Two endpoints — one has no rate limiting at all, one enforces a 10-requests-per-minute limit. Find which one never blocks, no matter how many times you hammer it.
Rate limiting protects endpoints from brute-force attacks, denial-of-service, and credential stuffing. A login endpoint without rate limiting allows an attacker to try thousands of passwords per second. A missing 429 response is a security bug.
| Verdict | Observed behavior |
| --- | --- |
| Bug | Login endpoint: 50+ attempts with no block — never returns 429 |
| Correct | Search endpoint: blocked after 10 requests per minute with 429 |
Attempt Login 20+ times — are you ever blocked? Search 10+ times — what happens after the 10th?
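
The difference between the two endpoints, as an added example that is not code from the exercise itself: a sliding-window limiter (10 requests per 60 seconds, matching the limit above) is applied to a search handler and missing from a login handler, and a check reports which request first returns 429. The handler names, the client key and the injected clock are assumptions made for illustration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each key."""

    def __init__(self, limit=10, window=60.0):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)  # key -> timestamps of accepted requests

    def allow(self, key, now):
        q = self.hits[key]
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


limiter = SlidingWindowLimiter(limit=10, window=60.0)


def search(client, now):
    # Correct: the limiter is consulted before any work is done.
    if not limiter.allow(("search", client), now):
        return 429
    return 200


def login_buggy(client, now):
    # Bug: no limiter call, so every attempt reaches the password check.
    return 401


def login_fixed(client, now):
    # Fix: same check as search, keyed per endpoint and per client.
    if not limiter.allow(("login", client), now):
        return 429
    return 401


def first_block(handler, client, attempts, start=0.0, step=0.1):
    """Return the 1-based request number that first got 429, or None."""
    for i in range(attempts):
        if handler(client, start + i * step) == 429:
            return i + 1
    return None
```

A check like `first_block` works as a regression test: a result of `None` on an authentication endpoint is the missing-429 bug described above.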