Use @nestjs/throttler, the official rate limiting package. Register ThrottlerModule.forRoot() with an array of named windows, each with its own ttl and limit, so you get several time windows at once, then bind ThrottlerGuard globally via APP_GUARD. Override the limits on individual routes with @Throttle() and exempt specific routes with @SkipThrottle(). To key the limit on something other than the request IP (the default), extend ThrottlerGuard and override getTracker(), for example to return the authenticated user's ID. Exceeding a limit yields HTTP 429.
Register ThrottlerGuard globally via APP_GUARD so every route is protected by default; route-level decorators are then only needed to tighten, loosen or skip the limit, and a newly added controller cannot be forgotten.
Define multiple time windows (for example a 1 s window with a small limit and a 60 s window with a larger one) so a burst trips the short window while a slow, sustained scrape trips the long one. ttl is in milliseconds from v5 of the package onwards (earlier versions used seconds). The default storage is in-memory per process, so with several instances behind a load balancer use a shared store such as @nestjs/throttler-storage-redis; otherwise each instance keeps its own counters and the effective limit is multiplied by the instance count.
Override getTracker() to key on the authenticated user ID where one exists, falling back to the client IP for unauthenticated routes. A bare IP key is unreliable rather than merely weak: behind a proxy or NAT all clients share one address (so one abuser throttles everyone), and X-Forwarded-For is attacker-controlled unless the HTTP adapter is told which proxies to trust (app.set('trust proxy', ...) on Express). Global guards run in the order they are bound, so register the authentication guard before ThrottlerGuard or req.user will still be empty when getTracker() runs.
@Throttle() at the route level overrides the global default for that handler; use it to set a much tighter limit on credential-handling endpoints such as login, password reset and token refresh (in v5 the decorator takes an object keyed by throttler name, v4 took positional limit and ttl arguments). Remember that on the login route there is no user yet, so that limit is keyed by IP unless getTracker() derives something else, such as the submitted username.
@SkipThrottle() exempts a route or controller from the limiter. Reserve it for health checks and cheap public status endpoints, and never apply it to anything that hits the database, sends mail or does crypto, since an exempt route is exactly what an attacker will hammer.
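The following TypeScript block is an added example, not code from the page or from @nestjs/throttler. It models the two pieces a ThrottlerGuard subclass has to get right, the tracker key that getTracker() returns (user ID when authenticated, otherwise the client IP with X-Forwarded-For honoured only behind a trusted proxy) and multi-window counting of the same shape as a ThrottlerModule.forRoot([...]) array, as plain functions so it runs without NestJS. The RequestLike shape, the user property, the MultiWindowLimiter class and the burstScenario() helper are assumptions; in a real app trackerFor() is what your getTracker() override would return, and the windows come from forRoot().

```typescript
// Added example: a stand-alone model of throttler key derivation and
// multi-window counting. Not the @nestjs/throttler implementation.

export interface ThrottleWindow {
  name: string;
  ttl: number;   // window length in milliseconds (v5+ semantics)
  limit: number; // max requests per tracker within one window
}

// Minimal request shape (assumption). `user` is whatever your auth guard
// attaches; `socket.remoteAddress` is the TCP peer, never spoofable.
export interface RequestLike {
  headers: Record<string, string | undefined>;
  socket: { remoteAddress?: string };
  user?: { id: string | number };
}

// What getTracker() should return. Authenticated traffic is keyed by user
// so rotating source IPs does not reset the budget; unauthenticated
// traffic (login, signup) has no user and falls back to the client IP.
export function trackerFor(req: RequestLike, trustProxy: boolean): string {
  if (req.user?.id !== undefined) {
    return `user:${req.user.id}`;
  }
  const xff = req.headers['x-forwarded-for'];
  if (trustProxy && xff) {
    // A trusted proxy appends the address it saw, so the rightmost entry
    // is the real client; anything to its left was supplied by the client
    // and must not be used as a key. Models a single trusted hop.
    const hops = xff.split(',').map((s) => s.trim()).filter(Boolean);
    return `ip:${hops[hops.length - 1]}`;
  }
  // Without a trusted proxy the header is attacker-controlled: ignore it.
  return `ip:${req.socket.remoteAddress ?? 'unknown'}`;
}

// Fixed-window counters, one per (window name, tracker), mirroring the
// package's one-counter-per-throttler-name layout. In-memory, so this is
// per process exactly like the package's default storage.
export class MultiWindowLimiter {
  private readonly counters = new Map<string, { start: number; count: number }>();

  constructor(private readonly windows: ThrottleWindow[]) {}

  // Returns the name of the first exhausted window, or null if allowed.
  // Rejected requests still count, so hammering does not help the caller.
  check(tracker: string, now: number): string | null {
    let exhausted: string | null = null;
    for (const w of this.windows) {
      const key = `${w.name}:${tracker}`;
      let c = this.counters.get(key);
      if (!c || now - c.start >= w.ttl) {
        c = { start: now, count: 0 };
        this.counters.set(key, c);
      }
      c.count += 1;
      if (c.count > w.limit && exhausted === null) {
        exhausted = w.name;
      }
    }
    return exhausted;
  }
}

// Constructed scenario: one tracker, short window 3/1s, long window 10/60s.
// Five requests at t=0 (burst), four at t=1000, two at t=2000, one at t=3000.
export function burstScenario(): Array<string | null> {
  const limiter = new MultiWindowLimiter([
    { name: 'short', ttl: 1_000, limit: 3 },
    { name: 'long', ttl: 60_000, limit: 10 },
  ]);
  const times = [0, 0, 0, 0, 0, 1000, 1000, 1000, 1000, 2000, 2000, 3000];
  return times.map((t) => limiter.check('user:42', t));
}

console.log(burstScenario());
```

The burst at t=0 is cut off by the short window after three requests, the short window resets each second, and once the tracker has spent ten requests in total the long window rejects everything until it rolls over, which is the sustained-abuse case the two-window configuration exists for.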