API endpoints brute force protection/rate limiting

Question

Hello,I would like to know how to protect API endpoints and if it's possible at all. Let's say that I want define some "brute force protection" for API endpoints but they are not login pages. There is no username/password. I will add some use cases below.1. Specific API endpoint - /api/this_is_a_single_endpoint/do_something.I want to define X requests for IP or user during X minutes and then block for X minutesAs workaround I can create virtual and positional parameters and "force" specific endpoint to be a login page. This works but it's not nice solution.2. API endpoints with wildcard - /api/*Let's say that I want achive same -&nbsp;X requests for IP or user during X minutes and then block for X minutes. Is there any way how to do it?

daniel_wolf · Answer

Hi&nbsp;JustJozef,
F5 has a couple of solutions for that:

BIG-IP with APM module&nbsp;
NGINX and NGINX Plus Rate Limiting&nbsp;as well as
Secure Your API Gateway with NGINX App Protect WAF&nbsp;
Distributed Cloud WAAP - Manage and Secure APIs&nbsp;

Since you came here, I guess that you are looking for the BIG-IP solution. Take a look at this video to get some idea how to start:&nbsp;F5 BIG IP - API Security v15 0&nbsp;
Is that the kind of information you were looking for?
&nbsp;
KRDaniel

Forum Discussion

API endpoints brute force protection/rate limiting

1 Reply

F5 Academy at AppWorld 2026

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

How can I get started with iCall

Connection Rest f5

Kubernetes cert-manager + LetsEncrypt + F5

The GSLB pool is providing an incorrect IP to end users

Unable to ping from some self ip on Velos

Related Content

Apache Airflow Unsafe API Endpoint

List of F5 iControl REST API Endpoints

Cisco ACI Endpoint Learning with a BIG-IP HA Failover

JSON Web Key Set Endpoint

Using VPC Endpoints with Cloud Failover Extension

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS