diff --git a/config/initializers/rack_attack.rb b/config/initializers/rack_attack.rb
index 46ca2cdcb..f04ecaadb 100644
--- a/config/initializers/rack_attack.rb
+++ b/config/initializers/rack_attack.rb
@@ -104,6 +104,11 @@ class Rack::Attack
   throttle('api/v1/widget/contacts', limit: 60, period: 1.hour) do |req|
     req.ip if req.path_without_extentions == '/api/v1/widget/contacts' && (req.patch? || req.put?)
   end
+
+  ## Prevent Conversation Bombing through multiple sessions
+  throttle('widget?website_token={website_token}&cw_conversation={x-auth-token}', limit: 5, period: 1.hour) do |req|
+    req.ip if req.path_without_extentions == '/widget' && ActionDispatch::Request.new(req.env).params['cw_conversation'].blank?
+  end
 end
 
 # Log blocked events
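Review bot: The new rule counts only `/widget` requests whose `cw_conversation` parameter is blank, so its effectiveness depends on the `/widget` handler refusing to start a new session when the parameter is present but does not match a known token; if an unknown token falls back to creating a conversation, those requests are never throttled, and that behaviour should be confirmed before relying on this rule. Constructing a fresh `ActionDispatch::Request` from `req.env` just to read one query parameter looks unnecessary, because `req` is already a `Rack::Request` and `req.params['cw_conversation'].blank?` reads the same query/form value without a second parse (the ActionDispatch parse can also raise on malformed parameters from inside the middleware, ahead of the app's own error handling, which is worth checking). The throttle name `'widget?website_token={website_token}&cw_conversation={x-auth-token}'` becomes the cache-key prefix and the `rack.attack.matched` value written to logs, so a plain identifier such as `'widget/new_session'` would be easier to read and to alert on. A limit of 5 per hour per `req.ip` is tight for visitors behind a shared NAT or corporate proxy address; the comment should record why that value was chosen, and keying the discriminator on the `website_token` as well as the IP may reduce collateral blocking.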