DEV Community

Inam Ul Haq

How to prevent misuse of a public REST API endpoint.

I have a REST API for CRUD operations on a database table, where inserting a record does not require any authentication. The question is, how can I prevent that endpoint of my API from possible misuse, because anyone can enter thousands of rows in a minute using a simple script.

I'm using Slim-PHP and JWT.

Thank You.

Top comments (7)

rhymes

A few things:

  • monitoring, you need to know if and when people are abusing the API
  • if you don't require authentication, where does JWT fit in all of this?
  • look into rate limiting, you can rate limit based on the IP for example
Inam Ul Haq

Thanks for some good suggestions.

I'm using the JWT token for updating, deleting and getting records. I also have an endpoint for login where I get that JWT token.

I can't use JWT for inserting, because that's where a user is being created for login.

Ryosuke

You should create a separate, non-authenticated endpoint for login -- and a separate endpoint for inserting other types of data.

It might seem like you're repeating code or something, but it's just a necessity for security.

Inam Ul Haq

Thanks for a great solution.

But still any hacker can misuse that login endpoint by inserting thousands of users in a minute, that is my real concern.

Ryosuke

There are several other ways to prevent that.

  • Rate limits on API keys.
  • Rate limits on user registration
  • IP logging of users to DB + checking on registration for previous IPs
  • Re-captcha on the form
  • A honeypot (for physical forms) or CSRF (for both) to prevent brute force registration/authentication
  • Requiring email validation before account use

As long as any API is public there is a chance that it will be abused. It's all about reducing that chance.

The other option tends to be restricting registration -- which can hinder an app's adoption rate. Sometimes it's better to let spammers sneak in if it means real users don't get locked out.
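As an added example (not code from this thread or from Slim), here is a Slim 4 middleware that applies the per-IP rate limit suggested above to only the unauthenticated registration route, so JWT-protected routes are untouched. It assumes PHP 8, slim/slim 4 with slim/psr7, and the APCu extension as the shared counter store; the limit, window and route path are hypothetical choices.

```php
<?php
// Added example, not from the thread: fixed-window, per-IP rate limiting of
// the unauthenticated registration route in Slim 4 (PSR-15 middleware).
// Assumes PHP 8, slim/slim 4 + slim/psr7 and APCu (apcu.enable_cli=1 for CLI tests).
use Psr\Http\Message\{ResponseInterface, ServerRequestInterface};
use Psr\Http\Server\{MiddlewareInterface, RequestHandlerInterface};
use Slim\Factory\AppFactory;
use Slim\Psr7\Response;

final class RegistrationRateLimit implements MiddlewareInterface
{
    // At most $limit registrations per $windowSeconds from one client IP (hypothetical values).
    public function __construct(private int $limit = 5, private int $windowSeconds = 600) {}

    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        // REMOTE_ADDR is set by the web server and cannot be forged by the client.
        // Read X-Forwarded-For only if a trusted reverse proxy in front of PHP sets it.
        $ip  = $request->getServerParams()['REMOTE_ADDR'] ?? 'unknown';
        $key = 'reg-limit:' . $ip;

        // apcu_add succeeds only when the key is absent, which starts a new window
        // with a TTL; apcu_inc then counts this request. Both calls are atomic.
        apcu_add($key, 0, $this->windowSeconds);
        $count = apcu_inc($key);

        // A store failure is treated as over the limit (fail closed).
        if ($count === false || $count > $this->limit) {
            $response = (new Response())->withStatus(429)
                ->withHeader('Retry-After', (string) $this->windowSeconds)
                ->withHeader('Content-Type', 'application/json');
            $response->getBody()->write(json_encode(['error' => 'Too many registrations, try again later']));
            return $response;
        }
        return $handler->handle($request);
    }
}

$app = AppFactory::create();

// Only the public registration route gets the limiter; routes that require the
// JWT keep their own authentication middleware.
$app->post('/users', function (ServerRequestInterface $request, ResponseInterface $response) {
    $response->getBody()->write(json_encode(['status' => 'created']));
    return $response->withHeader('Content-Type', 'application/json')->withStatus(201);
})->add(new RegistrationRateLimit(limit: 5, windowSeconds: 600));

$app->run();
```

Counting in APCu is per PHP process pool, so a deployment with several application servers needs a shared store such as Redis behind the same logic, and the 429 responses should be logged so abuse of the endpoint is visible.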

Inam Ul Haq

Ryosuke provided some great solutions and I'll implement those for sure.

Thank you very much :)

🦄N B🛡

If you don't want to modify your code you could just slap Apigee or something on it.