Description
In app/controllers/public_pages_controller.rb, subscription creation has no server-side rate limiting once the hCaptcha check passes. hCaptcha provides some protection but is not a substitute for rate limiting.
Recommendation
Implement rate limiting using rack-attack or similar middleware.
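One way to enforce such a limit, as an added example that is not the project's own code: a dependency-free Rack-style middleware that keeps a fixed-window counter per client IP. The class name, the `/subscriptions` route and the limit of 5 per hour are assumptions; rack-attack's `throttle` provides the same control backed by a shared cache store.

```ruby
# Added example: fixed-window throttle for subscription creation (no gems needed).
class SubscriptionThrottle
  LIMIT  = 5                  # assumed: max attempts per client per window
  PERIOD = 3600               # assumed: window length in seconds
  PATH   = "/subscriptions"   # hypothetical route; use the app's real create route

  # clock is injectable so the window logic can be tested deterministically.
  def initialize(app, clock: -> { Time.now.to_i })
    @app = app
    @clock = clock
    @counts = Hash.new(0)     # in-memory only; use a shared store across processes
    @lock = Mutex.new
  end

  def call(env)
    return @app.call(env) unless throttled_request?(env)

    now = @clock.call
    window = now / PERIOD
    # Behind a reverse proxy REMOTE_ADDR is the proxy; key on the trusted client IP.
    key = [env["REMOTE_ADDR"], window]
    count = @lock.synchronize do
      @counts.delete_if { |(_ip, w), _n| w < window }  # drop expired windows
      @counts[key] += 1
    end

    if count > LIMIT
      retry_after = ((window + 1) * PERIOD - now).to_s
      return [429, { "content-type" => "text/plain", "retry-after" => retry_after },
              ["Too many subscription requests\n"]]
    end
    @app.call(env)
  end

  private

  # Only the state-changing subscription request is counted.
  def throttled_request?(env)
    env["REQUEST_METHOD"] == "POST" && env["PATH_INFO"] == PATH
  end
end
```

The throttle runs in addition to the hCaptcha check, so a client that solves the captcha repeatedly is still capped.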
Severity
Medium