Rodrigo Mansueli thanks I appreciate your reply. I've instead set up insert/update rate limiting as above and an IP deny list which is checked during the pre-request. I've got some simple logs to monitor request methods per IP and might try and implement some kind of alerting so I can then add those IPs to the denylist if needed. Would be nice it was possible to trigger this via the logging mechanisms automatically

Oh, and thank you for your excellent article! Hoping this can be used to protect my prod DB from abuse

I'm curious- you say it isn't a great idea to rate limit GET requests using this strategy - but then what's to stop someone ddos-ing you (making many repeated requests to the db) simply by selected data frequently?