diff --git a/l4d2web/tests/test_profile.py b/l4d2web/tests/test_profile.py
index 0189321..98fdf96 100644
--- a/l4d2web/tests/test_profile.py
+++ b/l4d2web/tests/test_profile.py
@@ -231,3 +231,30 @@ def test_new_password_works_for_login(app_and_user):
     )
     assert response.status_code == 302
     assert response.headers["Location"].endswith("/dashboard")
+
+
+def test_post_password_rate_limited(app_and_user):
+    from l4d2web.routes.profile_routes import (
+        PROFILE_PW_RATE_LIMIT_MAX_ATTEMPTS,
+        reset_profile_password_rate_limits,
+    )
+    reset_profile_password_rate_limits()
+
+    app, uid, marker = app_and_user
+    client = _logged_in_client(app, uid, marker)
+
+    for _ in range(PROFILE_PW_RATE_LIMIT_MAX_ATTEMPTS):
+        _post_pw(
+            client,
+            current_password="WRONG",
+            new_password="newpass12",
+            confirm_new_password="newpass12",
+        )
+
+    blocked = _post_pw(
+        client,
+        current_password="WRONG",
+        new_password="newpass12",
+        confirm_new_password="newpass12",
+    )
+    assert blocked.status_code == 429
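Review bot: The `for` loop in `test_post_password_rate_limited` discards the first `PROFILE_PW_RATE_LIMIT_MAX_ATTEMPTS` responses, so the test cannot tell whether the limiter fires at the configured threshold or one attempt too early; only the final 429 is pinned. Capture and check each response inside the loop, e.g. `resp = _post_pw(client, current_password="WRONG", new_password="newpass12", confirm_new_password="newpass12")` followed by `assert resp.status_code != 429`, so an off-by-one in the limiter is caught. The limiter state is reset only at the start of the test, and the same `app_and_user` fixture is presumably shared with later tests; resetting again in a `try`/`finally` (or a fixture teardown) would keep the lockout from leaking into tests that run afterwards. Whether the limiter keys on the user or on the client address is not visible here, so the test as written does not establish which one is being exercised.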