diff --git a/backend/src/index.js b/backend/src/index.js
index e624a37..6aa838f 100644
--- a/backend/src/index.js
+++ b/backend/src/index.js
@@ -21,6 +21,8 @@ const PORT = process.env.PORT || 3000;
 const corsMiddleware = require('./middleware/cors');
 app.use(corsMiddleware);
+const rateLimitMiddleware = require('./middleware/rateLimit');
+app.use(rateLimitMiddleware);
 app.use(express.json());
 app.use(logger);
diff --git a/backend/src/middleware/rateLimit.js b/backend/src/middleware/rateLimit.js
new file mode 100644
index 0000000..53ffb61
--- /dev/null
+++ b/backend/src/middleware/rateLimit.js
@@ -0,0 +1,43 @@
+// 简单的请求频率限制中间件
+const rateLimit = {};
+
+const rateLimitMiddleware = (req, res, next) => {
+  const ip = req.ip || req.connection.remoteAddress;
+  const now = Date.now();
+  const windowMs = 60000; // 1分钟
+  const maxRequests = 100; // 每分钟最多100次
+
+  if (!rateLimit[ip]) {
+    rateLimit[ip] = { count: 1, resetTime: now + windowMs };
+    return next();
+  }
+
+  // 检查是否在时间窗口内
+  if (now > rateLimit[ip].resetTime) {
+    rateLimit[ip] = { count: 1, resetTime: now + windowMs };
+    return next();
+  }
+
+  // 检查请求次数
+  if (rateLimit[ip].count >= maxRequests) {
+    return res.status(429).json({
+      error: 'Too many requests',
+      retryAfter: Math.ceil((rateLimit[ip].resetTime - now) / 1000)
+    });
+  }
+
+  rateLimit[ip].count++;
+  next();
+};
+
+// 清理过期的记录(每5分钟)
+setInterval(() => {
+  const now = Date.now();
+  for (const ip in rateLimit) {
+    if (now > rateLimit[ip].resetTime) {
+      delete rateLimit[ip];
+    }
+  }
+}, 300000);
+
+module.exports = rateLimitMiddleware;
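Review bot: The limiter keys on `req.ip || req.connection.remoteAddress` in rateLimitMiddleware, so what it actually limits depends on Express's `trust proxy` setting, which this commit does not touch: with the default behind a reverse proxy every client collapses to the proxy's address and shares the single 100/min budget, while a too-broad trust setting makes a client-controlled X-Forwarded-For value the bucket key — worth a comment on the `ip` line such as `// bucket key is req.ip; correctness depends on app.set('trust proxy', …) in index.js` and a matching setting in the first hunk. `req.connection` is deprecated in Node; `req.socket` is the supported property. The store is a plain object indexed by that string, and a `Map` (or `Object.create(null)`) avoids prototype-key collisions and makes the sweep simpler. The `setInterval` at the end of the file is never `unref()`ed, so the timer keeps the process alive after shutdown and hangs any test runner that imports this module, and the 429 response puts `retryAfter` in the body but sends no `Retry-After` header, which is what clients and intermediaries honor. A sketch of the rewritten middleware and sweep follows.
```javascript
const rateLimit = new Map();

const rateLimitMiddleware = (req, res, next) => {
  // bucket key is req.ip; correctness depends on app.set('trust proxy', …) in index.js
  const ip = req.ip ?? req.socket?.remoteAddress ?? 'unknown';
  // … unchanged: now / windowMs / maxRequests …
  const entry = rateLimit.get(ip);
  if (!entry || now > entry.resetTime) {
    rateLimit.set(ip, { count: 1, resetTime: now + windowMs });
    return next();
  }
  if (entry.count >= maxRequests) {
    const retryAfter = Math.ceil((entry.resetTime - now) / 1000);
    res.set('Retry-After', String(retryAfter));
    return res.status(429).json({ error: 'Too many requests', retryAfter });
  }
  entry.count++;
  next();
};

// 清理过期的记录(每5分钟)
setInterval(() => {
  const now = Date.now();
  for (const [ip, entry] of rateLimit) {
    if (now > entry.resetTime) rateLimit.delete(ip);
  }
}, 300000).unref();
```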