API endpoints brute force protection/rate limiting
Hello,
I would like to know how to protect API endpoints and if it's possible at all. Let's say that I want to define some "brute force protection" for API endpoints, but they are not login pages. There is no username/password. I will add some use cases below.
1. Specific API endpoint - /api/this_is_a_single_endpoint/do_something.
I want to define X requests for IP or user during X minutes and then block for X minutes
As a workaround I can create virtual and positional parameters and "force" a specific endpoint to be a login page. This works, but it's not a nice solution.
2. API endpoints with wildcard - /api/*
Let's say that I want to achieve the same - X requests for IP or user during X minutes and then block for X minutes. Is there any way to do it?
Hi JustJozef,
F5 has a couple of solutions for that:
- BIG-IP with APM module
- NGINX and NGINX Plus Rate Limiting as well as
- Secure Your API Gateway with NGINX App Protect WAF
- Distributed Cloud WAAP - Manage and Secure APIs
Since you came here, I guess that you are looking for the BIG-IP solution. Take a look at this video to get some idea of how to start: F5 BIG IP - API Security v15 0
Is that the kind of information you were looking for?
KR
Daniel
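For the BIG-IP route the reply points to, here is an added example iRule (my own, not code from this thread or from F5 documentation) that implements the two use cases from the question directly on LTM without turning the endpoint into a login page: count requests per client IP under `/api/*` in a fixed window and block that IP for a set time once the threshold is crossed. The subtable names, the thresholds (100 requests per 60 s, 300 s block) and the 429 response are assumptions chosen for illustration.

```tcl
# Added example, not from the thread or F5 documentation: a BIG-IP LTM iRule
# for use case 2 (wildcard /api/*); use case 1 is the same logic with the
# prefix changed to the single path. Thresholds are assumed placeholders.
when RULE_INIT {
    # Assumed policy: at most 100 requests per client IP in a 60 s window,
    # then block that IP for 300 s. Tune to the real traffic profile.
    set static::api_max_reqs   100
    set static::api_window     60
    set static::api_block_time 300
}

when HTTP_REQUEST {
    # Scope the limit to the API. For a single endpoint (use case 1) use the
    # full path, e.g. "/api/this_is_a_single_endpoint/do_something".
    if { not ([HTTP::path] starts_with "/api/") } { return }

    # Key by source IP. To limit per user instead, key on an identifier the
    # request carries, e.g. [HTTP::header "X-API-Key"] (header name assumed).
    set client [IP::client_addr]

    # Already blocked? Reject without touching the counters.
    if { [table lookup -notouch -subtable api_block $client] ne "" } {
        HTTP::respond 429 content "Rate limit exceeded" "Retry-After" $static::api_block_time
        return
    }

    # Count this request. -notouch keeps the window fixed instead of
    # extending it on every hit.
    set count [table incr -notouch -subtable api_count $client]
    if { $count == 1 } {
        # First request of a new window: the entry expires with the window.
        table timeout -subtable api_count $client $static::api_window
    }

    if { $count > $static::api_max_reqs } {
        # Threshold crossed: create a block entry that expires after
        # block_time and clear the counter so a fresh window starts later.
        table set -subtable api_block $client 1 $static::api_block_time
        table delete -subtable api_count $client
        log local0. "API rate limit: blocking $client for $static::api_block_time s"
        HTTP::respond 429 content "Rate limit exceeded" "Retry-After" $static::api_block_time
        return
    }
}
```

Attach the iRule to the virtual server that fronts the API (it needs an HTTP profile). Two practical points: the `table` command is shared across TMMs, so counts are consistent on the box, but clients behind a shared NAT share one counter and can be blocked together, and the `log` line is what you will want to watch in `/var/log/ltm` to confirm the thresholds are not tripping on legitimate bursts before you tighten them.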