diff --git a/packages/backend/src/routers/confirm-email.js b/packages/backend/src/routers/confirm-email.js
index 39fda0698..023205cd3 100644
--- a/packages/backend/src/routers/confirm-email.js
+++ b/packages/backend/src/routers/confirm-email.js
@@ -34,6 +34,11 @@ router.post('/confirm-email', auth, express.json(), async (req, res, next)=>{
 if(!req.body.code) req.status(400).send('code is required');
+ const svc_edgeRateLimit = req.services.get('edge-rate-limit');
+ if ( ! svc_edgeRateLimit.check('confirm-email') ) {
+ return res.status(429).send('Too many requests.');
+ }
+
 // Modules
 const db = req.services.get('database').get(DB_WRITE, 'auth');
diff --git a/packages/backend/src/services/abuse-prevention/EdgeRateLimitService.js b/packages/backend/src/services/abuse-prevention/EdgeRateLimitService.js
index a272abc84..b30eb304a 100644
--- a/packages/backend/src/services/abuse-prevention/EdgeRateLimitService.js
+++ b/packages/backend/src/services/abuse-prevention/EdgeRateLimitService.js
@@ -23,6 +23,10 @@ class EdgeRateLimitService extends BaseService {
 limit: 10,
 window: HOUR,
 },
+ ['confirm-email']: {
+ limit: 10,
+ window: HOUR,
+ },
 ['send-pass-recovery-email']: {
 limit: 10,
 window: HOUR,
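Review bot: The new `['confirm-email']` entry carries no comment, and nothing in this hunk says what a hit of `limit: 10` per `HOUR` is counted against, while the router hunk calls `svc_edgeRateLimit.check('confirm-email')` with the key alone, so whether the budget is per client or shared by every caller of the route is not visible from either side of the change. If it is shared, one misbehaving client could exhaust it and lock every other user out of email confirmation for the rest of the window; if the service keys it per client internally, ten attempts per hour is a reasonable brake on repeated code submissions — the entry should say which. The string key must also stay identical to the one used in the router, and a mismatch would presumably only surface at runtime. A comment above the entry such as `// key must match the name passed to check() in routers/confirm-email.js; budget is <per-client|shared> — confirm` would capture both points. The enclosing config object and class continue outside the hunk.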