authenticate() and generate_token() are the application's own helpers.
    user = authenticate(request.json)
    return jsonify({'token': generate_token(user)})
```

Learn more: https://shoulder.dev/learn/python/cwe-770/missing-rate-limiting

## Related Rules

- **Request Size Limits in Express.js** [MEDIUM]
- **Prisma Unbounded Relation Loading** [MEDIUM]
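To show what the "5 per minute" limit in the remediation actually enforces, here is an added, self-contained example (not part of the rule or of flask-limiter) that implements a per-client sliding-window limiter and a decorator in the same spirit as `@limiter.limit(...)`. The `request` dict, the `203.0.113.x` addresses, the injectable clock and the `simulate_login_attempts()` scenario are all constructed for the demo; in real code the key must come from the socket peer address, not from a client-controlled header such as `X-Forwarded-For`, unless a trusted proxy sets it.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Deque, Dict, Tuple

class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key (here: client IP).
    The clock is injectable so the demo and tests run deterministically."""

    def __init__(self, limit: int, window: float, clock: Callable[[], float] = time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str) -> Tuple[bool, float]:
        """Return (allowed, retry_after_seconds) and record the hit if allowed."""
        now = self.clock()
        hits = self._hits[key]
        while hits and now - hits[0] >= self.window:   # expire hits that left the window
            hits.popleft()
        if len(hits) >= self.limit:
            return False, self.window - (now - hits[0])
        hits.append(now)
        return True, 0.0

def rate_limited(limiter: SlidingWindowLimiter, key_func: Callable[[dict], str]):
    """Decorator equivalent of @limiter.limit(...): reject with 429 before the handler runs."""
    def decorator(handler):
        def wrapper(request: dict):
            allowed, retry_after = limiter.allow(key_func(request))
            if not allowed:
                return 429, {"error": "too many requests", "retry_after": int(retry_after)}
            return handler(request)
        return wrapper
    return decorator

def simulate_login_attempts() -> list:
    """Constructed scenario: 6 attempts from one IP, 1 from another, then 1 after the window."""
    clock = {"t": 0.0}
    limiter = SlidingWindowLimiter(limit=5, window=60.0, clock=lambda: clock["t"])
    @rate_limited(limiter, key_func=lambda req: req["remote_addr"])  # peer address, not X-Forwarded-For
    def login(request: dict):
        return 200, {"token": "constructed-token"}   # real code: authenticate() + generate_token()
    statuses = []
    for i in range(6):                               # 6 attempts within one minute from 203.0.113.10
        clock["t"] = i * 5.0
        statuses.append(login({"remote_addr": "203.0.113.10"})[0])
    statuses.append(login({"remote_addr": "203.0.113.11"})[0])   # another client is unaffected
    clock["t"] = 61.0                                # the t=0 hit has expired, so one slot frees up
    statuses.append(login({"remote_addr": "203.0.113.10"})[0])
    return statuses
```

Running `simulate_login_attempts()` yields five 200s, a 429 for the sixth attempt, a 200 for the other client, and a 200 once the oldest hit ages out of the window.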