Reputation: 445
How to prevent abuse of internal API calls in a website without user interaction (username, password)?
Assuming a website front-end is internally calling a backend api to fetch the current time and show it on the webpage. How to prevent a malicious user from monitoring the GET request and simply abusing it.
I have seen methods like JWT but this requires some interaction from a user to input a username and a password. What other methods can fit in a scenario like the one above to protect internal api calls.
Upvotes: 1
Views: 528
Answers (1)
Reputation: 1283
There are no guaranteed ways to keep a public API from being abused.
Authentication could help, but if the abuser has rights to the service already (has their JWT in your example), they could just use that token when making the calls to the API. This would help identify the abusing user so you can shut off their access, so giving some unique identifier to each user is probably not a bad idea.
More likely, you're looking for a way to throttle your API. You could setup your throttling in such a way that it identifies a user by IP address or something else relatively difficult for the attacker to change. It would only allow a certain number of requests per time window (e.g. 1000 requests per half hour).
There are several ways to implement things like this in code. You can also use network-level protections like a WAF or similar proxy.
Upvotes: 1
Related Questions
- How to protect public APIs (no credentials) from being exploited?
- Prevent API "spoofing" or "hacking"
- How to protect API?
- Prevent malicious users from abusing and spamming unauthenticated open APIs
- How do I prevent abuse of my api's by 3rd parties in javascript?
- How to prevent API calls outside a web site
- API Security w/o User Accounts
- Rest API security without authentication on external requests
- How do I prevent a user from accessing a server's API directly and instead force them to use the UI?
- How can I protect access to an API without having tokens/passwords on the URL?