Technical Mid Level

How do you implement rate limiting in Symfony? Discuss the RateLimiter component and strategies for different use cases.

Quick Tip

Show practical implementation: "I define a fixed_window limiter for login attempts — 5 per minute per IP. The controller injects the factory, calls consume(), and throws a TooManyRequestsHttpException with Retry-After header if the limit is hit."

What good answers include

Symfony's RateLimiter component provides fixed window, sliding window and token bucket policies. Configure limiters in framework.yaml under the rate_limiter key, defining the policy, limit, and interval for each one. Inject the limiter factory (for example with #[Autowire]), create a limiter for the client's key, then call consume() to check and enforce the limit. Use cases: login attempts (prevent brute force), API endpoints (throttle per API key), form submissions (prevent spam), and password reset requests (prevent email bombing). Strong candidates discuss: the different algorithms (token bucket allows bursts, sliding window is stricter), using the client IP versus the user ID as the limiter key, returning proper 429 responses with Retry-After headers, and storing limiter state in Redis for multi-server setups.
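A worked version of the login limiter described above, added here as an illustration rather than taken from the page or from Symfony's own sources. It assumes Symfony 6.4 or later, a limiter named "login" configured as in the comment at the top (so the factory is autowirable as $loginLimiter), and a controller that handles the login POST itself:

```php
<?php
// Assumed config/packages/framework.yaml (matches the quick tip: 5 attempts per minute):
// framework:
//     rate_limiter:
//         login:
//             policy: fixed_window      # alternatives: sliding_window, token_bucket
//             limit: 5
//             interval: '1 minute'
//             cache_pool: cache.app     # point this at a Redis-backed pool for multi-server setups

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Exception\TooManyRequestsHttpException;
use Symfony\Component\RateLimiter\RateLimiterFactory;
use Symfony\Component\Routing\Attribute\Route;

final class LoginController extends AbstractController
{
    // The "login" limiter is registered as service "limiter.login" and is autowired
    // by argument name; #[Autowire(service: 'limiter.login')] is the explicit form.
    public function __construct(private readonly RateLimiterFactory $loginLimiter)
    {
    }

    #[Route('/login', name: 'app_login', methods: ['POST'])]
    public function login(Request $request): Response
    {
        // Key the bucket on the client IP: one client cannot exhaust another's quota,
        // but clients behind a shared NAT share one bucket (the trade-off versus a
        // per-username key, which instead lets an attacker lock a victim out).
        $limiter = $this->loginLimiter->create($request->getClientIp() ?? 'unknown');
        $limit = $limiter->consume(1);

        if (!$limit->isAccepted()) {
            // 429 with a Retry-After header (seconds) so well-behaved clients back off.
            $retryAfter = max(1, $limit->getRetryAfter()->getTimestamp() - time());
            throw new TooManyRequestsHttpException($retryAfter, 'Too many login attempts.');
        }

        // Authenticate here. On a successful login, $limiter->reset() clears the
        // window so a legitimate user is not penalised by earlier typos.
        $response = new Response('Login attempt processed');
        $response->headers->set('X-RateLimit-Remaining', (string) $limit->getRemainingTokens());

        return $response;
    }
}
```

Because each attempt consumes a token before credentials are checked, failed and successful logins count alike, which is what stops a brute-force loop from probing indefinitely.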

What interviewers are looking for

Tests security-aware development. Candidates who do not rate limit sensitive endpoints leave applications vulnerable to brute force and abuse. Those who understand different algorithms and choose the right one for each use case build secure systems.
