diff --git a/ass.js b/ass.js
index 4f8ab8c..70d95c5 100755
--- a/ass.js
+++ b/ass.js
@@ -13,7 +13,6 @@ const { host, port, useSsl, diskFilePath, isProxied } = require('./config.json')
 const fs = require('fs-extra');
 const express = require('express');
 const helmet = require('helmet');
-const rateLimit = require('express-rate-limit');
 const uploadRouter = require('./routers/upload');
 const resourceRouter = require('./routers/resource');
 const { path, log } = require('./utils');
@@ -57,12 +56,6 @@ app.use(helmet.referrerPolicy());
 app.use(helmet.dnsPrefetchControl());
 useSsl && app.use(helmet.hsts({ preload: true })); // skipcq: JS-0093
-// Rate limit middleware
-app.use(rateLimit({
- windowMs: 1000 * 60, // 60 seconds // skipcq: JS-0074
- max: 90 // Limit each IP to 30 requests per windowMs // skipcq: JS-0074
-}));
-
 // Don't process favicon requests (custom middleware)
 app.use((req, res, next) => (req.url.includes('favicon.ico') ? res.sendStatus(CODE_NO_CONTENT) : next()));
diff --git a/routers/upload.js b/routers/upload.js
index 44b1c8c..6dfbb1b 100644
--- a/routers/upload.js
+++ b/routers/upload.js
@@ -1,5 +1,6 @@
 const fs = require('fs-extra');
 const marked = require('marked');
+const rateLimit = require('express-rate-limit');
 const { DateTime } = require('luxon');
 const { WebhookClient, MessageEmbed } = require('discord.js');
 const { doUpload, processUploaded } = require('../storage');
@@ -21,6 +22,12 @@ router.get('/', (_req, res, next) =>
 .then((d) => res.render('index', { data: d }))
 .catch(next));
+// Rate limit middleware
+router.use('/', rateLimit({
+ windowMs: 1000 * 60, // 60 seconds // skipcq: JS-0074
+ max: 90 // Limit each IP to 30 requests per windowMs // skipcq: JS-0074
+}));
+
 // Block unauthorized requests and attempt token sanitization
 router.post('/', (req, res, next) => {
 req.headers.authorization = req.headers.authorization || '';
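Review bot: The limiter added by `router.use('/', rateLimit({...}))` in the last hunk is registered after the `router.get('/')` handler that opens that hunk (the handler's chain begins at the hunk header, outside the visible lines), so Express applies it only to handlers registered below it — `router.post('/')` onward — while `GET /` and, now that the global `app.use(rateLimit(...))` in ass.js is gone, every route on the resource router are served with no rate limit at all. If throttling only uploads is the intent, say so where the middleware is registered, e.g. `// Rate limit uploads only; GET / and the resource router are deliberately unthrottled`; otherwise register it before the `router.get` (outside this hunk) or restore an app-level limiter. The comment inherited from the removed block still disagrees with the value: `max: 90 // Limit each IP to 90 requests per windowMs // skipcq: JS-0074`. Note also that express-rate-limit keys on `req.ip`, which behind the reverse proxy that `isProxied` in config.json suggests collapses to the proxy's address unless `trust proxy` is configured somewhere not visible here — worth confirming before relying on this per-IP limit.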