diff --git a/node_modules/connect-architect/connect.session/session-ext.js b/node_modules/connect-architect/connect.session/session-ext.js
index 367125a8..3b8fc9e9 100644
--- a/node_modules/connect-architect/connect.session/session-ext.js
+++ b/node_modules/connect-architect/connect.session/session-ext.js
@@ -1,5 +1,6 @@
 var Session = require("connect").session;
 var assert = require("assert");
+var error = require("http-error");
 module.exports = function startup(options, imports, register) {
@@ -29,6 +30,15 @@ module.exports = function startup(options, imports, register) {
     var sessionRoutes = connectModule();
     connect.useSession(sessionRoutes);
+
+    sessionRoutes.use(
+        function(req, res, next) {
+            if (/^\/geckolala\//.test(req.url))
+                return next(new error.TooManyRequests("Rate limit exceeded"));
+            next();
+        }
+    );
+
     sessionRoutes.use(Session(sessionOptions, cookie));
     register(null, {
diff --git a/plugins/c9.preview/preview.js b/plugins/c9.preview/preview.js
index 0f2c1a98..657df128 100644
--- a/plugins/c9.preview/preview.js
+++ b/plugins/c9.preview/preview.js
@@ -20,7 +20,7 @@ define(function(require, exports, module) {
     var handler = imports["preview.handler"];
     var userContent = imports["user-content.redirect"];
     var getVfsServers = imports["vfs.serverlist"].getServers;
-    
+    var ratelimit = require("c9/ratelimit");
     var frontdoor = require("frontdoor");
     var error = require("http-error");
@@ -52,6 +52,7 @@ define(function(require, exports, module) {
     }, [
         requestTimeout(15*60*1000),
         require("./lib/middleware/sanitize-path-param"),
+        ratelimit("username", 20 * 1000, 1000),
         handler.getProjectSession(),
         handler.getRole(db),
         handler.getProxyUrl(function() {
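Review bot: The middleware added in front of `Session(...)` is not a rate limiter but an unconditional block of one path prefix answered with a 429, and `/^\/geckolala\//.test(req.url)` on the raw URL is easy to sidestep — `/geckolala` with no trailing slash, `//geckolala/`, a percent-encoded letter or a different case all pass — while the message "Rate limit exceeded" hides that this is a manual ban. If the intent is to wall off that prefix, match the parsed, lowercased path and tolerate a missing trailing slash: `var pathname = (require("url").parse(req.url).pathname || "").toLowerCase();` / `if (/^\/geckolala(\/|$)/.test(pathname))` / `return next(new error.TooManyRequests("Rate limit exceeded"));`; a percent-encoded name would additionally need `decodeURIComponent` inside a try/catch before the test. The literal looks like a specific user or project name and should come from configuration rather than being hard-coded. This file lives under `node_modules/`, so the change is discarded on the next install and the block belongs in the application's own middleware stack; the enclosing `startup` body continues outside the hunk. A comment above the `use` such as `// Manual block of one abusive path prefix; answers 429 so well-behaved clients back off` would make the intent explicit.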
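Review bot: `ratelimit("username", 20 * 1000, 1000)` leaves both numbers unexplained — nothing in the hunk says which one is the window and which the request budget — so the line needs a comment such as `// per-username limit: up to 1000 requests per 20 s window — confirm argument order against c9/ratelimit`. If `"username"` is the route parameter naming the previewed project's owner rather than the caller, the key is the victim's identity: one client can exhaust the budget for every legitimate visitor of that user's previews, while an attacker rotating across many usernames is never throttled, so a client-bound key (IP or session) is needed alongside it. Placing it before `handler.getProjectSession()` is the right spot, since rejected requests then skip the session and role lookups. The route definition and the middleware array it belongs to start outside the hunk.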