diff --git a/api/controllers/BooksController.js b/api/controllers/BooksController.js
index cade2c1..c1d0f20 100644
--- a/api/controllers/BooksController.js
+++ b/api/controllers/BooksController.js
@@ -31,5 +31,25 @@ module.exports = {
 error: e.message
 })
 }
+ },
+
+ list: async function (req, res) {
+ try {
+ const body = req.allParams()
+ if (!body) throw new Error('Missing parameters')
+
+ const books = await Book.find(body)
+
+ if (!books.length) {
+ return res.status(404).json({
+ error: 'No books matching those parameters were found.'
+ })
+ }
+ return res.json(books)
+ } catch (e) {
+ return res.status(500).json({
+ error: e.message
+ })
+ }
 }
 }
diff --git a/config/http.js b/config/http.js
index 3cf438f..e9603bc 100644
--- a/config/http.js
+++ b/config/http.js
@@ -9,6 +9,15 @@
 * https://sailsjs.com/config/http
 */
+const rateLimit = require('express-rate-limit')
+const rateLimiter = rateLimit({
+ windowMs: 10 * 60 * 1000, // 10 minutes
+ max: 100, // limit each IP to 100 requests per windowMs
+ skip (req, res) {
+ return !req.path.startsWith('/api')
+ }
+})
+
 module.exports.http = {
 /****************************************************************************
@@ -29,17 +38,18 @@ module.exports.http = {
 * *
 ***************************************************************************/
- // order: [
- // 'cookieParser',
- // 'session',
- // 'bodyParser',
- // 'compress',
- // 'poweredBy',
- // 'router',
- // 'www',
- // 'favicon',
- // ],
-
+ order: [
+ 'rateLimit',
+ 'cookieParser',
+ 'session',
+ 'bodyParser',
+ 'compress',
+ 'poweredBy',
+ 'router',
+ 'www',
+ 'favicon'
+ ],
+ rateLimit: rateLimiter,
 /***************************************************************************
 * *
diff --git a/config/routes.js b/config/routes.js
index 5b79955..6dd624b 100644
--- a/config/routes.js
+++ b/config/routes.js
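Review bot: In `list` (api/controllers/BooksController.js), `Book.find(body)` uses every request parameter from `req.allParams()` as the query criteria, so the caller rather than the controller decides which attributes are filtered on and whether any result limit applies. Build the criteria from an allow-list of the attributes meant to be searchable and cap the result size, e.g. `const criteria = _.pick(req.allParams(), FILTERABLE_FIELDS)` followed by `const books = await Book.find({ where: criteria, limit: MAX_RESULTS })`, where `FILTERABLE_FIELDS` and `MAX_RESULTS` are placeholders for values this diff does not show. The `if (!body)` guard looks unreachable, since the parameters arrive as an object even when none are sent. The 500 branch returns `e.message` to the client; logging the error server-side and responding with a generic message would keep datastore details out of API responses.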
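Review bot: `rateLimiter` in config/http.js is created with the library's default key (the client IP) and default in-memory store, and the hunk documents neither assumption. If the app runs behind a reverse proxy or load balancer, the address Express sees is the proxy's unless `trustProxy` is configured in this file, so every client would share one 100-request bucket; with more than one app process, each keeps its own counters (package.json already lists Redis-backed session and socket adapters, which suggests a multi-process deployment, though that is an inference). A comment above the `rateLimit({` call such as `// NOTE: keyed on req.ip; needs http.trustProxy behind a proxy and a shared store when scaled out` would record this. The `skip` check `startsWith('/api')` also matches any path that merely begins with those characters; `req.path === '/api' || req.path.startsWith('/api/')` is tighter.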
@@ -26,10 +26,6 @@ module.exports.routes = {
 view: 'pages/homepage'
 },
- 'GET /test': {
- view: 'pages/test'
- },
-
 /***************************************************************************
 * *
 * More custom routes here... *
@@ -51,6 +47,11 @@ module.exports.routes = {
 action: 'publish'
 },
+ 'GET /api/books': {
+ controller: 'books',
+ action: 'list'
+ },
+
 // ╦ ╦╔═╗╔╗ ╦ ╦╔═╗╔═╗╦╔═╔═╗
 // ║║║║╣ ╠╩╗╠═╣║ ║║ ║╠╩╗╚═╗
diff --git a/package.json b/package.json
index 75742c7..a942053 100644
--- a/package.json
+++ b/package.json
@@ -5,15 +5,16 @@
 "description": "a Sails application",
 "keywords": [],
 "dependencies": {
- "sails": "^1.0.2",
- "grunt": "1.0.1",
- "sails-hook-grunt": "^3.0.2",
- "sails-hook-orm": "^2.0.0-16",
- "sails-hook-sockets": "^1.4.0",
 "@sailshq/connect-redis": "^3.2.1",
- "@sailshq/socket.io-redis": "^5.2.0",
 "@sailshq/lodash": "^3.10.3",
- "async": "2.0.1"
+ "@sailshq/socket.io-redis": "^5.2.0",
+ "async": "2.0.1",
+ "express-rate-limit": "^3.2.1",
+ "grunt": "^1.0.3",
+ "sails": "^1.0.2",
+ "sails-hook-grunt": "^3.0.2",
+ "sails-hook-orm": "^2.1.1",
+ "sails-hook-sockets": "^1.4.0"
 },
 "devDependencies": {
 "@sailshq/eslint": "^4.19.3"
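Review bot: In the package.json hunk, `grunt` moves from the exact pin `1.0.1` to the range `^1.0.3` and `express-rate-limit` is added as `^3.2.1`, but no lockfile change appears in this diff. Without a committed lockfile, each install can resolve a different version of middleware that now runs first on every request. If the project has a lockfile, include its update in this commit; otherwise consider exact versions for these entries, as `async` already does with `2.0.1`.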