
OWASP API security – 4: Lack of resources & rate limiting

Blog post from Tyk

Post Details
Company: Tyk
Author: Budha Bhattacharya
Word Count: 1,396
Language: English
Summary

APIs can face significant challenges related to resource constraints and rate limiting, particularly when overwhelmed by excessive requests, which can originate from both legitimate users and malicious actors such as those conducting Denial of Service (DoS) attacks. OWASP highlights this as a critical security issue, as a lack of proper rate limiting can render APIs unresponsive or unavailable. To mitigate these risks, API Gateways can employ various strategies, including execution timeouts, payload size restrictions, rate limiting, throttling, quotas, response caching, circuit breakers, IP restrictions, and complexity limiting, particularly for GraphQL APIs. However, these measures may be insufficient against Distributed Denial of Service (DDoS) attacks, for which specialized infrastructure and services like Cloudflare's DDoS mitigation are recommended. Tyk, as an API management product, supports several of these protective measures and emphasizes the importance of using third-party services for handling more severe threats such as DDoS attacks.