Ratelimit by user or in general

Middleware is what you are looking for. You would most likely want a global middleware, but you will want to exclude any traffic aimed at admin endpoints. There are packages like koa-ratelimit that could help you.

I don't really have a good example of one at a global level, but we do have a very basic and minimal one applied in the users-permissions plugin for the auth endpoints: https://github.com/strapi/strapi/blob/master/packages/plugins/users-permissions/server/middlewares/rateLimit.js
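As an added illustration of the approach the answer describes (this is example code, not the forum poster's and not Strapi's own `rateLimit.js`): a Koa-style `(ctx, next)` middleware that counts requests per authenticated user, falling back to the client IP for anonymous traffic, and skips anything under `/admin` so the limit cannot lock operators out. It assumes the authenticated user is found at `ctx.state.user` (where the users-permissions plugin places it) and that `ctx.ip`, `ctx.path`, `ctx.set`, `ctx.status` and `ctx.body` behave as in Koa. The store is a fixed-window counter in process memory, so it only protects a single instance; behind several instances you would back it with a shared store or use a package such as koa-ratelimit. A tiny stand-in for the Koa context is included so the example runs without Koa installed.

```javascript
// Added example: per-user (or per-IP) fixed-window rate limiting as a Koa
// middleware, with admin routes excluded. Not Strapi's own code.

function createRateLimiter({
  max = 5,                       // requests allowed per window
  windowMs = 60_000,             // window length
  excludePrefixes = ['/admin'],  // paths that are never limited
  now = Date.now,                // injectable clock (for tests)
} = {}) {
  const buckets = new Map();     // key -> { count, windowStart }

  // Assumption: Strapi's users-permissions plugin sets ctx.state.user for
  // authenticated requests; anonymous traffic is keyed on the client IP.
  function clientKey(ctx) {
    const user = ctx.state && ctx.state.user;
    return user && user.id != null ? `user:${user.id}` : `ip:${ctx.ip}`;
  }

  function isExcluded(path) {
    return excludePrefixes.some((p) => path === p || path.startsWith(p + '/'));
  }

  // Returning next()'s promise is all Koa needs; no async keyword required.
  function middleware(ctx, next) {
    if (isExcluded(ctx.path)) return next();

    const key = clientKey(ctx);
    const t = now();
    let bucket = buckets.get(key);
    if (!bucket || t - bucket.windowStart >= windowMs) {
      bucket = { count: 0, windowStart: t };   // start a fresh window
      buckets.set(key, bucket);
    }
    bucket.count += 1;

    ctx.set('X-RateLimit-Limit', String(max));
    ctx.set('X-RateLimit-Remaining', String(Math.max(0, max - bucket.count)));

    if (bucket.count > max) {
      const retryAfterSec = Math.ceil((bucket.windowStart + windowMs - t) / 1000);
      ctx.set('Retry-After', String(retryAfterSec));
      ctx.status = 429;
      ctx.body = { error: 'Too Many Requests' };
      return;                                   // do not call next(): request is dropped
    }
    return next();
  }

  return middleware;
}

// Minimal constructed stand-in for a Koa context so the example runs offline.
function fakeCtx({ path, ip = '203.0.113.7', user = null }) {
  const headers = {};
  return {
    path,
    ip,
    state: { user },
    status: 200,
    body: undefined,
    headers,
    set(name, value) { headers[name.toLowerCase()] = value; },
  };
}

// Run a list of constructed requests through the limiter; return the contexts.
function simulate(limiter, requests) {
  return requests.map((req) => {
    const ctx = fakeCtx(req);
    limiter(ctx, () => { ctx.body = 'ok'; });
    return ctx;
  });
}

const statuses = (ctxs) => ctxs.map((c) => c.status);

// Exercise the three behaviours: burst from one IP, admin bypass, window reset,
// and independent buckets for two different authenticated users.
function demo() {
  let clock = 0;
  const limiter = createRateLimiter({ max: 3, windowMs: 60_000, now: () => clock });

  const burstCtxs = simulate(limiter, Array.from({ length: 5 }, () => ({ path: '/api/auth/local' })));
  const admin = statuses(simulate(limiter, Array.from({ length: 5 }, () => ({ path: '/admin/users' }))));
  clock = 60_000;                                // advance past the window
  const afterWindow = statuses(simulate(limiter, [{ path: '/api/auth/local' }]));

  const perUserLimiter = createRateLimiter({ max: 3, windowMs: 60_000, now: () => 0 });
  const perUser = statuses(simulate(perUserLimiter,
    Array.from({ length: 8 }, (_, i) => ({ path: '/api/articles', user: { id: (i % 2) + 1 } }))));

  return {
    burst: statuses(burstCtxs),
    retryAfter: burstCtxs[3].headers['retry-after'],
    admin,
    afterWindow,
    perUser,
  };
}
```

Registering it as a global middleware in Strapi means every route passes through it before the router, which is exactly why the `/admin` exclusion sits at the top of the function rather than being left to route configuration.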