API Security Weekly: Issue 171

This week, we have news of multiple API flaws and vulnerabilities: the parcel tracking portal at DPD that may have exposed customer data, an API vulnerability in Apache Pulsar that allowed access to data in other tenants, and an SQL injection vulnerability in the Casdoor API. On the more positive side, we take a look at emerging trends in the API industry.

Vulnerability: DPD Parcel Tracking Flaw May Have Exposed Customer Data

The big news this week was the disclosure of a vulnerability in the parcel tracking portal of DPD Group, which may have exposed customer data.

API Throttling Strategies When Clients Exceed Their Limit

When a client reaches its API usage limit, the API rejects the request by returning the HTTP 429 Too Many Requests error to the client. The client may retry after the retry period, which is usually returned in a custom HTTP response header. This is the most commonly employed API throttling strategy.

There are situations where an API depends on an external service provider with a fixed capacity. Because this dependency cannot handle bursts of requests, we have to control the throughput of requests forwarded to it so that we stay within its service level agreement. In this article, we will explore two alternative strategies for throttling API usage under this condition:

Edge Security Policy at Kubernetes Ingress Using Helm and Envoy

Introduction: EnRoute Helm Chart

Helm is a popular package manager choice for Kubernetes. Installation of software, managing versions, upgrading versions, and finding charts from the registry are key benefits of Helm.

The EnRoute Helm chart installs the EnRoute Ingress Controller and provides easy configuration options to define policy for a service. The chart gives fine-grained control over L7 policies through its ability to enable or disable plugins for a service, using configuration options that are specified when Helm is invoked.

Understanding API Rate-Limiting Techniques in Zato

Enabling rate-limiting in Zato means that access to Zato-based APIs can be throttled per endpoint, user, or service — including options to make limits apply to specific IP addresses only — and if limits are exceeded within a selected period of time, the invocation will fail. Let's check how to use it all.

Where and When Limits Apply

Rate-limiting aware objects in Zato

Can your API Gateway Tango to Open API Spec?

Open API Spec — an API-First Approach

Enterprises today use an API-first approach to application development and data sharing. This API-based approach is applied in several scenarios, such as breaking up a monolith into microservices, adopting the cloud, and adopting Kubernetes.

APIs are also a popular choice for adopting a service-oriented architecture. An API is also a key tenet of data sharing and logic reuse. An API in an application can be compared to a function in the imperative programming paradigm.

Where Is My API Gateway?

Applications are changing, and so is the infrastructure required to support them. Earlier, when applications were developed and deployed as monoliths, the network infrastructure around them was built the same way. A monolith needed services such as security and monitoring from the perimeter proxy. But as the monolithic application is broken up into several smaller parts, the infrastructure that supports it has to change too.

At the center of this change is how the proxy has adapted to providing infrastructure for services, the smaller pieces of the former monolith. The proliferation of services has also given rise to the service mesh pattern, in which application functions that used to be baked into the application (such as a tracing library integrated with the application) have moved into the proxy.

Implementing DDoS With MuleSoft: Demonstration With Apache JMeter

DDoS (Distributed Denial Of Service)

A Distributed Denial-of-Service (DDoS) attack is any attack in which the attackers attempt to prevent legitimate users from accessing a service. In a DDoS attack, the attacker typically floods the network or server with requests, often with invalid return addresses, that the target must spend resources handling.

How to Prevent DDoS Attacks

There are different ways to mitigate DDoS attacks: we can use IP blacklisting to drop traffic from known attack sources, rate limit the application so it cannot be overwhelmed, or combine both to provide multiple layers of protection.
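To make the two mechanisms discussed on this page concrete, the 429 Too Many Requests response with a retry period from the throttling article and the rate-limit-plus-IP-blacklist combination from the DDoS article, here is an added example that is not code from any of the linked articles or projects. It is a per-client token-bucket throttler with an injected clock; the burst size of 3 and sustained rate of 1 request per second are constructed sample values, and the standard Retry-After header is used where the article mentions a custom header.

```python
import math
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Per-client bucket: `capacity` is the allowed burst, `refill_per_sec`
    the sustained rate. The clock (`now`) is injected so behaviour is
    deterministic and testable without sleeping."""
    capacity: float
    refill_per_sec: float
    tokens: float = 0.0
    updated: float = 0.0

    def _refill(self, now: float) -> None:
        elapsed = max(0.0, now - self.updated)  # ignore clock going backwards
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.updated = now

    def try_take(self, now: float) -> float:
        """Return 0.0 if a token was consumed, otherwise the number of
        seconds until one token will be available (the Retry-After value)."""
        self._refill(now)
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return 0.0
        return (1.0 - self.tokens) / self.refill_per_sec


class Throttler:
    """Admission decision for one request. Constructed policy: burst of 3,
    then 1 request/second per client key (an IP address or API key)."""

    def __init__(self, capacity=3, refill_per_sec=1.0, blocklist=()):
        self.capacity, self.rate = capacity, refill_per_sec
        self.blocklist = set(blocklist)  # known attack sources (IP blacklisting)
        self.buckets = {}

    def handle(self, client: str, now: float):
        """Return (HTTP status, response headers) for a request from `client`."""
        if client in self.blocklist:
            return 403, {}  # blacklisted sources are refused before any limit check
        bucket = self.buckets.setdefault(
            client, TokenBucket(self.capacity, self.rate, tokens=self.capacity, updated=now))
        wait = bucket.try_take(now)
        if wait == 0.0:
            return 200, {"X-RateLimit-Remaining": str(int(bucket.tokens))}
        # Over the limit: reject with 429 and tell the client when to retry
        # (whole seconds, rounded up so an early retry is never advised).
        return 429, {"Retry-After": str(math.ceil(wait))}
```

Note that the per-client dictionary grows with every distinct key, so a production deployment would evict idle buckets or keep them in a shared store such as Redis when several API instances must enforce one limit.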