diff --git a/salt/salt/nginx/nginx.conf.jinja2 b/salt/salt/nginx/nginx.conf.jinja2
index f938a58..493fd01 100644
--- a/salt/salt/nginx/nginx.conf.jinja2
+++ b/salt/salt/nginx/nginx.conf.jinja2
@@ -29,6 +29,10 @@ http {
 sendfile on;
 {% endif %}
+ # define a rate-limiting zone to use, and return HTTP 429 if exceeded
+ limit_req_zone $binary_remote_addr zone=tildes_app:10m rate=4r/s;
+ limit_req_status 429;
+
 keepalive_timeout 65;
 # redirect non-https accesses to the https version
diff --git a/salt/salt/nginx/tildes.conf.jinja2 b/salt/salt/nginx/tildes.conf.jinja2
index e421b6c..5b383a6 100644
--- a/salt/salt/nginx/tildes.conf.jinja2
+++ b/salt/salt/nginx/tildes.conf.jinja2
@@ -73,6 +73,9 @@ server {
 }
 location @proxy_to_app {
+ # apply rate-limiting, allowing a burst above the limit
+ limit_req zone=tildes_app burst=5 nodelay;
+
 # Cornice adds the X-Content-Type-Options header, so it will end up
 # being duplicated since nginx is also configured to send it (above).
 # It's better to drop the header coming from Gunicorn here than to
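Review bot: `limit_req_zone` keys on `$binary_remote_addr`, which is the address of the TCP peer, so if this nginx ever sits behind a load balancer or CDN every request carries the same key and the 4r/s budget is shared by the whole site rather than enforced per client. Whether anything is in front is not visible in this hunk; if there is, the `real_ip` module (`set_real_ip_from` / `real_ip_header`) needs to be configured before this key is meaningful, and that dependency is worth a comment next to the zone definition. For detection it would also help to add `limit_req_log_level warn;` beside `limit_req_status 429;`, since rejections are logged at `error` level by default and would otherwise blend into genuine errors. The `http` block continues outside the hunk.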
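Review bot: The comment above `limit_req zone=tildes_app burst=5 nodelay;` should state what the directive actually does, because `burst` with `nodelay` is easy to misread as queuing: up to 5 requests above the 4r/s rate are forwarded immediately, and anything beyond that is answered with 429 until the bucket drains. Suggest `# let up to 5 requests above the 4r/s limit through immediately; reject the rest with 429`. It is also worth noting in the comment that only requests reaching this named location (those proxied to the app) are limited, while anything nginx serves directly is unaffected, since that appears intentional but is not obvious from the hunk. Nginx's 429 response carries no `Retry-After` header, so well-behaved clients get no hint of when to retry; consider whether that matters for API consumers. The `location @proxy_to_app` block continues past the hunk.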