The OP server limits each origin to MAX_INDEXING_REQUESTS (10) indexing requests per 60-second window.
Rate limit exceeded
What it tries to do: Fire 11 rapid indexing requests from the same origin, exceeding the per-origin limit.
Trigger:
Promise.all(Array.from({length: 11}, () => fetch('https://octothorp.es/index?uri=...')))
Expected defense: The 11th request returns "Rate limit exceeded. Please try again later."
Warning: Running this attack consumes demo.ideastore.dev’s rate-limit budget for the next 60 seconds. Other defense demos clicked within that window will also return 429 — that is the rate limit working, not their specific defenses failing.
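A per-origin limiter with the behaviour described above, as an added example that is not the OP server's own code. The fixed-window strategy, the retryAfter field, the 'ok' body, the https origin strings and every name except MAX_INDEXING_REQUESTS are assumptions; the simulated requests are constructed.

```javascript
// Added example: per-origin fixed-window limiter. The window strategy and all
// names except MAX_INDEXING_REQUESTS are assumptions, not the OP server's code.
const MAX_INDEXING_REQUESTS = 10;
const WINDOW_MS = 60_000;

function createIndexingLimiter(now = () => Date.now()) {
  const windows = new Map(); // origin -> { start, count }

  return function check(origin) {
    const t = now();
    let w = windows.get(origin);
    // Start a fresh window on first sight or once the previous one has expired.
    if (!w || t - w.start >= WINDOW_MS) {
      w = { start: t, count: 0 };
      windows.set(origin, w);
    }
    if (w.count >= MAX_INDEXING_REQUESTS) {
      // Seconds until this origin's window rolls over (assumed response field).
      const retryAfter = Math.ceil((w.start + WINDOW_MS - t) / 1000);
      return { status: 429, retryAfter, body: 'Rate limit exceeded. Please try again later.' };
    }
    w.count += 1;
    return { status: 200, retryAfter: 0, body: 'ok' };
  };
}

// Constructed scenario with an injectable clock, so it runs offline.
function simulate() {
  let clock = 0;
  const check = createIndexingLimiter(() => clock);
  const demo = 'https://demo.ideastore.dev';
  const burst = Array.from({ length: 11 }, () => check(demo).status);
  clock = 30_000;
  const otherDemoSameOrigin = check(demo);          // still inside the window
  const otherOrigin = check('https://example.org'); // separate budget
  clock = 60_000;
  const afterWindow = check(demo);                  // window has rolled over
  return { burst, otherDemoSameOrigin, otherOrigin, afterWindow };
}
```

The Map in this sketch keeps one entry per origin ever seen, so a long-running deployment would also need to evict expired windows.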