API Security - Lack of Resources & Rate Limiting Vulnerability

Mon May 30 2022

2 min read

API security is the process of protecting APIs from attacks. Because APIs are so widely used, they are a frequent target for attackers. API vulnerabilities are common and can bring down your whole system if left untreated. APIs may have vulnerabilities such as broken authentication and authorization, improper assets management, and lack of rate limiting. Regularly testing your APIs will help you identify vulnerabilities and address them.

According to the Open Web Application Security Project (OWASP), there are ten API vulnerabilities that should be taken care of when you build an API. In this guide, let’s look at the Lack of Resources & Rate Limiting vulnerability.

Lack of Resources & Rate Limiting

When the API does not limit the number or frequency of requests from a particular API client, that client can make many API calls per second or request hundreds or thousands of data records at once, and the server will still try to fulfill every request. This is what causes lack of resources and rate limiting issues.

This vulnerability allows attackers to launch denial-of-service (DoS) attacks and degrades the API server’s overall performance.

When the server receives too many requests at a time, its ability to process them is hampered, which makes the service slow or unavailable for other users. If an API endpoint is already leaking information, lack of rate limiting also lets attackers extract that sensitive data faster.

How To Prevent It?

You can prevent lack of resources and rate limiting in multiple ways.

  • To make sure that lack of resources and rate limiting issues do not occur, ensure that each client can only make a certain number of requests over a certain period. This keeps excessive requests from affecting the API server’s performance.
  • Verify on both the client and server side that the request body and the response are not too large. This in turn helps protect against the issue.
  • Adding checks on compression ratios will further prevent it from occurring.
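The three controls above, as an added example that is not part of the original post: a per-client sliding-window request limiter, a request-body size cap, and a decompression-ratio check that refuses to inflate a body past a bounded size. `MAX_BODY`, `MAX_RATIO`, the limits and the request bodies are hypothetical values chosen for illustration.

```python
import zlib
from collections import deque

MAX_BODY = 64 * 1024   # hypothetical request-body cap in bytes
MAX_RATIO = 20         # hypothetical maximum decompressed:compressed ratio

class SlidingWindowLimiter:
    """Allow at most `limit` requests per client in any `window` seconds."""
    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self._hits = {}  # client_id -> deque of accepted-request timestamps

    def check(self, client_id, now):  # now: monotonic seconds (time.monotonic())
        q = self._hits.setdefault(client_id, deque())
        while q and now - q[0] >= self.window:  # forget hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False, self.window - (now - q[0])  # (allowed, retry_after)
        q.append(now)
        return True, 0

def safe_decompress(data, max_ratio=MAX_RATIO, max_body=MAX_BODY):
    """Inflate zlib data but stop once the output exceeds the ratio or body cap."""
    cap = min(max_ratio * len(data), max_body)
    out = zlib.decompressobj().decompress(data, cap + 1)  # never inflate past cap
    if len(out) > cap:
        raise ValueError("decompressed body exceeds allowed size")
    return out

def handle_request(limiter, client_id, body, compressed=False, now=0):
    """Return the HTTP status the server should send: 429, 413 or 200."""
    allowed, retry_after = limiter.check(client_id, now)
    if not allowed:
        return 429  # Too Many Requests; send Retry-After: ceil(retry_after)
    if len(body) > MAX_BODY:
        return 413  # Payload Too Large, rejected before any parsing work
    if compressed:
        try:
            body = safe_decompress(body)
        except (ValueError, zlib.error):
            return 413
    return 200

def demo():
    lim = SlidingWindowLimiter(limit=3, window=60)
    small, bomb = zlib.compress(b'{"ok": 1}'), zlib.compress(b"A" * 100_000)  # constructed
    return (handle_request(lim, "c1", small, compressed=True, now=0),
            handle_request(lim, "c1", bomb, compressed=True, now=1),
            handle_request(lim, "c1", b"x" * (MAX_BODY + 1), now=2),
            handle_request(lim, "c1", small, compressed=True, now=3))
```

`demo()` walks one client through the checks: the small body passes, the highly compressible body and the oversized body are rejected with 413 before the server does any real work, and the fourth request within the window is rejected with 429.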