diff --git a/create-a-container/server.js b/create-a-container/server.js
index b36ad094..1973c0e7 100644
--- a/create-a-container/server.js
+++ b/create-a-container/server.js
@@ -90,13 +90,16 @@ async function main() {
 });
 app.use(express.static('public'));
- // We rate limit unsucessful (4xx/5xx statuses) to only 10 per 5 minutes, this
+ // We rate limit unsuccessful (4xx/5xx statuses, excluding 404) to only 10 per 5 minutes, this
 // should allow legitimate users a few tries to login or experiment without
- // allowing bad-actors to abuse requests.
+ // allowing bad-actors to abuse requests. 404s are excluded because browsers
+ // (especially Safari) automatically request favicon/apple-touch-icon paths that
+ // don't exist, and those harmless misses should not burn the rate-limit budget.
 app.use(RateLimit({
 windowMs: 5 * 60 * 1000,
 max: 10,
 skipSuccessfulRequests: true,
+ requestWasSuccessful: (req, res) => res.statusCode < 400 || res.statusCode === 404,
 }));
 // Set version info once at startup in app.locals
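Review bot: Counting every 404 as a successful request on the added `requestWasSuccessful` line removes the limiter's protection against path probing: a client scanning for unpublished routes or files receives only 404s, so none of those misses count toward the 10-per-5-minute budget, which is exactly the "bad-actors" case the comment says the limiter exists for. A narrower fix keeps that coverage while still ignoring the browser icon requests the comment names — skip by path rather than by status, e.g. `skip: (req) => /^\/(favicon\.ico|apple-touch-icon(-precomposed)?\.png)$/.test(req.path),` in place of the `requestWasSuccessful` override (or simply ship those icons in `public` so they stop 404ing). If any of the app's auth or lookup handlers answer 404 rather than 401/403 for unknown or forbidden resources — not visible in this hunk — those failures would also escape the limiter as written, so that is worth confirming before merging. The enclosing `main()` function starts and ends outside the hunk.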