
OWASP API security – 4: Lack of resources & rate limiting

Blog post from Tyk

Post Details

Company: Tyk
Author: Jennifer Craig
Word Count: 1,392
Language: English
Summary

APIs can suffer performance, availability, and security problems when they face excessive requests as a result of a lack of resources and inadequate rate limiting, as highlighted by OWASP. Without proper restrictions, an API can be overwhelmed by both legitimate and malicious traffic, such as Denial of Service (DoS) attacks, which can render it unresponsive. To mitigate these issues, strategies such as execution timeouts, payload size limits, rate limiting, throttling, quotas, response caching, circuit breakers, IP restrictions, and complexity limiting can be applied, typically at an API Gateway. These measures may not suffice against Distributed Denial of Service (DDoS) attacks, however, which call for specialised infrastructure and services like those offered by Cloudflare. Tyk's API Gateway incorporates many of these protective capabilities, but the post recommends combining them with third-party services for robust defence against DDoS attacks.