Protect your critical business APIs, such as login, registration, and payment endpoints, by configuring targeted rate limiting and custom WAF rules. These policies are essential for defending against automated attacks like credential stuffing, malicious scraping, and DDoS, ensuring the security and stability of your core services.
Why API protection is critical
Your business's most valuable functions and data are handled by APIs. This makes them a primary target for attackers seeking to commit fraud, steal data, or disrupt your services. Automated attacks like credential stuffing, SMS Pumping, and API abuse can lead to direct financial loss, data breaches, and service outages.
A dedicated API security strategy helps you solve these core issues:
Secure user accounts: Prevent account takeover resulting from credential stuffing and brute-force attacks.
Prevent financial loss: Stop attackers from abusing resource-intensive APIs, such as SMS, email, or coupon endpoints, to drain your funds.
Ensure business stability: Protect core APIs from being overwhelmed by scrapers or denial-of-service attacks, ensuring service availability for legitimate users.
Protect sensitive data: Block large-scale, automated scraping of core business data, such as pricing, user information, or proprietary content.
Common attack scenarios
Login API: An attacker uses automated tools and a list of breached credentials to attempt thousands of logins per minute, trying to take over user accounts (Credential Stuffing).
SMS OTP API: An attacker repeatedly calls the one-time password endpoint, causing you to incur significant SMS costs and potentially harassing users (Toll Fraud / SMS Pumping).
Core data API: A competitor or malicious actor uses a script to scrape core product and pricing data at a high frequency, consuming server resources and stealing intellectual property.
Procedure
Configure rate limiting rules
Rate limiting rules are a key defense against automated API abuse. By limiting the number of requests a single client can make in a given period, you can mitigate attacks and prevent your backend services from being overwhelmed.
Rate limiting rules are available on Pro plans and higher.
Defend against high-frequency API scraping
In the ESA console, choose Websites, find the website you want to manage, and in the Actions column click .
On the WAF page, go to the Rate Limiting Rules tab and click Create Rule.
Configure the rule with the following logic: If the same IP address calls the core API more than 100 times in 60 seconds, block subsequent requests from that IP for the remainder of the period.

Rule Name: enter a name, such as Prevent API Abuse.
If requests match...:
Match field: URI Path
Operator: is in
Match value: the URL path of your target API
Note: A URI path is the part of a URL that locates a specific resource. It does not include the protocol, host, or parameters. For example, in the URL https://example.com/blog/posts/123?page=123, the URI path is /blog/posts/123.
Select Case-insensitive and Apply to Cache.
With the same characteristics...: Client IP
When the rate exceeds...: 100 times per 60 seconds, or adjust this value as needed.
Then execute...:
Action: Select Block for Apply to Matched Requests
Error Page: Default Error Page
Click OK to activate the rule.
Prevent brute-force attacks on login APIs
In the ESA console, choose Websites, find the website you want to manage, and in the Actions column click .
On the WAF page, go to the Rate Limiting Rules tab and click Create Rule.
Configure the rule with the following logic: If the same IP address calls a logon or registration API more than 20 times in 60 seconds, apply a JavaScript Challenge to all requests from that IP address for 5 minutes.

Rule Name: enter a name, such as Logon and Registration API Rate Limiting.
If requests match...:
Match field: URI Path
Operator: is in.
Match value: the URL path of the core API.
Note: A URI path is the part of a URL that locates a specific resource. It does not include the protocol, host, or parameters. For example, in the URL https://example.com/blog/posts/123?page=123, the URI path is /blog/posts/123.
Select Case-insensitive and Apply to Cache.
With the same characteristics... : Client IP.
When the rate exceeds...: set the limit to 20 times per 60 seconds, or adjust this value as needed.
Then execute...:
Action: JavaScript Challenge for Apply to All Requests.
Duration: 5 minutes.
Click OK to activate the rule.
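The two rate limiting rules above share one decision procedure: count matched requests per client IP inside a time window, and once the count passes the threshold apply the configured action, either to further matched requests for the rest of the window (rule 1) or to every request from that client for a fixed Duration (rule 2). The following is an added example, not ESA's own code or a description of its internals: it implements that logic as a fixed-window limiter so you can see which request trips each rule and when the penalty expires. The rule class fields, the fixed-window assumption, the paths /api/products, /api/login and /api/register, and the IP addresses and timestamps are all constructed for the demo.

```python
# Added example (not ESA's own code): a fixed-window rate limiter that reproduces the
# decision logic of the two console rules above, keyed by client IP and URI path.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class RateLimitRule:
    """Fields mirror the console form; the values used below are assumptions for the demo."""
    name: str
    paths: frozenset          # Match field: URI Path, Operator: is in, Match value: these paths
    threshold: int            # When the rate exceeds...: more than this many requests
    window: int               # ...per this many seconds (fixed window, an assumption)
    action: str               # Then execute...: "block" or "js_challenge"
    scope: str                # "matched" (Apply to Matched Requests) or "all" (Apply to All Requests)
    duration: int = 0         # penalty seconds; 0 = remainder of the current window
    case_insensitive: bool = True


class RateLimiter:
    def __init__(self, rule: RateLimitRule):
        self.rule = rule
        self.counts = defaultdict(int)   # (client_ip, window_id) -> matched requests seen
        self.penalised_until = {}        # client_ip -> time at which the penalty expires

    def _matches(self, path: str) -> bool:
        # The URI path excludes the query string; compare case-insensitively when the rule says so.
        p = path.split("?", 1)[0]
        if self.rule.case_insensitive:
            return p.lower() in {x.lower() for x in self.rule.paths}
        return p in self.rule.paths

    def decide(self, now: int, client_ip: str, path: str) -> str:
        matched = self._matches(path)
        # 1. A client already under penalty gets the action on every request (scope "all")
        #    or only on requests to the protected paths (scope "matched").
        if now < self.penalised_until.get(client_ip, 0) and (self.rule.scope == "all" or matched):
            return self.rule.action
        if not matched:
            return "allow"
        # 2. Count matched requests per client within the current fixed window.
        window_id = now // self.rule.window
        self.counts[(client_ip, window_id)] += 1
        if self.counts[(client_ip, window_id)] > self.rule.threshold:
            # 3. Threshold exceeded: start the penalty (Duration, or the rest of the window).
            window_end = (window_id + 1) * self.rule.window
            self.penalised_until[client_ip] = now + self.rule.duration if self.rule.duration else window_end
            return self.rule.action
        return "allow"


def run(rule: RateLimitRule, events):
    """Feed (timestamp, client_ip, path) events in time order; return one decision per event."""
    limiter = RateLimiter(rule)
    return [limiter.decide(t, ip, p) for t, ip, p in events]


# Rule 1 from the page: over 100 requests per 60 s to the core API, then Block matched requests.
SCRAPE_RULE = RateLimitRule("Prevent API Abuse", frozenset({"/api/products"}), 100, 60, "block", "matched")
# Rule 2 from the page: over 20 requests per 60 s to login/registration, then JS Challenge on all requests for 5 min.
LOGIN_RULE = RateLimitRule("Logon and Registration API Rate Limiting",
                           frozenset({"/api/login", "/api/register"}), 20, 60, "js_challenge", "all", duration=300)


def demo_scraper():
    # Constructed traffic: one IP fires 101 product-API calls in 50 s, then a few follow-ups.
    events = [(i // 2, "198.51.100.7", "/api/products?page=%d" % i) for i in range(101)]
    events += [
        (55, "198.51.100.7", "/api/products"),    # still inside the 60 s window -> blocked
        (55, "198.51.100.7", "/static/logo.png"), # not a protected path -> allowed (scope: matched)
        (55, "203.0.113.5", "/api/products"),     # different client, own counter -> allowed
        (61, "198.51.100.7", "/api/products"),    # next window, counter reset -> allowed
    ]
    return run(SCRAPE_RULE, events)


def demo_login():
    # Constructed traffic: 21 login attempts in 21 s, mixing path case to show Case-insensitive.
    events = [(i, "198.51.100.7", "/api/login" if i % 2 == 0 else "/API/Login") for i in range(21)]
    events += [
        (100, "198.51.100.7", "/api/products"),   # unrelated path, but scope "all" -> challenged
        (321, "198.51.100.7", "/api/products"),   # penalty (20 s + 300 s) has expired -> allowed
        (321, "198.51.100.7", "/api/login"),      # fresh window -> allowed
    ]
    return run(LOGIN_RULE, events)


if __name__ == "__main__":
    print(demo_scraper()[98:])
    print(demo_login()[18:])
```

The difference between the two rules shows up in the follow-up events: under rule 1 the penalised scraper can still fetch /static/logo.png because Block applies to matched requests only, whereas under rule 2 the JavaScript Challenge covers every request from the client until the five minutes have elapsed. When tuning the thresholds, feed your own expected peak per-client traffic through a model like this before enabling the rule, so that shared egress addresses (corporate NAT, mobile carriers) do not trip it under normal use.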
Configure a custom rule to block common scripts
You can create a custom rule to block requests from common HTTP clients and scripting libraries that are often used for malicious automation but are rarely used by legitimate web browsers.
In the ESA console, choose Websites, find the website you want to manage, and in the Actions column click .
On the Custom Rules tab, click Create Rule. Configure the rule to block requests where the User-Agent header contains common script identifiers:
Block requests if their Header contains a User-Agent field with any of the following values: python-requests, Scrapy, Go-http-client, Postman, curl, or wget.
Rule Name: enter a name, such as Block Automated Script.
If requests match...:
Match field: Header.
Header name: user-agent.
Operator: is in.
Match value: python-requests, Scrapy, Go-http-client, Postman, curl, wget.
Select Case-insensitive.
Then execute...:
Action: Block.
Error Page: Default Error Page.
Click OK to activate the rule.
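To see what the custom rule actually matches, here is an added example that is not ESA's code: it applies the "Header user-agent is in <list>" condition, with Case-insensitive selected, to a handful of constructed requests. "is in" is treated as substring containment, following the page's own wording that the header "contains" one of the listed values; the sample User-Agent strings use the real formats these tools send, with version numbers assumed.

```python
# Added example (not ESA's own code): the custom rule "Header user-agent is in <list>" applied to
# constructed requests, with Case-insensitive selected. "is in" is treated as substring containment,
# as the page's wording "contains" describes.
SCRIPT_UA_TOKENS = ("python-requests", "Scrapy", "Go-http-client", "Postman", "curl", "wget")


def header_value(headers: dict, name: str):
    # HTTP header names are case-insensitive, so look the header up without regard to case.
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v
    return None


def header_is_in(headers: dict, name: str, values, case_insensitive: bool = True) -> bool:
    """True when the named header is present and contains any of the listed tokens."""
    hv = header_value(headers, name)
    if hv is None:
        return False          # no such header: the condition has nothing to match (see usage note)
    if case_insensitive:
        hv = hv.lower()
        values = [v.lower() for v in values]
    return any(v in hv for v in values)


def decide(headers: dict) -> str:
    """The page's rule: Block if User-Agent contains a known script identifier, otherwise let it through."""
    return "block" if header_is_in(headers, "user-agent", SCRIPT_UA_TOKENS) else "allow"


# Constructed sample requests; the User-Agent formats are the ones these tools send, versions assumed.
SAMPLE_REQUESTS = [
    {"User-Agent": "python-requests/2.31.0"},
    {"user-agent": "Wget/1.21.4"},                  # matches "wget" only because Case-insensitive is selected
    {"User-Agent": "Scrapy/2.11.0 (+https://scrapy.org)"},
    {"User-Agent": "Go-http-client/1.1"},
    {"User-Agent": "PostmanRuntime/7.36.0"},
    {"User-Agent": "curl/8.4.0"},
    {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                   "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"},
    {"Accept": "*/*"},                              # no User-Agent header at all
]


def demo():
    return [decide(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for r, d in zip(SAMPLE_REQUESTS, demo()):
        print(d, header_value(r, "user-agent") or "<no User-Agent>")
```

Two things to check before enabling the rule follow directly from the sample output. First, the header is supplied by the client, so a request that omits or rewrites User-Agent passes this condition untouched; the rule only removes automation that identifies itself, which is why the page pairs it with the rate limiting rules above rather than relying on it alone. Second, your own integrations (partner scripts, uptime monitors, CI jobs that call the API with curl or python-requests) match the same tokens, so inventory legitimate API consumers first and exclude them if needed.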