Rate limiting in web apps: what to protect before picking a library

Before you install any rate limiting middleware in Next.js, you need to define what asset you're protecting, what abuse you're expecting, and what a false positive actually costs you. The library is the last decision. The policy is the first.