diff --git a/server/apiServer.ts b/server/apiServer.ts
index 6c490053..dafec1b8 100644
--- a/server/apiServer.ts
+++ b/server/apiServer.ts
@@ -79,6 +79,12 @@ export function createApiServer() {
 // Add request timeout middleware
 apiServer.use(requestTimeoutMiddleware(60000)); // 60 second timeout
+ apiServer.use(logIncomingMiddleware);
+
+ if (build !== "oss") {
+ apiServer.use(`${prefix}/hybrid`, hybridRouter); // put before rate limiting because we will rate limit there separately because some of the routes are heavily used
+ }
+
 if (!dev) {
 apiServer.use(
 rateLimit({
@@ -101,11 +107,7 @@ export function createApiServer() {
 }
 // API routes
- apiServer.use(logIncomingMiddleware);
 apiServer.use(prefix, unauthenticated);
- if (build !== "oss") {
- apiServer.use(`${prefix}/hybrid`, hybridRouter);
- }
 apiServer.use(prefix, authenticated);
 // WebSocket routes
diff --git a/server/private/routers/hybrid.ts b/server/private/routers/hybrid.ts
index a8b6a174..d9178446 100644
--- a/server/private/routers/hybrid.ts
+++ b/server/private/routers/hybrid.ts
@@ -227,6 +227,8 @@ export type UserSessionWithUser = {
 export const hybridRouter = Router();
 hybridRouter.use(verifySessionRemoteExitNodeMiddleware);
+// TODO: ADD RATE LIMITING TO THESE ROUTES AS NEEDED BASED ON USAGE PATTERNS
+
 hybridRouter.get(
 "/general-config",
 async (req: Request, res: Response, next: NextFunction) => {
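Review bot: Mounting `hybridRouter` ahead of the `if (!dev)` `rateLimit` block leaves every route under the hybrid prefix with no throttle at all. The inline comment promises separate limiting, but the hybrid.ts hunk in this commit adds only a TODO. Each request to that prefix still reaches `verifySessionRemoteExitNodeMiddleware`, so a caller without a valid session can presumably drive session verification at an unbounded rate. Until per-route limits exist, pass a coarse limiter with a higher ceiling as an extra handler before `hybridRouter` in the same `apiServer.use` call. `logIncomingMiddleware` now also runs before the limiter, so requests it later rejects are logged too, which is worth confirming as intended; `createApiServer` continues outside the hunk.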
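Review bot: The TODO is placed after `hybridRouter.use(verifySessionRemoteExitNodeMiddleware)`, which suggests the limiter will be registered behind session verification. If that middleware rejects invalid sessions, as its name implies, a limiter in that position never counts the failed attempts. Register an IP-keyed limiter before the session middleware, with any per-exit-node limits after it. The comment should also name the actual gap and a tracking reference, for example `// TODO(<issue-id>): hybrid routes bypass the global limiter in apiServer.ts; add per-route limits`.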