I'm working on creating a FORM (kind of survey) to get user input; any user who visits the website can provide me information. This means the API is actually publicly accessible to anyone without any token or session (basically nothing).
I want to prevent people from getting my endpoint and creating thousands/millions of requests (SPAM) to flood my service and database. I've tried to look over Stack Overflow and some posts on Medium; it's interesting that I don't find much about this.
Some said:
- bundle my website as a hybrid app and supply an accessToken only to "trusted devices" for firing my API (but this is a pure web app)
- create a custom header and identify the header on my web server (hmm..?)
- use a CAPTCHA (this will only stop people spamming via the GUI; spamming via script is still possible)
Is there simply no better way to secure it, since it's public? Any thoughts to share?
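As an added illustration (not part of the original question, and not anyone's production code), the Python sketch below simulates the custom-header idea and shows why it cannot tell a script from the real front end, then adds a per-source token-bucket rate limit, an approach the question does not list, to bound what one flooding client can get through. The header name and value, the IP addresses, the scripted client's headers and the limits are all constructed for the demo.

```python
from collections import defaultdict

# Hypothetical custom header the web front end attaches to every submission.
HEADER_NAME = "X-Survey-Client"
HEADER_VALUE = "web-1"

# Constructed scripted client: it copies the header straight out of the browser's
# network tab, so a header check alone cannot distinguish it from the real page.
SCRIPTED_HEADERS = {HEADER_NAME: HEADER_VALUE, "User-Agent": "python-requests/2.x"}


class TokenBucket:
    """Per-client budget: `capacity` submissions at once, then `refill_per_sec` more per second."""

    def __init__(self, capacity: int, refill_per_sec: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)
        self.last = None  # timestamp of the last refill, None until first use

    def allow(self, now: float) -> bool:
        # Refill proportionally to elapsed time, never above capacity.
        if self.last is not None:
            self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class SubmissionGate:
    """Decides whether an anonymous form submission is accepted (200), rejected for a
    missing header (403) or throttled (429). `now` is injected so the demo is deterministic."""

    def __init__(self, capacity: int = 5, refill_per_sec: float = 1 / 60, rate_limit: bool = True) -> None:
        self.rate_limit = rate_limit
        # One bucket per source address; in production this state would live in a shared
        # store behind the load balancer rather than in process memory (assumption).
        self.buckets = defaultdict(lambda: TokenBucket(capacity, refill_per_sec))

    def check(self, client_ip: str, headers: dict, now: float) -> int:
        if headers.get(HEADER_NAME) != HEADER_VALUE:
            return 403
        if self.rate_limit and not self.buckets[client_ip].allow(now):
            return 429
        return 200


def flood(gate: SubmissionGate, n: int, client_ip: str = "203.0.113.7", now: float = 1000.0) -> int:
    """Fire n scripted submissions from one source in the same instant; return how many got through."""
    return sum(1 for _ in range(n) if gate.check(client_ip, SCRIPTED_HEADERS, now) == 200)


def header_only_accepts(n: int = 10_000) -> int:
    # Header check alone: the script copied the header, so every request is accepted.
    return flood(SubmissionGate(rate_limit=False), n)


def rate_limited_accepts(n: int = 10_000) -> int:
    # Same flood with a 5-burst, 1-per-minute bucket: only the first `capacity` succeed.
    return flood(SubmissionGate(capacity=5, refill_per_sec=1 / 60), n)


def slow_user_accepts(submissions: int = 10, spacing_sec: float = 120.0) -> int:
    # A real visitor submitting every two minutes refills faster than they spend and is never throttled.
    gate = SubmissionGate(capacity=5, refill_per_sec=1 / 60)
    browser_headers = {HEADER_NAME: HEADER_VALUE}
    return sum(
        1
        for i in range(submissions)
        if gate.check("198.51.100.4", browser_headers, 1000.0 + i * spacing_sec) == 200
    )


if __name__ == "__main__":
    print("header check only, 10k scripted requests accepted:", header_only_accepts())
    print("with per-IP token bucket, 10k scripted requests accepted:", rate_limited_accepts())
    print("legitimate slow user, 10 submissions accepted:", slow_user_accepts())
```

Keying the bucket on the source address is the simplest option and is what a reverse proxy or API gateway would typically do for you; its known weakness is that many clients share one NAT address and that a distributed flood spreads across many addresses, so the limit is a cost increase for the attacker rather than a hard stop, and it is usually combined with a second key (for example a short-lived submission token minted when the form is served) and a database-side cap on rows per source per day.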