Add rate limiting to mitigate bot-triggered autoscaling #57

@GeneralJerel

Summary

Render logs from 2026-03-26 show automated scraping from a single IP (178.22.106.230) causing burst traffic patterns that likely triggered the autoscaler to scale up to 2 instances on March 25.

Evidence

  • Spoofed user-agent: Claims Chrome 130 on Nexus 5 / Android 6.0 — a 2013 device on an unsupported OS. Almost certainly a bot.
  • Burst pattern: ~13 requests in 10 seconds, then ~20+ requests in 2 minutes from the same IP.
  • Autoscale event: Render scaled from 1 → 2 instances on March 25 at 3:39 PM, likely triggered by similar burst traffic.
  • Additional scanner traffic observed from Censys (CensysInspect/1.1) and two IPs with identical unusual user-agents (Firefox 120 on 32-bit Linux).

Impact

  • Unnecessary autoscaling costs on Render Starter plan
  • No actual performance or availability issue — response times remained 3-15ms

Suggested mitigations

  • Add rate limiting (e.g., Render's built-in rate limiting, or Cloudflare in front)
  • Consider bot detection / user-agent filtering for obviously spoofed clients
  • Review Render autoscaling thresholds to avoid scaling on low-volume bot bursts
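
One way to implement the first suggested mitigation in application code, as an added example that is not part of the original issue or the project's code: a per-IP sliding-window limiter with a short burst window and a longer sustained window, replayed over constructed traffic shaped like the two bursts listed under Evidence. The limits, IP addresses, and function names are assumptions.

```python
from collections import defaultdict, deque

# Assumed limits, not values from the issue: (window_seconds, max_requests) per IP.
LIMITS = ((10, 8), (120, 15))


class SlidingWindowLimiter:
    """Sliding-window-log limiter that enforces several windows per client."""

    def __init__(self, limits=LIMITS):
        self.limits = limits
        self.horizon = max(window for window, _ in limits)
        self.hits = defaultdict(deque)  # client -> timestamps of accepted requests

    def allow(self, client, now):
        """Return (allowed, retry_after_seconds) for a request seen at `now`."""
        q = self.hits[client]
        while q and q[0] <= now - self.horizon:
            q.popleft()  # older than the longest window, no longer relevant
        retry_after = 0.0
        for window, limit in self.limits:
            recent = [t for t in q if t > now - window]
            if len(recent) >= limit:
                # A slot frees up once the oldest excess hit leaves this window.
                freed_at = recent[len(recent) - limit] + window
                retry_after = max(retry_after, freed_at - now)
        if retry_after > 0:
            return False, retry_after  # caller would answer 429 with Retry-After
        q.append(now)
        return True, 0.0


def constructed_trace():
    """Constructed traffic shaped like the issue's bursts; IPs are documentation ranges."""
    bot, user = "203.0.113.7", "198.51.100.20"
    trace = [(0.75 * i, bot) for i in range(13)]     # 13 requests in ~10 s
    trace += [(12 + 6 * i, bot) for i in range(20)]  # 20 requests in ~2 min
    trace += [(30 * i, user) for i in range(5)]      # ordinary visitor
    return sorted(trace)


def replay(trace, limiter=None):
    """Feed (timestamp, ip) pairs through the limiter; return {ip: [allowed, denied]}."""
    limiter = limiter or SlidingWindowLimiter()
    totals = defaultdict(lambda: [0, 0])
    for now, ip in trace:
        allowed, _ = limiter.allow(ip, now)
        totals[ip][0 if allowed else 1] += 1
    return dict(totals)
```

Only accepted requests are recorded, so a client that keeps retrying while blocked does not extend its own block; the same state is per process, so with more than one instance the counters would need a shared store.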
