diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index b4eaab1daa..f558ee5fe0 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -122,7 +122,7 @@ class Rack::Attack
   end
 
   throttle('throttle_email_confirmations/ip', limit: 25, period: 5.minutes) do |req|
-    req.throttleable_remote_ip if req.post? && (req.path_matches?('/auth/confirmation') || req.path == '/api/v1/emails/confirmations')
+    req.throttleable_remote_ip if (req.post? && (req.path_matches?('/auth/confirmation') || req.path == '/api/v1/emails/confirmations')) || ((req.put? || req.patch?) && req.path_matches?('/auth/setup'))
   end
 
   throttle('throttle_email_confirmations/email', limit: 5, period: 30.minutes) do |req|
@@ -133,6 +133,14 @@ class Rack::Attack
     end
   end
 
+  throttle('throttle_auth_setup/email', limit: 5, period: 10.minutes) do |req|
+    req.params.dig('user', 'email').presence if (req.put? || req.patch?) && req.path_matches?('/auth/setup')
+  end
+
+  throttle('throttle_auth_setup/account', limit: 5, period: 10.minutes) do |req|
+    req.warden_user_id if (req.put? || req.patch?) && req.path_matches?('/auth/setup')
+  end
+
   throttle('throttle_login_attempts/ip', limit: 25, period: 5.minutes) do |req|
     req.throttleable_remote_ip if req.post? && req.path_matches?('/auth/sign_in')
   end
diff --git a/spec/requests/auth/setup_spec.rb b/spec/requests/auth/setup_spec.rb
index 72413e1740..fa3c196805 100644
--- a/spec/requests/auth/setup_spec.rb
+++ b/spec/requests/auth/setup_spec.rb
@@ -24,15 +24,4 @@ RSpec.describe 'Auth Setup' do
       end
     end
   end
-
-  describe 'PUT /auth/setup' do
-    before { sign_in Fabricate(:user, confirmed_at: nil) }
-
-    it 'gracefully handles invalid nested params' do
-      put '/auth/setup?user=invalid'
-
-      expect(response)
-        .to have_http_status(400)
-    end
-  end
 end