diff --git a/backend/src/index.ts b/backend/src/index.ts
index 97d895d..a4bfcb9 100644
--- a/backend/src/index.ts
+++ b/backend/src/index.ts
@@ -10,10 +10,13 @@ import playlistRoutes from "./routes/playlist.routes";
 import adminRoutes from "./routes/admin.routes";
 import streamRoutes from "./routes/stream.routes";
 import userRoutes from "./routes/user.routes";
+import logger from "./utils/logger";
+import { loginRateLimiter, adminRateLimiter } from "./middleware/rateLimiter";
 
 dotenv.config();
 
 const app = express();
+app.set("trust proxy", 1);
 const PORT = parseInt(process.env.PORT ?? "4000");
 
 const allowedOrigins = (process.env.FRONTEND_URL ?? "http://localhost:5173")
@@ -35,21 +38,22 @@ app.get("/api/health", (_req, res) => {
 res.json({ status: "ok", timestamp: new Date().toISOString() });
 });
 
+app.use("/api/auth/login", loginRateLimiter);
 app.use("/api/auth", authRoutes);
 app.use("/api/videos", videoRoutes);
 app.use("/api/playlists", playlistRoutes);
-app.use("/api/admin", adminRoutes);
+app.use("/api/admin", adminRateLimiter, adminRoutes);
 app.use("/api/stream", streamRoutes);
 app.use("/api/users", userRoutes);
 
 AppDataSource.initialize()
 .then(() => {
- console.log("Database connected");
+ logger.info("Database connected");
 app.listen(PORT, () => {
- console.log(`Server running on port ${PORT}`);
+ logger.info(`Server running on port ${PORT}`);
 });
 })
- .catch((err) => {
- console.error("Database connection failed:", err);
+ .catch((err: unknown) => {
+ logger.error("Database connection failed", { err });
 process.exit(1);
 });
diff --git a/backend/src/middleware/rateLimiter.ts b/backend/src/middleware/rateLimiter.ts
new file mode 100644
index 0000000..ab73c1f
--- /dev/null
+++ b/backend/src/middleware/rateLimiter.ts
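Review bot: `app.set("trust proxy", 1)` hard-codes the proxy hop count that `req.ip`, and therefore the key of both new per-IP rate limiters, depends on, and nothing on the page shows the deployment topology it was chosen for. With `1`, Express takes the client address from the X-Forwarded-For value supplied by the immediate peer, so the limiters are only as accurate as that assumption: reached without a proxy, the header is client-controlled and the per-IP budget no longer binds to a client; behind two proxies, every request keys on the inner proxy's address and all users share one budget. Reading the value from configuration, e.g. `app.set("trust proxy", Number(process.env.TRUST_PROXY_HOPS ?? 1));` (variable name is a suggestion), with the comment `// must equal the number of reverse proxies in front of this process; the rate limiters key on req.ip`, ties the setting to the deployment rather than to this commit. The module continues past the hunk.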
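Review bot: `app.use("/api/auth/login", loginRateLimiter)` counts every method on that path, so when the frontend at the `allowedOrigins` URL is served cross-origin (the default `http://localhost:5173` is), each login attempt costs two hits — the CORS preflight OPTIONS and the POST — and the documented 10 per 15 minutes becomes 5 real attempts; this assumes the cors middleware is mounted above this hunk, which is not visible here. Registering the limiter for the login method only, `app.post("/api/auth/login", loginRateLimiter);`, or adding `skip: (req) => req.method === "OPTIONS"` to the limiter, keeps the budget as documented. A short comment at the mount point would also help operators: `// default MemoryStore is per-process: counters reset on restart and are not shared between instances`.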
@@ -0,0 +1,25 @@
+import rateLimit from "express-rate-limit";
+
+const rateLimitResponse = { error: "RATE_LIMIT_EXCEEDED" };
+
+/** POST /api/auth/login — 10 req / 15 min par IP */
+export const loginRateLimiter = rateLimit({
+ windowMs: 15 * 60 * 1000,
+ max: 10,
+ standardHeaders: true,
+ legacyHeaders: false,
+ handler: (_req, res) => {
+ res.status(429).json(rateLimitResponse);
+ },
+});
+
+/** /api/admin/* — 50 req / min par IP */
+export const adminRateLimiter = rateLimit({
+ windowMs: 60 * 1000,
+ max: 50,
+ standardHeaders: true,
+ legacyHeaders: false,
+ handler: (_req, res) => {
+ res.status(429).json(rateLimitResponse);
+ },
+});
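Review bot: Both `handler` callbacks answer 429 silently, so the one event this file exists to detect — repeated login or admin requests from a single address — leaves no trace in the logger that the same commit introduces in `index.ts`; a `logger.warn` with method, path and `req.ip` in the handler turns the limiter into a detection signal for brute-force and enumeration attempts rather than only a throttle. The two `rateLimit({...})` literals also differ only in `windowMs` and `max`, so a small factory removes the duplication and guarantees both limiters share the same headers and response shape. If the installed express-rate-limit is v7 or later, `max` is a deprecated alias of `limit` and should be renamed when the package version is confirmed. The file header and `/** … par IP */` comments are in French while the rest of the visible code comments are English; the two docblocks could read `/** POST /api/auth/login — 10 requests / 15 min per IP */` and `/** /api/admin/* — 50 requests / min per IP */`.
```typescript
import rateLimit from "express-rate-limit";
import logger from "../utils/logger";

const rateLimitResponse = { error: "RATE_LIMIT_EXCEEDED" };

/** Builds a per-IP limiter; the key is req.ip, so accuracy depends on app "trust proxy". */
function makeRateLimiter(windowMs: number, max: number) {
  return rateLimit({
    windowMs,
    max,
    standardHeaders: true,
    legacyHeaders: false,
    handler: (req, res) => {
      // Log the hit so repeated throttling of one address is visible to operators.
      logger.warn("Rate limit exceeded", { method: req.method, path: req.originalUrl, ip: req.ip });
      res.status(429).json(rateLimitResponse);
    },
  });
}

/** POST /api/auth/login — 10 requests / 15 min per IP */
export const loginRateLimiter = makeRateLimiter(15 * 60 * 1000, 10);

/** /api/admin/* — 50 requests / min per IP */
export const adminRateLimiter = makeRateLimiter(60 * 1000, 50);
```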