diff --git a/config/dev.yaml b/config/dev.yaml
index 110fd3d9..8b6a2285 100644
--- a/config/dev.yaml
+++ b/config/dev.yaml
@@ -20,6 +20,9 @@ server:
 collaborationPort: 5003
 maxDocumentVersion: 20 # 最大版本记录数
 logRetainDays: 3 # 日志保留天数,比如只保留近三天日志
+ enableRateLimit: true # 是否限流
+ rateLimitWindowMs: 60000 # 限流时间
+ rateLimitMax: 1000 # 单位限流时间内单个 up 最大访问数量

 # 数据库配置
 db:
diff --git a/packages/server/src/main.ts b/packages/server/src/main.ts
index 89d40720..6ff18043 100644
--- a/packages/server/src/main.ts
+++ b/packages/server/src/main.ts
@@ -7,6 +7,7 @@ import { HttpResponseTransformInterceptor } from '@transforms/http-response.tran
 import * as compression from 'compression';
 import * as cookieParser from 'cookie-parser';
 import * as express from 'express';
+import rateLimit from 'express-rate-limit';
 import helmet from 'helmet';

 import { AppModule } from './app.module';
@@ -22,6 +23,14 @@ async function bootstrap() {
 methods: 'GET,HEAD,PUT,PATCH,POST,DELETE,OPTIONS',
 credentials: true,
 });
+
+ config.get('server.enableRateLimit') &&
+ app.use(
+ rateLimit({
+ windowMs: config.get('server.rateLimitWindowMs'),
+ max: config.get('server.rateLimitMax'),
+ })
+ );
 app.use(cookieParser());
 app.use(compression());
 app.use(helmet());
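Review bot: Rate limiting is opt-in through `enableRateLimit`, and this diff adds the three keys to `config/dev.yaml` only, so any other environment file that lacks them would leave the limiter switched off without any warning. If production uses a separate config file, it needs the same keys, or the code should treat a missing `enableRateLimit` as enabled. The comment on `rateLimitMax` says "单个 up", which looks like a typo for "ip". The comment on `rateLimitWindowMs` would also be clearer if it named the unit (milliseconds).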
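Review bot: The limiter added before `app.use(cookieParser())` counts requests by the client address as Express resolves it, and nothing in this hunk configures Express's `trust proxy` setting. If the server sits behind a reverse proxy, all users may be counted under the proxy's address and share one budget, while trusting forwarded headers from arbitrary clients makes the counted address client-controlled; the setting should match the proxies actually in front of the app. `windowMs` and `max` are passed straight from `config.get(...)` with no type or range check, so a missing or non-numeric value is handed to the library unchecked. The `config.get('server.enableRateLimit') && app.use(...)` expression statement would read more clearly as `if (config.get('server.enableRateLimit')) { app.use(rateLimit({ ... })); }`. bootstrap() starts and ends outside the hunk, so the proxy setting may already exist elsewhere.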