Laravel 12 introduces an impressive new security feature: Response-Based Rate Limiting with the new after() hook.
The Problem: Traditional rate limiting restricts requests before execution. However, there are scenarios where limiting should be based on actual outcomes.
The Solution: With this new approach, the decision to count an attempt is made after the response is generated. This means only failed attempts, such as 404 errors or authentication failures, are counted against the user's limit, while successful requests leave it untouched.
Why This Matters:
- Prevents resource ID enumeration
- More effectively stops brute force attacks
- Ensures legitimate users are not penalized for valid requests
- Provides smarter API protection
Example Use Case: If a user attempts to access /products/12345 and the product does not exist, only the 404 errors will count against their limit. This allows legitimate users to browse the catalog without hitting limits, while still deterring attackers who try to enumerate IDs.
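The catalogue scenario above, as a framework-free PHP model of the pattern (added here; the class and method names are assumed and are not Laravel's RateLimiter or its after() hook). The limit is still checked before the handler runs, but the counter only moves when the callback that inspects the response says the attempt should count:

```php
<?php
// Added illustration with hypothetical names; not Laravel's own API.
final class ResponseAwareLimiter
{
    /** @var array<string, int> failed attempts per client key (in-memory) */
    private array $hits = [];

    public function __construct(private int $maxFailures) {}

    public function tooManyFailures(string $key): bool
    {
        return ($this->hits[$key] ?? 0) >= $this->maxFailures;
    }

    /** Run the handler, then let $shouldCount decide from the response. */
    public function handle(string $key, callable $handler, callable $shouldCount): array
    {
        if ($this->tooManyFailures($key)) {          // enforced before execution
            return ['status' => 429, 'body' => 'Too Many Requests'];
        }
        $response = $handler();
        if ($shouldCount($response)) {                // counted after execution
            $this->hits[$key] = ($this->hits[$key] ?? 0) + 1;
        }
        return $response;
    }
}

// Constructed catalogue: only these product IDs exist.
$catalogue = [1 => 'Widget', 2 => 'Gadget'];
$limiter = new ResponseAwareLimiter(maxFailures: 3);
$onlyNotFound = fn(array $r): bool => $r['status'] === 404;

foreach ([1, 2, 1, 2, 1, 2, 99, 98, 97, 1] as $id) {
    $result = $limiter->handle('client-A', function () use ($catalogue, $id): array {
        return isset($catalogue[$id])
            ? ['status' => 200, 'body' => $catalogue[$id]]
            : ['status' => 404, 'body' => 'Not Found'];
    }, $onlyNotFound);
    echo "GET /products/{$id} -> {$result['status']}\n";
}
// The six valid requests return 200 and never count; the three misses use up
// the budget, so the final request (a valid ID) is refused with 429.
```

Swapping `$onlyNotFound` for a callback that matches 401 or 403 responses applies the same mechanism to authentication failures.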