
I have some simple websites (not Laravel applications) with forms where people can input their postal code and house number, and the street and city fields are automatically filled in with the associated information. To accomplish this I make an API call with an AJAX request to my Laravel application, which returns the associated street and city. My Laravel application then makes a call to a third-party API which costs me around €0.01 per request.

Now I want to avoid unwanted and unauthorized access to my Laravel API calls, because each call costs me money. At this moment it is very easy to replicate such calls, and someone with bad intentions could make a script that performs thousands of calls per minute.

So my question is how I can prevent unwanted and unauthorized API calls. I already read about Sanctum and Passport, but from what I read this applies only to authenticated users. And using a token in the request header seems unnecessary, because anybody with a little knowledge can trace the token and use it.

Note that the people who fill in the forms can be random people and don't have an account.

Maik Lowrey
The Stompiest

1 Answer

There are probably many approaches. A simple but effective one would be sessions. You can save the user in a session. This way you can also count their API accesses. As soon as they are more than allowed, you can block their requests. You also write the block in the session. But pay attention to the session duration. It must be long enough.

But a user with bad intentions can get a new session. To avoid this, you can also put their IP on an internal blacklist for a day.

Note: an open API is always a point of attack.

Maik Lowrey
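The two layers the answer describes (a per-session counter whose block is stored in the session, plus a per-IP counter that ends in a one-day IP blacklist) as one Laravel route middleware. This is an added example, not code from the question or the answer; the class name, cache key names, thresholds and window lengths are assumptions to be sized to real form usage.

```php
<?php
// Added example, not from the original post: app/Http/Middleware/ThrottleLookups.php
// Layer 1 counts lookups in the session and records the block there;
// layer 2 counts per IP in the cache and bans the IP for a day when exceeded.

namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Cache;
use Illuminate\Support\Facades\Log;
use Symfony\Component\HttpFoundation\Response;

class ThrottleLookups
{
    // Assumed limits; a genuine visitor fills in a handful of addresses, not hundreds.
    private const MAX_PER_SESSION = 20;          // lookups per session per window
    private const SESSION_WINDOW_SECONDS = 3600;
    private const MAX_PER_IP = 200;              // lookups per IP per window (NAT-friendly)
    private const IP_WINDOW_SECONDS = 3600;
    private const BAN_SECONDS = 86400;           // one day, as the answer suggests

    public function handle(Request $request, Closure $next): Response
    {
        $ip = $request->ip();
        $banKey = 'lookup-ban:' . $ip;

        // Layer 0: a banned IP is refused before any paid upstream call is made.
        if (Cache::has($banKey)) {
            return $this->reject('ip banned', $ip);
        }

        // Layer 1: per-session counter. Only effective when the caller sends the
        // session cookie, so it must never be the only check.
        if ($request->hasSession()) {
            $session = $request->session();

            if ($session->get('lookup.blocked', false)) {
                return $this->reject('session blocked', $ip);
            }

            // Start a fresh counting window once the previous one has expired.
            if ($session->get('lookup.window_ends', 0) < time()) {
                $session->put('lookup.count', 0);
                $session->put('lookup.window_ends', time() + self::SESSION_WINDOW_SECONDS);
            }

            if ($session->increment('lookup.count') > self::MAX_PER_SESSION) {
                // Write the block into the session itself, as the answer suggests.
                $session->put('lookup.blocked', true);
                return $this->reject('session limit exceeded', $ip);
            }
        }

        // Layer 2: per-IP counter in the cache. Catches scripts that simply drop
        // the session cookie to obtain a fresh session on every request.
        $ipKey = 'lookup-count:' . $ip;
        Cache::add($ipKey, 0, self::IP_WINDOW_SECONDS);   // creates the key only if absent
        if (Cache::increment($ipKey) > self::MAX_PER_IP) {
            Cache::put($banKey, true, self::BAN_SECONDS);  // the one-day blacklist entry
            return $this->reject('ip limit exceeded, banned', $ip);
        }

        return $next($request);
    }

    private function reject(string $reason, string $ip): Response
    {
        Log::notice('address lookup throttled', ['reason' => $reason, 'ip' => $ip]);

        // The body deliberately reveals no thresholds, so a script cannot be tuned
        // to stay just under them.
        return response()->json(['error' => 'Too many requests'], 429);
    }
}
```

Register the class as route middleware (the registration point differs between Laravel versions: the HTTP kernel's alias array in older releases, `bootstrap/app.php` in Laravel 11) and attach it to the lookup route together with the `web` middleware group, otherwise no session exists and only the IP layer runs. Three caveats a practitioner would check: the external sites must send the AJAX request with credentials and the Laravel side must allow that origin in its CORS configuration, or the session cookie never arrives; behind a load balancer or CDN, `$request->ip()` is the proxy's address until the trusted-proxy middleware is configured, at which point a single ban would block everyone; and an IP ban also hits every innocent user behind the same office or carrier NAT, which is why the per-IP limit above is far higher than the per-session one. Laravel's bundled `throttle` middleware (backed by `RateLimiter`) already provides the per-IP window with less code, but not the session layer or the day-long ban. None of this stops a distributed attacker, so a hard daily spending cap at the third-party provider remains the last line of defence.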