
How would I protect an API from abuse?

Hey everyone, I run an image hosting website and I'm designing an API for it. My concern is that I don't want anyone to be able to do something like:

while(true) { 
    Upload();
}

and spam/DoS the site.

My current solution is to limit all IP addresses to a certain number of uploads per day/hour. I believe this will work fine for desktop applications that will use the API, but for websites that wish to use it, all the users will have the same IP (the server's).

I suppose the best solution would be to have user accounts that authenticate with the API, and then ban each account if they abuse it. The problem with this is that my site has no user accounts at all; it's all completely anonymous.

What else can be done? I would like to keep things as open as possible, while at the same time have the ability to ban users/IPs who are obviously abusing the service.

Alan asked Sep 10 '09 01:09


1 Answer

If you don't want to implement user accounts, how about having those that want to use the API sign up for an API key/secret, which you can use to rate limit with?

Olivieri answered Sep 30 '22 20:09
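One way to rate limit by API key/secret as the answer suggests, shown as an added example that is not part of the original post. It assumes each request carries the key, a timestamp and an HMAC-SHA256 signature made with the secret; the class name, method names, token-bucket policy and sample keys are all hypothetical.

```python
import hashlib
import hmac
import time

class ApiKeyLimiter:
    """Per-key token bucket; a request only counts if its HMAC matches the key's secret."""
    def __init__(self, capacity, refill_per_sec, max_skew=300):
        self.capacity = capacity          # burst size per API key
        self.refill = refill_per_sec      # tokens regained per second
        self.max_skew = max_skew          # seconds a signed timestamp stays valid
        self.secrets = {}                 # api_key -> secret bytes
        self.buckets = {}                 # api_key -> (tokens, last_seen)
        self.banned = set()

    def register(self, api_key, secret):
        self.secrets[api_key] = secret

    @staticmethod
    def sign(secret, api_key, timestamp, body):
        # Signing key, timestamp and body hash stops reuse of a signature on other uploads.
        msg = f"{api_key}\n{timestamp}\n".encode() + hashlib.sha256(body).digest()
        return hmac.new(secret, msg, hashlib.sha256).hexdigest()

    def check(self, api_key, timestamp, body, signature, now=None):
        now = time.time() if now is None else now
        secret = self.secrets.get(api_key)
        if secret is None or api_key in self.banned:
            return "rejected"
        expected = self.sign(secret, api_key, timestamp, body)
        if not hmac.compare_digest(expected.encode(), signature.encode()):
            return "rejected"             # forged or corrupted request
        if abs(now - timestamp) > self.max_skew:
            return "rejected"             # stale timestamp, likely a replay
        tokens, last = self.buckets.get(api_key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        allowed = tokens >= 1
        self.buckets[api_key] = (tokens - 1 if allowed else tokens, now)
        return "ok" if allowed else "rate_limited"

    def ban(self, api_key):
        self.banned.add(api_key)          # abusive integrator loses access, others keep it

if __name__ == "__main__":
    # Constructed sample: one site key making four uploads in the same second.
    lim = ApiKeyLimiter(capacity=3, refill_per_sec=1 / 60)
    lim.register("site-a", b"constructed-secret")
    t = 1_000_000
    sig = ApiKeyLimiter.sign(b"constructed-secret", "site-a", t, b"img")
    print([lim.check("site-a", t, b"img", sig, now=t) for _ in range(4)])
```

The limit follows the key rather than the IP, so a website integrating the API from one server address gets its own budget and can be banned without affecting other integrators.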