diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json
index 5e20d649e..a7900c691 100644
--- a/npm-shrinkwrap.json
+++ b/npm-shrinkwrap.json
@@ -886,7 +886,8 @@
 "defaults": {
 "version": "1.0.3",
 "from": "defaults@>=1.0.3 <2.0.0",
- "resolved": "https://registry.npmjs.org/defaults/-/defaults-1.0.3.tgz"
+ "resolved": "https://registry.npmjs.org/defaults/-/defaults-1.0.3.tgz",
+ "dev": true
 },
 "defined": {
 "version": "1.0.0",
@@ -1171,11 +1172,6 @@
 }
 }
 },
- "express-rate-limit": {
- "version": "2.6.0",
- "from": "express-rate-limit@>=2.6.0 <3.0.0",
- "resolved": "https://registry.npmjs.org/express-rate-limit/-/express-rate-limit-2.6.0.tgz"
- },
 "express-session": {
 "version": "1.15.1",
 "from": "express-session@>=1.11.3 <2.0.0",
diff --git a/package.json b/package.json
index df95979bc..11ada9578 100644
--- a/package.json
+++ b/package.json
@@ -32,7 +32,6 @@
 "ejs": "^2.2.4",
 "ejs-cli": "^1.2.0",
 "express": "^4.12.4",
- "express-rate-limit": "^2.6.0",
 "express-session": "^1.11.3",
 "gulp-sass": "^3.0.0",
 "hat": "0.0.3",
diff --git a/setup/start/nginx/appconfig.ejs b/setup/start/nginx/appconfig.ejs
index c8bd2a138..aadca412c 100644
--- a/setup/start/nginx/appconfig.ejs
+++ b/setup/start/nginx/appconfig.ejs
@@ -83,6 +83,12 @@ server {
 client_max_body_size 1m;
 }
 
+ location ~ ^/api/v1/(developer|session)/login$ {
+ proxy_pass http://127.0.0.1:3000;
+ client_max_body_size 1m;
+ limit_req zone=admin_login burst=5;
+ }
+
 # the read timeout is between successive reads and not the whole connection
 location ~ ^/api/v1/apps/.*/exec$ {
 proxy_pass http://127.0.0.1:3000;
@@ -99,7 +105,6 @@ server {
 root <%= sourceDir %>/webadmin/dist;
 index index.html index.htm;
 }
-
 <% } else if ( endpoint === 'app' ) { %>
 proxy_pass http://127.0.0.1:<%= port %>;
 <% } else if ( endpoint === 'splash' ) { %>
diff --git a/setup/start/nginx/nginx.conf b/setup/start/nginx/nginx.conf
index 602069a08..66313f644 100644
--- a/setup/start/nginx/nginx.conf
+++ b/setup/start/nginx/nginx.conf
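Review bot: `limit_req zone=admin_login burst=5;` in the new login location has no `nodelay`, so up to five excess requests are queued and served at the zone rate rather than refused, and anything past the burst gets nginx's default `limit_req_status` of 503, which API clients will read as an outage rather than as throttling. Consider `limit_req zone=admin_login burst=5 nodelay;` together with `limit_req_status 429;` so that rejected login attempts are distinguishable from server failures both for clients and in access-log analysis. nginx takes the first `location ~` that matches in file order, so this block is only effective if no earlier regex location in the same server block (not visible in this hunk) already matches these two paths. The enclosing `server {` block starts and ends outside the hunk.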
@@ -33,6 +33,9 @@ http {
 # keep-alive connections timeout in 65s. this is because many browsers timeout in 60 seconds
 keepalive_timeout 65s;
 
+ # zones for rate limiting
+ limit_req_zone $binary_remote_addr zone=admin_login:10m rate=1r/s; # 1 request a second
+
 # HTTP server
 server {
 listen 80;
diff --git a/src/server.js b/src/server.js
index d7b9b32c7..7a57e2f08 100644
--- a/src/server.js
+++ b/src/server.js
@@ -18,7 +18,6 @@ var assert = require('assert'),
 middleware = require('./middleware'),
 passport = require('passport'),
 path = require('path'),
- RateLimit = require('express-rate-limit'),
 routes = require('./routes/index.js');
 
 var gHttpServer = null;
@@ -44,19 +43,12 @@ function initializeExpressSync() {
 // for rate limiting
 app.enable('trust proxy');
 
- var limiter = new RateLimit({
- windowMs: 60*1000, // 1 minute
- max: 200, // limit each IP to 200 requests per windowMs
- delayMs: 0 // disable delaying - full speed until the max limit is reached
- });
-
 if (process.env.BOX_ENV !== 'test') app.use(middleware.morgan('Box :method :url :status :response-time ms - :res[content-length]', { immediate: false }));
 
 var router = new express.Router();
 router.del = router.delete; // amend router.del for readability further on
 
 app
- .use(limiter)
 .use(middleware.timeout(REQUEST_TIMEOUT))
 .use(json)
 .use(urlencoded)
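Review bot: The trailing comment `# 1 request a second` on the new `limit_req_zone` line only restates `rate=1r/s`; the parts a maintainer actually needs are the key and the consumer. `$binary_remote_addr` buckets on nginx's direct TCP peer, so if this instance were ever placed behind another proxy or load balancer every client would share a single bucket — the deployment is not visible in this diff, so treat that as a caveat to verify rather than a defect. Suggest `# per-client-IP throttle for the login endpoints; keyed on the TCP peer address, not X-Forwarded-For` and a mention that the `admin_login` zone name is consumed by the login location in setup/start/nginx/appconfig.ejs, so the two must be changed together.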
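Review bot: With `limiter` gone, the comment `// for rate limiting` above `app.enable('trust proxy')` is stale — nothing in this file rate-limits any more, and the remaining reason for `trust proxy` that can be seen here is that `req.ip` and `req.protocol` would otherwise always reflect the nginx hop at 127.0.0.1. Suggest `// nginx fronts this server; honour X-Forwarded-* so req.ip/req.protocol reflect the real client`. A short comment at the start of the `app` middleware chain would also help, because the per-IP cap of 200 requests per minute that used to cover every route now exists only for the two login paths matched in appconfig.ejs, and not at all for requests that reach the app without passing through nginx (the BOX_ENV=test path, or anything talking to port 3000 directly). initializeExpressSync continues past the end of the hunk.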