In addition to controlling which URLs a client can access, you can control how often. This can be especially important to preventing scouting and brute force password attacks.
If a client is not really interested in actually receiving a response and/or attempting to authenticate or connecting, but is simply attempting to consume resources in order to deprive legitimate clients, consider more than simple HTTP-layer rate limiting. See also DoS prevention. |
If you need to restrict access as well as rate limiting, you can do both at the same time. See Combination access control & rate limiting.