There are multiple ways to retrieve the UUID from a username:

GET https://api.mojang.com/users/profiles/minecraft/{name}

(Limited to 600 requests / 10 minutes, or 1/s on average)

POST https://api.mojang.com/profiles/minecraft

["player1", "player" ...]

(Same rate limit)

Unfortunately, these rate limits also limit the quality of third party products, as this makes it impossible to access user data via username. I am aware that usernames should not be used for user reliable identification, however they are still the best way when dealing with user input (UUIDs not so much). E.g. 'What's your Minecraft account?'

GET https://sessionserver.mojang.com/session/minecraft/profile/{uuid}

The profiles API has a better approach at rate limiting: Instead of limiting the overall requests per time, this has a much stricter limit for a UUID per time. That means you can make as many requests to the API as you like, as long as you don't request the same UUID within one minute.
This limit requires caching request responses, but that problem can easily be solved at the client side.

This issue could be fixed by applying the same kind of time + username rate limit to one of the two username endpoints.

Please keep in mind that many clients will access the profile info for the username's UUID instantly upon retrieval of the former, so you may want to change or provide a new endpoint for username -> profile if that's reasonable from the API point of view.

Please let me know if anything is unclear.

This problem was also partly discussed with @KrisJelbring at WEB-12.