Explain how rate limiting works in a framework like Spring Boot, and how would you implement it to protect an API?