diff --git a/apps/demos/package.json b/apps/demos/package.json
index 3803c321062b..7096e508c8b7 100644
--- a/apps/demos/package.json
+++ b/apps/demos/package.json
@@ -86,7 +86,8 @@
 "vuex": "4.0.0-beta.4",
 "whatwg-fetch": "2.0.4",
 "yargs": "17.7.2",
- "zone.js": "0.15.1"
+ "zone.js": "0.15.1",
+ "express-rate-limit": "^8.3.1"
 },
 "devDependencies": {
 "@angular/platform-server": "21.1.6",
diff --git a/apps/demos/utils/server/csp-server.js b/apps/demos/utils/server/csp-server.js
index 014cf7f49a68..bb5a1d37f59f 100644
--- a/apps/demos/utils/server/csp-server.js
+++ b/apps/demos/utils/server/csp-server.js
@@ -5,6 +5,7 @@ const express = require('express');
 const cookieParser = require('cookie-parser');
 const { join, resolve } = require('path');
 const { readFileSync, readdirSync } = require('fs');
+const RateLimit = require('express-rate-limit');
 const root = join(__dirname, '..', '..', '..', '..');
 const indexFileName = 'index.html';
@@ -379,12 +380,17 @@ const app = express();
 app.use(cookieParser());
 app.use(cspMiddleware);
+const demoIndexLimiter = RateLimit({
+ windowMs: 15 * 60 * 1000,
+ max: 100,
+});
+
 app.post('/csp-report', cspReportHandler);
 app.get('/csp-violations', cspViolationsHandler);
 app.delete('/csp-violations', cspViolationsClearHandler);
-app.get('/apps/demos/Demos/:widget/:name/:approach', demoIndexHandler);
-app.get(`/apps/demos/Demos/:widget/:name/:approach/${indexFileName}`, demoIndexHandler);
+app.get('/apps/demos/Demos/:widget/:name/:approach', demoIndexLimiter, demoIndexHandler);
+app.get(`/apps/demos/Demos/:widget/:name/:approach/${indexFileName}`, demoIndexLimiter, demoIndexHandler);
 app.use(express.static(root, { index: [indexFileName] }));
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 52971a0e7d7b..69c7bebc5363 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
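Review bot: `"express-rate-limit": "^8.3.1"` in `apps/demos/package.json` is a caret range, while every other dependency visible in this hunk is pinned to an exact version (`"yargs": "17.7.2"`, `"zone.js": "0.15.1"`). The lockfile resolves it to 8.3.1 today, but a lockfile refresh can pull any later 8.x release without a reviewed change to this file; `"express-rate-limit": "8.3.1"` keeps it in line with its neighbours. It is also appended after `zone.js` rather than placed in order, if this list is meant to stay sorted.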
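Review bot: The limiter in `apps/demos/utils/server/csp-server.js` is attached only to the two `demoIndexHandler` routes, so `POST /csp-report` stays unthrottled, and it is the one route here that accepts a request body from any page that can reach the server. The handlers are defined outside this hunk, so this is inferred, but if `cspReportHandler` keeps reports for `/csp-violations` to return, a sustained stream of reports grows that store without bound. I would give that route its own limiter instance rather than reuse `demoIndexLimiter` (a shared instance would also share the counter with the demo pages), e.g. `app.post('/csp-report', cspReportLimiter, cspReportHandler);`. Smaller points: recent express-rate-limit releases name the option `limit` and, as far as I know, keep `max` only as a legacy alias, so `limit: 100` is the current spelling; and the counter is keyed by client IP, which collapses into one shared bucket if this server is ever run behind a proxy without `trust proxy` configured.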
@@ -461,6 +461,9 @@ importers: esbuild-plugin-vue3: specifier: 0.3.2 version: 0.3.2(cheerio@1.0.0-rc.10)(sass@1.97.1) + express-rate-limit: + specifier: ^8.3.1 + version: 8.3.1(express@4.22.1) file-saver-es: specifier: 2.0.5 version: 2.0.5 @@ -31584,6 +31587,11 @@ snapshots: exponential-backoff@3.1.1: {} + express-rate-limit@8.3.1(express@4.22.1): + dependencies: + express: 4.22.1 + ip-address: 10.1.0 + express-rate-limit@8.3.1(express@5.2.1): dependencies: express: 5.2.1