diff --git a/backend/package.json b/backend/package.json
index 38e15b8b..3922e0eb 100644
--- a/backend/package.json
+++ b/backend/package.json
@@ -18,6 +18,7 @@
 "cors": "^2.8.5",
 "dotenv": "^16.4.5",
 "express": "^4.21.1",
+ "express-rate-limit": "^7.5.1",
 "express-session": "^1.18.1",
 "mongoose": "^8.8.2",
 "passport": "^0.7.0",
diff --git a/backend/server.js b/backend/server.js
index 3f19f00b..a72a9ff1 100644
--- a/backend/server.js
+++ b/backend/server.js
@@ -3,6 +3,7 @@
 const mongoose = require('mongoose');
 const session = require('express-session');
 const passport = require('passport');
 const bodyParser = require('body-parser');
+const rateLimit = require('express-rate-limit');
 require('dotenv').config();
 const cors = require('cors');
@@ -24,6 +25,19 @@ app.use(session({
 app.use(passport.initialize());
 app.use(passport.session());
+// Rate limiting — 10 attempts per 15-minute window per IP on auth endpoints
+const authLimiter = rateLimit({
+  windowMs: 15 * 60 * 1000,
+  max: 10,
+  standardHeaders: true,
+  legacyHeaders: false,
+  message: { message: 'Too many attempts, please try again after 15 minutes.' },
+  skipSuccessfulRequests: true,
+});
+
+app.use('/api/auth/login', authLimiter);
+app.use('/api/auth/signup', authLimiter);
+
 // Routes
 const authRoutes = require('./routes/auth');
 app.use('/api/auth', authRoutes);
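Review bot: `skipSuccessfulRequests: true` means only failed responses count toward the limit, so the comment "10 attempts per 15-minute window" overstates what `authLimiter` enforces, and on `/api/auth/signup` — where the expected outcome is success — a burst of account creations from one address is never throttled at all. Keeping that option for login (so a legitimate user is not locked out by their own successful sign-ins) but giving signup its own limiter that counts every request closes the gap; a sketch follows. Two things outside the hunk are worth confirming: the limiter keys on `req.ip`, so behind a reverse proxy `app.set('trust proxy', …)` has to be configured correctly or every client collapses onto the proxy's address (express-rate-limit v7 warns about this at startup), and the default in-memory store is per-process, so counts are neither shared across instances nor kept across restarts. Note also that the limiter is mounted after the session middleware, so the session lookup still runs for requests that are about to be rejected with 429; mounting it before `app.use(session(...))` avoids that work.
```javascript
// … unchanged: authLimiter (login) definition …

// Sign-ups succeed by design, so count every request here: with
// skipSuccessfulRequests a run of valid registrations is never throttled.
const signupLimiter = rateLimit({
  windowMs: 15 * 60 * 1000,
  max: 10,
  standardHeaders: true,
  legacyHeaders: false,
  message: { message: 'Too many attempts, please try again after 15 minutes.' },
});

app.use('/api/auth/login', authLimiter);
app.use('/api/auth/signup', signupLimiter);
```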