In addition to controlling which URLs a client can access, you can control how often. This can be especially important to preventing scouting and brute force password attacks.
|If a client is not really interested in actually receiving a response and/or attempting to authenticate or connecting, but is simply attempting to consume resources in order to deprive legitimate clients, consider more than simple HTTP-layer rate limiting. For details, seeDoS prevention.|
If you need to restrict access as well as rate limiting, you can do both at the same time. For details, see Combination access control & rate limiting.