Railway's system for dealing with hackers is a $5/mo fee gate.
Railway plays around vibecoding as they go along, and their tech practices don't inspire confidence either. Unlike other PaaS like Render or Heroku, I doubt Railway has adequate rate-limiting to stop bad apples.
Yeah, and rate-limiting is only one of the things a PaaS needs to handle, to avoid looking like a bad actor to the underlying platform. The trickiest thing to handle is people using your PaaS to host malware, because:
1. There may be no simple rule of thumb like "suddenly using tons of bandwidth"
2. Bad actors can open up so many accounts, you have to close them automatically
3. Malware can infect a good actor, who is unaware or struggling to deal with it