DEV Community

Discussion on: How to prevent misuse of a public REST API endpoint.

Inam Ul Haq Author

Thanks for a great solution.

But still, any hacker can misuse that login endpoint by inserting thousands of users in a minute; that is my real concern.

Ryosuke

There are several other ways to prevent that.

  • Rate limits on API keys
  • Rate limits on user registration
  • IP logging of users to DB + checking on registration for previous IPs
  • Re-captcha on the form
  • A honeypot (for physical forms) or CSRF (for both) to prevent brute force registration/authentication
  • Requiring email validation before account use

As long as any API is public there is a chance that it will be abused. It's all about reducing that chance.

The other option tends to be restricting registration -- which can hinder an app's adoption rate. Sometimes it's better to let spammers sneak in if it means real users don't get locked out.
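An added example (not code from either commenter) showing two items from that list applied to a registration endpoint: a per-IP sliding-window rate limit and a honeypot form field. The limits, the field name `website` and the IP addresses are assumed values; the clock is injectable so the behaviour can be checked without waiting.

```python
import time
from collections import defaultdict, deque

# Assumed policy: at most 5 registration attempts per IP in any 10-minute window.
WINDOW_SECONDS = 600
MAX_PER_WINDOW = 5
# Assumed name of a hidden form field that real users never fill in; bots
# that blindly populate every field reveal themselves by setting it.
HONEYPOT_FIELD = "website"


class RegistrationGuard:
    def __init__(self, window=WINDOW_SECONDS, limit=MAX_PER_WINDOW, clock=time.monotonic):
        self.window = window
        self.limit = limit
        self.clock = clock
        # ip -> timestamps of recent attempts (oldest first)
        self.attempts = defaultdict(deque)

    def _recent(self, ip, now):
        """Drop timestamps that have fallen out of the window and return the rest."""
        q = self.attempts[ip]
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def check(self, ip, form):
        """Decide whether a registration request may proceed.

        Returns (allowed, reason). Every attempt inside the window is counted,
        even the rejected ones, so an IP that keeps flooding stays blocked
        until it backs off for a full window.
        """
        if form.get(HONEYPOT_FIELD):
            return False, "honeypot"
        now = self.clock()
        q = self._recent(ip, now)
        q.append(now)
        if len(q) > self.limit:
            return False, "rate_limited"
        return True, "ok"


def handle_registration(guard, ip, form):
    """Minimal endpoint wrapper: map the guard's decision to an HTTP status."""
    allowed, reason = guard.check(ip, form)
    if not allowed:
        # 429 for rate limiting; a honeypot hit can be silently accepted or 400'd
        return (429 if reason == "rate_limited" else 400), reason
    return 201, "created"
```

Email verification (the last item on the list) is a separate gate applied after this check, typically by creating the account in an unverified state that cannot log in until the emailed token is used.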