One more question: you suggest rate limiters.
What is the best way to implement these? Clearly writing your own could have some pitfalls. Does Apache or Tomcat or Rails (or whatever) have tools we can just turn on to achieve this? Is this something we can configure in AWS?
I suggest rate-limiter-flexible for NodeJS servers. I've never worked with Apache specifically, I've just treated it like a go-to LAMP webserver, but I googled it and here's what I found.
Here's the AWS default approach.
The best way (IMHO) is to treat these issues at the infrastructure level rather than the application level. Check projects such as Ambassador, Kong, Istio, Linkerd. And it's not just rate limiting, it's all kinds of policies, security, circuit-breakers, canary deployments, etc.