I have a REST API for CRUD operations on a database table, where inserting record does not require any authentication. The question is, how can I prevent that endpoint of my API from possible misuse, cause anyone can enter thousands of rows in a minute using a simple script.
I'm using Slim-PHP and JWT.
Thank You.
Top comments (7)
A few things:
Thanks for some good suggestions.
I'm using JWT token for updating, deleting, getting record. I also have a endpoint for login where I get that JWT token.
I can't use JWT for inserting, because thats where a user is being created for login.
You should create a separate, non-authenticated endpoint for login -- and a separate endpoint for inserting other types of data.
It might seem like you're repeating code or something, but it's just a necessity for security.
Thanks for a great solution.
But still any hacker can misuse that login endpoint by inserting thousands of users in a minute, that is my real concern.
There are several others ways to prevent that.
As long as any API is public there is a chance that it will be abused. It's all about reducing that chance.
The other option tends to be restricting registration -- which can hinder an apps adoption rate. Sometimes it's better to let spammers sneak in if it means real users don't get locked out.
Ryosuke provided some great solutions and of I'll implement those for sure.
Thank you very much :)
If you don't want to modify your code you could just slap Apigee or something on it.