diff --git a/server/api/index.js b/server/api/index.js
index 59c0746b5..04b252b33 100644
--- a/server/api/index.js
+++ b/server/api/index.js
@@ -6,6 +6,7 @@ const fs = require('fs');
 var express = require('express');
 var bodyParser = require('body-parser');
 var authJwt = require('./jwt-helper');
+const rateLimit = require("express-rate-limit");
 var prjApi = require('./projects');
 var authApi = require('./auth');
@@ -40,6 +41,14 @@ function init(_server, _runtime) {
     pluginsApi.init(runtime, authJwt.verifyToken, verifyGroups);
     apiApp.use(pluginsApi.app());
+    const limiter = rateLimit({
+        windowMs: 5 * 60 * 1000, // 5 minutes
+        max: 100 // limit each IP to 100 requests per windowMs
+    });
+    // apply to all requests
+    apiApp.use(limiter);
     /**
      * GET Server setting data
      */
diff --git a/server/package.json b/server/package.json
index 667a002c2..851ebcc15 100644
--- a/server/package.json
+++ b/server/package.json
@@ -23,6 +23,7 @@
     "bluebird": "^3.5.3",
     "body-parser": "^1.18.3",
     "express": "4.16.4",
+    "express-rate-limit": "^5.5.0",
     "fs-extra": "^7.0.1",
     "ip": "^1.1.5",
     "jsonwebtoken": "^8.5.1",
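Review bot: `apiApp.use(limiter)` is registered after `apiApp.use(pluginsApi.app())` — and, if the `prjApi`/`authApi` routers required at the top are mounted earlier in `init` as their position suggests, after those as well — so Express's registration-order dispatch means any request those routers already answer (including whatever authentication endpoints they expose) is never counted or limited, despite the `// apply to all requests` comment. The `const limiter` block should move to the top of `init`, ahead of the first `apiApp.use(...)`, so the limiter runs before every router. express-rate-limit keys on `req.ip`, so behind a reverse proxy all clients collapse onto the proxy's address unless the `trust proxy` setting is configured; a comment such as `// NOTE: set 'trust proxy' when deployed behind a proxy, otherwise the limit is per proxy rather than per client` would save the next maintainer a surprise. The new require also uses `const` and double quotes where the neighbouring lines use `var` and single quotes; `var rateLimit = require('express-rate-limit');` would match the file. `init` starts and ends outside the hunk.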