diff --git a/.env-example b/.env-example
index e14912a..5f4827f 100644
--- a/.env-example
+++ b/.env-example
@@ -1,5 +1,10 @@
+# connection details for this service
 FRONTEND_URL=http://localhost:3000
 BACKEND_URL=http://localhost:3001
 SESSION_SECRET=
 JWT_SECRET=

+
+# rate limiting
+RATE_LIMIT_WINDOW_MS=15*60*1000
+RATE_LIMIT_MAX_REQ=100
diff --git a/src/app.ts b/src/app.ts
index a6f86bf..93a6dcd 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -40,12 +40,12 @@ app.set('view engine', 'ejs');
 app.use('/public', express.static(`${__dirname}/public`));
 app.use('/css', express.static(`${__dirname}/css`));
 app.use('/assets', express.static(`${__dirname}/assets`));
-app.use('/auth', auth);
-app.use('/healthcheck', healthcheck);
+app.use('/auth', rateLimiter, auth);
+app.use('/healthcheck', rateLimiter, healthcheck);

-app.use('/:lang/publish', publish, rateLimiter, ensureAuthenticated);
-app.use('/:lang/dataset', view, rateLimiter, ensureAuthenticated);
-app.use('/:lang/healthcheck', healthcheck);
+app.use('/:lang/publish', rateLimiter, ensureAuthenticated, publish);
+app.use('/:lang/dataset', rateLimiter, ensureAuthenticated, view);
+app.use('/:lang/healthcheck', rateLimiter, healthcheck);

 app.get('/', (req: Request, res: Response) => {
 const lang = req.headers['accept-language'] || req.headers['Accept-Language'] || req.i18n.language || 'en-GB';
diff --git a/src/middleware/rate-limiter.ts b/src/middleware/rate-limiter.ts
index 5a0d7dd..149e6fa 100644
--- a/src/middleware/rate-limiter.ts
+++ b/src/middleware/rate-limiter.ts
@@ -1,8 +1,8 @@
 import rateLimit from 'express-rate-limit';

 export const rateLimiter = rateLimit({
- windowMs: 15 * 60 * 1000,
- max: 100,
+ windowMs: parseInt(process.env.RATE_LIMIT_WINDOW_MS || '60000', 10),
+ max: parseInt(process.env.RATE_LIMIT_MAX_REQ || '100', 10),
 standardHeaders: true,
 legacyHeaders: false,
 handler: (req, res) => {
diff --git a/src/middleware/session.ts b/src/middleware/session.ts
index 054e79e..dede9f4 100644
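Review bot: `RATE_LIMIT_WINDOW_MS=15*60*1000` is never evaluated by a dotenv loader; the variable holds the literal string `15*60*1000`, and the `parseInt(..., 10)` that consumes it in src/middleware/rate-limiter.ts (same commit) stops at the `*` and returns 15, so anyone who copies this example gets a 15-millisecond window and a limiter that effectively never fires. Write the milliseconds out: `RATE_LIMIT_WINDOW_MS=900000`, with the comment `# rate limiting: window length in milliseconds (900000 = 15 minutes) and max requests per client per window`. The example also disagrees with the code's own fallback of 60000 ms; pick one value so that a deployment that follows the example gets the documented behaviour.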
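Review bot: The single `rateLimiter` instance — one store, one counter per client key — now guards `/auth`, `/healthcheck`, `/:lang/healthcheck`, `/:lang/publish` and `/:lang/dataset` alike, so a load-balancer or orchestrator probe polling `/healthcheck` every few seconds shares the 100-per-window budget with everything else and can be throttled itself (the service is then reported unhealthy) or drain the budget for real users behind the same source address. Health checks are not a credential-guessing surface; drop the limiter from `app.use('/healthcheck', healthcheck);` and `app.use('/:lang/healthcheck', healthcheck);`, and give `/auth` its own, much stricter instance (a handful of attempts per window) rather than the general-purpose 100. Running `rateLimiter` before `ensureAuthenticated` is the right ordering, since unauthenticated callers are now counted before they reach the handlers. If the app sits behind a reverse proxy, express-rate-limit keys on `req.ip`, which is the proxy's address unless `trust proxy` is configured — I cannot see that setting from this hunk, but without it every client shares one counter.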
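Review bot: `parseInt` on the two new lines accepts any string that merely starts with digits and returns NaN for anything else, so `RATE_LIMIT_WINDOW_MS=15*60*1000` (the value this same commit ships in .env-example) silently becomes a 15 ms window and `RATE_LIMIT_MAX_REQ=abc` becomes `max: NaN`; a misconfigured limiter fails open with nothing logged. The fallback also quietly shrinks the window from the previous hard-coded 15 minutes to 60 s — if that is intentional it deserves a comment, otherwise keep `15 * 60 * 1000`. Parse both variables through one helper that rejects non-integer or non-positive values at startup, as below; the `rateLimit({` call continues past the hunk (handler body), which is unchanged.
```typescript
/** Positive integer from the environment: unset/empty → fallback, malformed → fail fast at boot. */
function envPositiveInt(name: string, fallback: number): number {
  const raw = process.env[name];
  if (raw === undefined || raw.trim() === '') return fallback;
  const value = Number(raw); // Number('15*60*1000') is NaN, unlike parseInt
  if (!Number.isSafeInteger(value) || value <= 0) {
    throw new Error(`${name} must be a positive integer, got "${raw}"`);
  }
  return value;
}

export const rateLimiter = rateLimit({
  windowMs: envPositiveInt('RATE_LIMIT_WINDOW_MS', 15 * 60 * 1000),
  max: envPositiveInt('RATE_LIMIT_MAX_REQ', 100),
  // … unchanged: standardHeaders, legacyHeaders, handler …
```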
--- a/src/middleware/session.ts
+++ b/src/middleware/session.ts
@@ -1,7 +1,7 @@
 import session from 'express-session';

 export default session({
- secret: process.env.SESSION_SECRET || 'default',
+ secret: process.env.SESSION_SECRET || '',
 resave: false,
 saveUninitialized: false,
 cookie: {
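Review bot: `secret: process.env.SESSION_SECRET || ''` swaps a guessable default for an empty secret but still does not fail at startup: as far as I recall, express-session treats a falsy secret as absent and rejects every request with "secret option required for sessions", so an unset SESSION_SECRET (exactly what .env-example ships) surfaces as request-time errors instead of a clear boot failure. Read it into a local and throw before the middleware is built: `const secret = process.env.SESSION_SECRET;` / `if (!secret) throw new Error('SESSION_SECRET must be set to a long random value');` and then pass `secret,`. Dropping the `'default'` fallback is the right call, since a known secret lets anyone forge signed session cookies. The `session({` call continues past the hunk (cookie options).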