In addition to controlling which URLs a client can access, you can control how often it can access them. This can be especially important for preventing scouting and brute force password attacks.
If a client is not actually interested in receiving a response, authenticating, or connecting, but is simply attempting to consume resources in order to deprive legitimate clients, consider more than simple HTTP-layer rate limiting. For details, see DoS prevention.
If you need to restrict access as well as limit the rate of requests, you can do both at the same time. For details, see Combination access control & rate limiting.