Rate limiting is one of those things everyone knows they should do and nobody enjoys configuring by hand. Claude can analyse your API routes and propose a complete throttling strategy.
cat routes/api.php | claude "Add appropriate rate limiting to these routes. Authentication endpoints should be stricter than read endpoints. Use named rate limiters defined in RouteServiceProvider and explain your reasoning."
Claude will define named limiters in RateLimiter::for() blocks and apply them per route group — not just slap a generic throttle:60,1 on everything.
// In app/Providers/RouteServiceProvider.php
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

// Inside configureRateLimiting(): a strict per-IP limit for login attempts...
RateLimiter::for('login', function (Request $request) {
    return Limit::perMinute(5)->by($request->ip());
});

// ...and a per-user limit for authenticated API traffic, falling back to a tighter per-IP limit for guests
RateLimiter::for('api', function (Request $request) {
    return $request->user()
        ? Limit::perMinute(120)->by($request->user()->id)
        : Limit::perMinute(30)->by($request->ip());
});
You can push further: ask Claude to add custom throttle response messages, different limits per user plan, or exponential backoff headers.
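The following is an added example of what that fuller configuration looks like once written out; it is not code from the original post or output from Claude. It assumes a Laravel app that still registers limiters in RouteServiceProvider (as the post does), a User model with a hypothetical `plan` attribute (`free` or `pro`), and placeholder controller names in routes/api.php. It keys the login limiter on both the client IP and the submitted e-mail, tiers read limits by plan, and attaches a custom JSON 429 body to the write limiter that passes through the Retry-After and X-RateLimit-* headers Laravel supplies.

```php
<?php
// Added example (not the original post's code). Assumes: Laravel with RouteServiceProvider-based
// limiter registration, a hypothetical User::$plan attribute, and placeholder controllers.

namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Foundation\Support\Providers\RouteServiceProvider as ServiceProvider;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;

class RouteServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        $this->configureRateLimiting();

        $this->routes(function () {
            Route::middleware('api')->prefix('api')->group(base_path('routes/api.php'));
        });
    }

    protected function configureRateLimiting(): void
    {
        // Login: strict, and keyed on BOTH the IP and the submitted e-mail, so one account
        // cannot be retried from many IPs and one IP cannot cycle through many accounts.
        RateLimiter::for('login', function (Request $request) {
            $email = strtolower((string) $request->input('email'));
            return [
                Limit::perMinute(5)->by('login-ip:'.$request->ip()),
                Limit::perMinute(5)->by('login-email:'.$email),
            ];
        });

        // Read endpoints: generous, tiered by the (hypothetical) plan attribute,
        // with a tighter per-IP limit for unauthenticated callers.
        RateLimiter::for('reads', function (Request $request) {
            $user = $request->user();
            if ($user === null) {
                return Limit::perMinute(30)->by('guest:'.$request->ip());
            }
            return match ($user->plan ?? 'free') {
                'pro'   => Limit::perMinute(600)->by('user:'.$user->id),
                default => Limit::perMinute(120)->by('user:'.$user->id),
            };
        });

        // Write endpoints: tighter than reads, with a custom JSON 429 response.
        // $headers already contains Retry-After and the X-RateLimit-* headers,
        // so forwarding it lets well-behaved clients back off correctly.
        RateLimiter::for('writes', function (Request $request) {
            return Limit::perMinute(20)
                ->by('writes:'.($request->user()?->id ?: $request->ip()))
                ->response(function (Request $request, array $headers) {
                    return response()->json([
                        'message'     => 'Too many write requests; retry after the indicated delay.',
                        'retry_after' => $headers['Retry-After'] ?? null,
                    ], 429, $headers);
                });
        });
    }
}

// routes/api.php (hypothetical routes; AuthController and PostController are placeholders):
// Route::post('/login', [AuthController::class, 'login'])->middleware('throttle:login');
// Route::middleware(['auth:sanctum', 'throttle:reads'])->get('/posts', [PostController::class, 'index']);
// Route::middleware(['auth:sanctum', 'throttle:writes'])->post('/posts', [PostController::class, 'store']);
```

Returning an array of Limit objects from one limiter makes Laravel enforce every entry, which is how the login limiter gets two independent keys without two middleware entries. Prefixing each key (`login-ip:`, `user:`) keeps counters from colliding when an IP string and a user id happen to look alike in the cache.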
Turn rate limiting from an afterthought into a deliberate security layer.