Exposing our APIs to the public internet requires aggressive, multi-layered defensive measures. To protect against Layer 7 (application-layer) attacks such as SQL injection and Cross-Site Scripting, we have deployed an intelligent Web Application Firewall (WAF) at our edge. Furthermore, to preserve application scalability and blunt volumetric DDoS attacks and brute-force bot scraping, we have implemented strict API rate limiting. Using a token-bucket algorithm keyed on the user's JWT and IP address, we throttle excessive requests and automatically return 429 Too Many Requests errors to malicious actors before they ever reach our application servers.
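As an added illustration of the rate-limiting layer described above (this is example code, not the poster's own implementation), the following Python sketch keeps one token bucket per (JWT subject, client IP) pair and answers 429 with a Retry-After header once a bucket is drained. The burst capacity and refill rate are constructed values, the subject is assumed to live in the standard `sub` claim, and the JWT is assumed to have been signature-verified by the gateway before its claims reach this code; the sample request stream at the bottom is likewise constructed.

```python
import math
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed limits for the example: a burst of 5 requests, refilled at 1 token/second.
DEFAULT_CAPACITY = 5.0
DEFAULT_REFILL_PER_SEC = 1.0


@dataclass
class TokenBucket:
    """Classic token bucket: tokens accrue at refill_rate, capped at capacity."""
    capacity: float
    refill_rate: float
    tokens: float
    last_refill: float

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.last_refill)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_rate)
        self.last_refill = now

    def try_consume(self, now: float, cost: float = 1.0) -> bool:
        """Refill for elapsed time, then spend `cost` tokens if available."""
        self._refill(now)
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False

    def seconds_until(self, cost: float = 1.0) -> float:
        """Time until `cost` tokens will be available again (0 if already are)."""
        deficit = cost - self.tokens
        return 0.0 if deficit <= 0 else deficit / self.refill_rate


class EdgeRateLimiter:
    """Per-(subject, ip) token buckets, as an edge component would hold in memory."""

    def __init__(self, capacity: float = DEFAULT_CAPACITY,
                 refill_rate: float = DEFAULT_REFILL_PER_SEC, clock=time.monotonic):
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.clock = clock  # injectable so the example is deterministic
        self.buckets: Dict[Tuple[str, str], TokenBucket] = {}

    @staticmethod
    def bucket_key(jwt_claims: Optional[dict], client_ip: str) -> Tuple[str, str]:
        # Assumption: the JWT was already verified upstream; only the `sub` claim is read here.
        # Unauthenticated callers share an "anonymous" bucket per source IP.
        subject = (jwt_claims or {}).get("sub", "anonymous")
        return (subject, client_ip)

    def check(self, jwt_claims: Optional[dict], client_ip: str,
              now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
        """Return (status, headers): 200 to forward the request, 429 to reject it at the edge."""
        now = self.clock() if now is None else now
        key = self.bucket_key(jwt_claims, client_ip)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = TokenBucket(self.capacity, self.refill_rate, self.capacity, now)
            self.buckets[key] = bucket
        if bucket.try_consume(now):
            return 200, {"X-RateLimit-Remaining": str(int(bucket.tokens))}
        retry_after = math.ceil(bucket.seconds_until())
        return 429, {"Retry-After": str(retry_after), "X-RateLimit-Remaining": "0"}


def simulate(requests: List[Tuple[float, Optional[dict], str]],
             limiter: Optional[EdgeRateLimiter] = None) -> List[int]:
    """Replay (timestamp, claims, ip) tuples and return the status code decided for each."""
    limiter = limiter or EdgeRateLimiter(clock=lambda: 0.0)
    return [limiter.check(claims, ip, now=t)[0] for t, claims, ip in requests]


# Constructed request stream (documentation IP ranges, made-up subject).
CONSTRUCTED_REQUESTS = (
    [(0.0, {"sub": "user-42"}, "198.51.100.7")] * 6   # burst of 6 at t=0: 5 pass, 1 rejected
    + [(2.0, {"sub": "user-42"}, "198.51.100.7")] * 3  # 2s later only 2 tokens refilled
    + [(2.0, {"sub": "user-42"}, "203.0.113.9")]       # same user from another IP: own bucket
    + [(2.0, None, "198.51.100.7")]                    # no JWT from the first IP: anonymous bucket
)

if __name__ == "__main__":
    for req, status in zip(CONSTRUCTED_REQUESTS, simulate(CONSTRUCTED_REQUESTS)):
        print(f"t={req[0]:>4} key={EdgeRateLimiter.bucket_key(req[1], req[2])} -> {status}")
```

Keying on both the subject and the source IP means a stolen token replayed from a new network gets its own, separately throttled bucket rather than drawing down the legitimate user's allowance, while unauthenticated traffic is still bounded per source. In a multi-node edge the bucket state would live in a shared store rather than a process-local dict, but the consume and refill arithmetic is unchanged.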