Hi community. I am planning to build my own product which would have the functionality exposed as a REST API for others to consume and I am looking to secure my API against DDoS.
I am thinking of creating the REST API in PHP but I can go with Firebase also for Serverless Architecture, if the cost is not going to be exorbitant in the long run and the Firebase Functions are secured automatically against DDoS.
Can anybody give me some pointers? Thanks.
Top comments (3)
@gauravchandra I believe you need to mention more details about the API, in order to determine what kind of security you need. For example, it the API will be public, then not only you will add authentication, you must also throttle excessive requests from valid users. Now this is something which can be handled by the webserver and not the API (nginx has very good support for request limiting and throttling). Of course there's more to it.
Thanks @vishalraj82 for your reply. Yes, there will be a public facing api and it will have authentication. I did not know about throttling at nginx level. I will have a look into it.
My main concern is that the reliability aspect of the api. I don't want to suffer downtime due to DDoS.
From a developers perspective, there's very limited scope of mitigating the DDOS attack. Its mostly handled by the IT team. As geneal information, there are hardware firewalls specially build to minimize such attacks. Web application firewalls are place in front of the application to control DDOS. For you, the best way to prevent such attacks on your API is to use services from Cloudflare or other similar providers.