How to secure HTTP API?
Posted: Fri Jul 12, 2024 2:33 am
by huntrashmi
I’m making a site similar to a file conversion site. I want it to be open and public, aka no logins necessary. I figured an AWS HTTP API could be good for this because it’s cheaper and doesn’t need advanced features that a REST API has. But I’m concerned about someone directly calling my API outside the browser and spamming it, for example. How would you protect your API from this? Ideally I’d like it to only be callable from my front end, but maybe this isn’t possible. Otherwise maybe rate limit based on IP address? I’ve only ever built private websites, so all these considerations for a public-facing website are new to me. Any help is appreciated! Thanks.
Re: How to secure HTTP API?
Posted: Fri Jul 12, 2024 2:43 am
by Scott Klement
huntrashmi wrote: ↑Fri Jul 12, 2024 2:33 am
I’m making a site similar to a file conversion site. I want it to be open and public, aka no logins necessary. I figured an AWS HTTP API could be good for this because it’s cheaper and doesn’t need advanced features that a REST API has.
This site is for a specific software package called "HTTPAPI" that allows RPG programmers for the IBM i operating system to make HTTP calls from their programs.
You seem to have assumed that it was for a general-purpose discussion of APIs that use HTTP protocol. It is not.
Though, I'm very curious as to what, in your mind, is the distinction between an "HTTP API" and a "REST API". REST is an architectural style that really has nothing to do with what features it has.
huntrashmi wrote: ↑Fri Jul 12, 2024 2:33 am
But I’m concerned about someone directly calling my API outside the browser and spamming it, for example. How would you protect your API from this? Ideally I’d like it to only be callable from my front end, but maybe this isn’t possible. Otherwise maybe rate limit based on IP address? I’ve only ever built private websites, so all these considerations for a public-facing website are new to me. Any help is appreciated! Thanks.
Rate limiting isn't a bad idea. You could also require TLS with a client-side certificate, and limit how quickly you respond to failed certificate attempts -- this way valid access attempts aren't penalized. Or use something like OAuth logins and allow a separate login provider (such as when people log in with their Google account, or Facebook account, etc.). Block and/or limit logins that aren't authenticated in that way.
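Two of the ideas in the reply above (per-IP rate limiting, and slowing down clients that fail authentication without penalizing clients that succeed) can be combined in one small piece of server-side logic. The following is an added illustration, not code from this thread, from HTTPAPI, or from AWS; it assumes a hypothetical request handler that already knows the client's source address and whether its client certificate validated, and it uses an injectable clock so the behaviour can be exercised without waiting in real time.

```python
"""Per-client token-bucket rate limiting plus an escalating penalty for
failed authentication attempts (constructed example, not a library API)."""
import time
from dataclasses import dataclass


@dataclass
class _ClientState:
    tokens: float                # tokens currently in this client's bucket
    last_refill: float           # clock reading at the last refill
    blocked_until: float = 0.0   # clock reading before which requests are refused
    auth_failures: int = 0       # consecutive failed authentication attempts


class RateLimiter:
    """Token bucket keyed by client (e.g. source IP), with auth-failure backoff.

    A client may spend `capacity` tokens in a burst and then earns
    `refill_per_sec` tokens per second. Each failed authentication doubles a
    block window (base_penalty, 2x, 4x, ... capped at max_penalty); a success
    resets it, so well-behaved clients are never slowed by others' failures.
    """

    def __init__(self, capacity=10, refill_per_sec=1.0,
                 base_penalty=2.0, max_penalty=60.0, clock=time.monotonic):
        self.capacity = float(capacity)
        self.refill_per_sec = float(refill_per_sec)
        self.base_penalty = float(base_penalty)
        self.max_penalty = float(max_penalty)
        self.clock = clock          # injectable for deterministic testing
        self._clients = {}

    def _state(self, key):
        """Fetch (creating if needed) the client's state, refilled to 'now'."""
        now = self.clock()
        st = self._clients.get(key)
        if st is None:
            st = _ClientState(tokens=self.capacity, last_refill=now)
            self._clients[key] = st
        else:
            elapsed = now - st.last_refill
            st.tokens = min(self.capacity, st.tokens + elapsed * self.refill_per_sec)
            st.last_refill = now
        return st, now

    def allow(self, key, cost=1.0):
        """Return True if the request may proceed; spends `cost` tokens if so."""
        st, now = self._state(key)
        if now < st.blocked_until:      # still inside an auth-failure penalty
            return False
        if st.tokens >= cost:
            st.tokens -= cost
            return True
        return False                    # bucket empty: client is over its rate

    def record_auth_failure(self, key):
        """Escalate the block window for this client; returns the penalty applied."""
        st, now = self._state(key)
        st.auth_failures += 1
        penalty = min(self.max_penalty,
                      self.base_penalty * 2 ** (st.auth_failures - 1))
        st.blocked_until = now + penalty
        return penalty

    def record_auth_success(self, key):
        """A valid credential clears any accumulated penalty."""
        st, _ = self._state(key)
        st.auth_failures = 0
        st.blocked_until = 0.0


def handle_request(limiter, client_ip, cert_valid):
    """Hypothetical handler: returns an HTTP status code for one request.

    `cert_valid` stands in for the result of TLS client-certificate validation
    (or any other authentication) that the real server would have performed.
    """
    if not limiter.allow(client_ip):
        return 429                      # Too Many Requests (or still penalised)
    if not cert_valid:
        limiter.record_auth_failure(client_ip)
        return 401                      # Unauthorized
    limiter.record_auth_success(client_ip)
    return 200


class FakeClock:
    """Manually advanced clock so the scenario below is deterministic."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t

    def advance(self, seconds):
        self.t += seconds


def scenario():
    """Constructed traffic: one legitimate client bursting, one client
    repeatedly failing authentication. Returns the observed status codes."""
    clock = FakeClock()
    lim = RateLimiter(capacity=3, refill_per_sec=1.0, base_penalty=2.0, clock=clock)
    out = {}
    out["good_burst"] = [handle_request(lim, "10.0.0.1", True) for _ in range(5)]
    clock.advance(2)                    # two tokens refill for 10.0.0.1
    out["good_after_refill"] = handle_request(lim, "10.0.0.1", True)
    out["bad_first"] = handle_request(lim, "10.0.0.2", False)   # 2 s penalty
    out["bad_retry"] = handle_request(lim, "10.0.0.2", False)   # inside penalty
    clock.advance(2)                    # penalty expired
    out["bad_after_penalty"] = handle_request(lim, "10.0.0.2", False)  # 4 s penalty
    out["good_unaffected"] = handle_request(lim, "10.0.0.1", True)
    return out


if __name__ == "__main__":
    for name, result in scenario().items():
        print(f"{name}: {result}")
```

The point of keeping the authentication penalty separate from the token bucket is the one made in the reply: a client presenting a valid certificate is only limited by its own request rate, while a client that keeps failing gets progressively longer refusals regardless of how many tokens it has. In a real deployment the per-client state would live in a shared store rather than process memory, and keying purely on source IP should be expected to lump together clients behind the same NAT or proxy.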