How many times can an attacker try to guess an ID before I detect?

Short answer

Without a rate limit or monitoring: thousands. With basic monitoring (Sentry or equivalent): hundreds. With a per-IP rate limit: tens. Combine monitoring, rate limiting and Securie continuous-scan.

A default Vercel + Next.js app ships with no rate limit and no monitoring for enumeration patterns, so an attacker can iterate IDs freely.

Defense: a per-IP rate limit at the edge (Upstash or Cloudflare), a tighter per-user rate limit behind it, and Sentry-class anomaly detection on bursts of 4xx responses.
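The layered defense above, as an added example that is not code from this page, Vercel, Upstash, Cloudflare or Sentry: an in-memory sliding-window limiter stands in for the edge rate limit, and a per-source 4xx counter stands in for the anomaly rule. The function names (`SlidingWindowLimiter`, `detect4xxBursts`, `simulateEnumeration`, `compareDefenses`), the log line format, the TEST-NET addresses and the guess rate of five per second are constructed assumptions; the attacker model (sequential ID iteration against an unprotected route) is the page's own. `compareDefenses()` runs the same 1,000-guess enumeration with no defense, with monitoring only, and with the edge limit plus monitoring, so the "thousands / hundreds / tens" figures can be reproduced for a concrete threshold.

```javascript
// Added example (not from the page or any vendor): sliding-window rate limiting plus
// 4xx-burst detection, run over a constructed enumeration attempt and a constructed log.

// Sliding-window limiter: at most `limit` hits per `key` within the trailing `windowMs`.
// `key` can be an IP (edge limit) or a user id (tighter per-user limit).
class SlidingWindowLimiter {
  constructor(limit, windowMs) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps (ms) of recent accepted hits
  }
  allow(key, nowMs) {
    const recent = (this.hits.get(key) || []).filter((t) => nowMs - t < this.windowMs);
    const ok = recent.length < this.limit;
    if (ok) recent.push(nowMs);
    this.hits.set(key, recent);
    return ok;
  }
}

// Parse one constructed access-log line: "<epoch-ms> <ip> <user-or-dash> <status> <path>".
function parseLine(line) {
  const [ts, ip, user, status, path] = line.trim().split(/\s+/);
  return { ts: Number(ts), ip, user: user === "-" ? null : user, status: Number(status), path };
}

// Burst detector: alert the first time a source reaches `threshold` 4xx responses
// within `windowMs`. Returns Map<ip, index of the event that triggered the alert>.
function detect4xxBursts(events, { windowMs = 60_000, threshold = 20 } = {}) {
  const perIp = new Map();
  const alerts = new Map();
  events.forEach((e, i) => {
    if (e.status < 400 || e.status > 499) return;
    const recent = (perIp.get(e.ip) || []).filter((t) => e.ts - t < windowMs);
    recent.push(e.ts);
    perIp.set(e.ip, recent);
    if (recent.length >= threshold && !alerts.has(e.ip)) alerts.set(e.ip, i);
  });
  return alerts;
}

// Convenience wrapper: run the detector over raw log text.
function alertsFromLog(text, opts) {
  return detect4xxBursts(text.trim().split("\n").map(parseLine), opts);
}

// Constructed log: one source walks /api/orders/1001.. and collects 404/403s.
const SAMPLE_LOG = `
1700000000000 203.0.113.9 - 404 /api/orders/1001
1700000000300 203.0.113.9 - 404 /api/orders/1002
1700000000600 203.0.113.9 - 403 /api/orders/1003
1700000000900 203.0.113.9 - 404 /api/orders/1004
1700000001200 198.51.100.4 u17 200 /api/orders/1003
`;

// Simulate `attempts` sequential ID guesses from one IP, `intervalMs` apart, optionally
// behind a per-IP edge limiter. Reports how many guesses reached the app in total, at which
// attempt the detector would alert, and how many guesses had reached the app by then.
function simulateEnumeration({ attempts, intervalMs, limiter = null, detector = {} }) {
  const ip = "198.51.100.7"; // constructed attacker address (TEST-NET-2)
  const events = [];
  let served = 0;
  for (let i = 0; i < attempts; i++) {
    const ts = i * intervalMs;
    const id = 1000 + i;
    let status;
    if (limiter && !limiter.allow(ip, ts)) {
      status = 429; // edge rejects; the app never sees the request
    } else {
      served++;
      status = id % 100 === 0 ? 200 : 404; // constructed: one real object per 100 guesses
    }
    events.push({ ts, ip, user: null, status, path: `/api/orders/${id}` });
  }
  const alerts = detect4xxBursts(events, detector);
  const alertIdx = alerts.has(ip) ? alerts.get(ip) : null;
  return {
    served,
    alertedAtAttempt: alertIdx === null ? null : alertIdx + 1,
    servedBeforeAlert:
      alertIdx === null ? null : events.slice(0, alertIdx + 1).filter((e) => e.status !== 429).length,
  };
}

// The three postures from the page, at five guesses per second for 200 seconds.
function compareDefenses() {
  const common = { attempts: 1000, intervalMs: 200 };
  return {
    nothing: simulateEnumeration({ ...common, detector: { threshold: Infinity } }),
    monitoringOnly: simulateEnumeration({ ...common, detector: { threshold: 20, windowMs: 60_000 } }),
    edgeLimitAndMonitoring: simulateEnumeration({
      ...common,
      limiter: new SlidingWindowLimiter(10, 10_000), // 10 requests per IP per 10 s
      detector: { threshold: 20, windowMs: 60_000 },
    }),
  };
}
```

With these numbers, no defense serves all 1,000 guesses and never alerts; monitoring alone alerts at the 21st guess but has already served 21; the edge limit in front of it caps the attacker at 10 served guesses per 10 seconds (200 of 1,000 in total) and only 10 have reached the app when the alert fires. Note that the detector counts the edge's 429s as 4xx too, which is only valid when edge logs and app logs feed the same rule; if they do not, the threshold has to be tuned on app-side 403/404s alone.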
