Any public POST endpoint (login, signup, contact, AI chat) is a brute-force target. Laravel's throttle middleware caps per-IP/per-user request rates.
Quick throttle (60 reqs / minute / IP)
Route::post('/login', LoginController::class)
    ->middleware('throttle:60,1'); // 60 requests per minute, keyed on the client IP
Named limiters (best for production)
app/Providers/AppServiceProvider.php:
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;

public function boot(): void
{
    RateLimiter::for('login', function (Request $r) {
        // 5 attempts per minute per (email, IP) pair
        return Limit::perMinute(5)
            ->by($r->input('email') . '|' . $r->ip())
            ->response(function () {
                return response('Too many attempts. Try again in a minute.', 429);
            });
    });
}
Then use it: ->middleware('throttle:login').
The key — email|ip — punishes the bad actor without locking out the real owner of the account from a different network.
What to throttle
Login, register, forgot-password, contact form, file uploads, anything that hits an external API on your dime (e.g. AI calls).
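As an added example that is not code from the original post, here is the same named-limiter pattern applied to a paid AI chat endpoint, together with a feature test that proves the limit actually fires. It assumes a hypothetical `/api/chat` route backed by a hypothetical `ChatController`, a Sanctum-authenticated API, and the `array` cache driver in the test environment (so limiter counters start empty per test); the limiter name `ai-chat` and the numbers 10/minute and 200/day are example values. Laravel's `RateLimiter::for` may return an array of `Limit` objects, in which case every limit must pass before the request is allowed.

```php
<?php
// --- app/Providers/AppServiceProvider.php ---
// Added example (not the original post's code). Assumes Laravel 9+ and PHP 8.
namespace App\Providers;

use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\ServiceProvider;

class AppServiceProvider extends ServiceProvider
{
    public function boot(): void
    {
        RateLimiter::for('ai-chat', function (Request $request) {
            // Key on the account when authenticated, otherwise on the client IP:
            // one abusive account cannot spread its load across many IPs, and one
            // anonymous IP cannot burn the budget of many users.
            $key = $request->user()
                ? 'user:' . $request->user()->id
                : 'ip:' . $request->ip();

            // Returning an array stacks the limits; the first one exceeded
            // produces the 429. Values here are example numbers, not a recommendation.
            return [
                // Burst cap: stops scripted hammering inside a single minute.
                Limit::perMinute(10)->by($key),
                // Daily cap: bounds what one caller can spend on the upstream AI API.
                Limit::perDay(200)->by($key)
                    ->response(function (Request $r, array $headers) {
                        return response()->json(
                            ['error' => 'Daily chat quota reached.'],
                            429,
                            $headers // keeps Retry-After and X-RateLimit-* on the custom reply
                        );
                    }),
            ];
        });
    }
}

// --- routes/api.php ---
// ChatController is hypothetical; any invokable controller works.
use App\Http\Controllers\ChatController;
use Illuminate\Support\Facades\Route;

Route::post('/chat', ChatController::class)
    ->middleware(['auth:sanctum', 'throttle:ai-chat']);

// --- tests/Feature/ChatThrottleTest.php ---
// Verifies the limiter is wired to the route, not just declared.
namespace Tests\Feature;

use App\Models\User;
use Illuminate\Foundation\Testing\RefreshDatabase;
use Tests\TestCase;

class ChatThrottleTest extends TestCase
{
    use RefreshDatabase;

    public function test_eleventh_request_in_a_minute_is_rejected(): void
    {
        $user = User::factory()->create();
        $this->actingAs($user, 'sanctum');

        // The first ten requests must reach the controller (whatever it answers).
        for ($i = 0; $i < 10; $i++) {
            $status = $this->postJson('/api/chat', ['message' => 'hello'])->status();
            $this->assertNotSame(429, $status, "request #" . ($i + 1) . " was throttled early");
        }

        // The eleventh trips the per-minute limit; Laravel adds Retry-After itself.
        $this->postJson('/api/chat', ['message' => 'hello'])
            ->assertStatus(429)
            ->assertHeader('Retry-After');
    }
}
```

Run the test with `php artisan test --filter ChatThrottleTest`. Keying on the user id for authenticated calls matters for the cost argument in the list above: a per-IP key alone lets one account with many egress addresses exhaust the daily budget, while a per-user key with an IP fallback for guests keeps the spend bounded per identity.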