How to prevent misuse of a public REST API endpoint.

#discuss #php #slim #restapi

I have a REST API for CRUD operations on a database table, where inserting record does not require any authentication. The question is, how can I prevent that endpoint of my API from possible misuse, cause anyone can enter thousands of rows in a minute using a simple script.

I'm using Slim-PHP and JWT.

Thank You.

Top comments (7)

rhymes • Jul 20 '18

A few things:

monitoring, you need to know if and when people are abusing the API
if you don't require authentication, where does JWT fit in all of this?
look into rate limiting, you can rate limit based on the IP for example

Inam Ul Haq • Jul 20 '18 • Edited

Thanks for some good suggestions.

I'm using JWT token for updating, deleting, getting record. I also have a endpoint for login where I get that JWT token.

I can't use JWT for inserting, because thats where a user is being created for login.

Ryosuke • Jul 21 '18

You should create a separate, non-authenticated endpoint for login -- and a separate endpoint for inserting other types of data.

It might seem like you're repeating code or something, but it's just a necessity for security.

Inam Ul Haq • Jul 21 '18

Thanks for a great solution.

But still any hacker can misuse that login endpoint by inserting thousands of users in a minute, that is my real concern.

Ryosuke • Jul 21 '18

There are several others ways to prevent that.

Rate limits on API keys.
Rate limits on user registration
IP logging of users to DB + checking on registration for previous IPs
Re-captcha on the form
A honeypot (for physical forms) or CSRF (for both) to prevent brute force registration/authentication
Requiring email validation before account use

As long as any API is public there is a chance that it will be abused. It's all about reducing that chance.

The other option tends to be restricting registration -- which can hinder an apps adoption rate. Sometimes it's better to let spammers sneak in if it means real users don't get locked out.