Section
9.1.2
Sub Level
General
The application should make itself difficult to scan by requiring a valid session with each request and limiting the rate of requests for that session