diff --git a/app/controllers/password_resets_controller.rb b/app/controllers/password_resets_controller.rb
index 202c54930..a98c1c733 100644
--- a/app/controllers/password_resets_controller.rb
+++ b/app/controllers/password_resets_controller.rb
@@ -3,6 +3,8 @@
 class PasswordResetsController < ApplicationController
   respond_to :html, :xml, :json
 
+  rate_limit :create, rate: 1.0/1.hour, burst: 3
+
   def create
     @user = User.find_by_name(params.dig(:user, :name))