diff --git a/backend/package.json b/backend/package.json
index ed4077b..75cf1b5 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -15,6 +15,7 @@
 "dotenv": "^16.3.1",
 "express": "^4.18.2",
 "express-bearer-token": "^2.4.0",
+ "express-rate-limit": "^7.1.1",
 "helmet": "^5.1.1",
 "lodash": "^4.17.21",
 "lowdb": "^1.0.0",
diff --git a/backend/routes/auth.js b/backend/routes/auth.js
index 890b8e1..0b3bbb8 100644
--- a/backend/routes/auth.js
+++ b/backend/routes/auth.js
@@ -1,8 +1,15 @@
 import express from "express";
+import rateLimit from "express-rate-limit"
 const router = express.Router();
 import * as auth from "../services/auth.js";
+const loginLimiter = rateLimit({
+ windowMs: 15 * 60 * 1000, // 15 minutes
+ max: 5, // limit each IP to 5 requests per windowMs
+ message: "Too many login attempts, please try again in 15 minutes.",
+});
+
 router.get("/login", async function (req, res) {
 if (process.env.ZU_DISABLE_AUTH === "true") {
 res.send({ enabled: false });
@@ -11,9 +18,10 @@ router.get("/login", async function (req, res) {
 }
 });
-router.post("/login", async function (req, res) {
+router.post("/login", loginLimiter, async function (req, res) {
 if (req.body.username && req.body.password) {
 auth.authorize(req.body.username, req.body.password, function (err, user) {
+ console.log(err.message)
 if (user) {
 res.send({ token: user["token"] });
 } else {
diff --git a/yarn.lock b/yarn.lock
index 402ea2d..4ca548d 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2020,6 +2020,7 @@ __metadata:
 eslint-plugin-unicorn: "npm:^48.0.1"
 express: "npm:^4.18.2"
 express-bearer-token: "npm:^2.4.0"
+ express-rate-limit: "npm:^7.1.1"
 helmet: "npm:^5.1.1"
 lodash: "npm:^4.17.21"
 lowdb: "npm:^1.0.0"
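Review bot: `loginLimiter` keys on the client IP with no `keyGenerator`, so if this backend runs behind a reverse proxy or load balancer every user shares the proxy's address and five failed attempts by anyone lock everyone out of `/login` for 15 minutes, unless Express is told to trust the proxy (`app.set("trust proxy", 1)` where the app is created, which is outside this hunk); express-rate-limit 7 also emits a validation warning at runtime when an `X-Forwarded-For` header arrives with trust proxy unset. The window counts successful logins as well, so a user who signs in a few times legitimately is then throttled; `skipSuccessfulRequests: true` keeps the budget for failures only. A per-IP limit does not on its own stop distributed credential stuffing against a single account, so a per-username counter or lockout inside `auth.authorize` is still worth considering. The new `import rateLimit from "express-rate-limit"` line is also missing its trailing semicolon, unlike the other imports in the file.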
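Review bot: `console.log(err.message)` in the `auth.authorize` callback dereferences `err` unconditionally, including on the success path where `err` is presumably `null` or `undefined`, so a correct login would throw a TypeError inside the callback instead of reaching `res.send({ token: ... })`; guard it, `if (err) console.error(err.message);`. Using `console.error` rather than `console.log` also keeps login failures out of normal stdout, and the added statement lacks the semicolon the surrounding code uses. The body of the `router.post("/login", ...)` handler continues past the end of the hunk, so the `else` branch that answers a failed login is not visible here.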
@@ -4005,6 +4006,15 @@ __metadata:
 languageName: node
 linkType: hard
+"express-rate-limit@npm:^7.1.1":
+ version: 7.1.1
+ resolution: "express-rate-limit@npm:7.1.1"
+ peerDependencies:
+ express: ^4 || ^5
+ checksum: 28fc48e25e52b269a37a9e223fcd2a234022466645737c182eec2d2a72fdfdb42a396738a062924ee37ff56719957ae0ef092cfde510ba34b63d554ce094f6ba
+ languageName: node
+ linkType: hard
+
 "express@npm:^4.18.2":
 version: 4.18.2
 resolution: "express@npm:4.18.2"