In this article, we will discuss several possible ways to protect the API from abuse. As the old saying goes, there is no such thing as a completel...
For further actions, you may consider blocking this person and/or reporting abuse
I have played with isolate API, auth and database servers from the internet. Which means there is no direct access from the browser to the API etc. You must contact the Web server and then forward the query to the "isolated safe box" by using internal IP-addresses.
This does not mean that encryption is unnecessary, but it adds an extra layer of security...