Keep in mind that there are different levels of rate limiting. For APIs you should not rate limit based on IP, but rather based on the session or authorization token provided. App-level rate limiting does not protect you against DoS, and IP only makes it easy for a malicious attacker to abuse your system. Additionally this may also have the negative side effect of blocking requests from devices that share the same external IP on the same network. Other forms of rate limiting and load balancing are best handled at the proxy (i.e. HAProxy, nginx, etc.) or, better, at the DNS level (e.g. Cloudflare). This is often handled by whatever provider you have.
@satpalsinghrathore2665 1 year ago
Hey, I am building a Chrome extension so the API endpoint is exposed. I'd allow users to make requests by passing an API key in the header. How can I prevent it from DDoS? Cloudflare has API Shield but for enterprises only. Can you suggest something?
@dealloc 1 year ago
@@satpalsinghrathore2665 Is it an actual concern you have now? Or is it just theoretical? If the former, then Cloudflare is your answer. If the latter, don't sweat it until you gain enough traction. Premature optimization is the root of all evil.
@im1random263 1 year ago
I think they both can be bypassed really easily as long as it doesn't cost money. For an attacker it does not make that big of a difference if he uses a lot of proxies or creates a lot of free accounts.
@Gamewithstyle 1 year ago
Lol I did a talk on web app pentesting and included a section on rate limiting. I included an example where (with permission) I took down the very popular Jeopardy API that is free and open source. It was back up momentarily, but it really didn't take much. Very good video, and important information.
@FunkyToe369 1 year ago
Wow, a Redis SaaS with a free tier? I didn't even really know they existed. I'll definitely check out Upstash and try it in a project.
@Tszyu01 1 year ago
Great information. In larger companies we would usually use an API gateway like Apigee, Gloo, AWS API Gateway or similar to manage access to APIs as well as bot protection, authentication, rate limiting, A/B testing. It's interesting to see many channels/creators engineer solutions for Next.js and similar SSR frameworks rather than use dedicated backend APIs. I can admit it's easy for a small project to just use the backend capabilities of the SSR frameworks, but I would encourage engineers on the quest for learning to also learn backend technologies, as most companies would not yet host a production API as part of a Next.js or similar deployment.
@WebDevCody 1 year ago
You can still use Upstash to limit requests regardless of whether you're using a Next.js API endpoint, an Express API endpoint, or a Java API endpoint. I guess you're just saying coupling your API with your frontend (Next) isn't the norm for some companies?
@Tszyu01 1 year ago
@@WebDevCody Upstash seems like a great option and your content is helpful, insightful and honest. I'm just saying in general, at this moment in time, there is a huge push to put APIs into Next.js, Nuxt.js, SvelteKit, etc. instances. An API to serve a small blog is vastly different from an API to serve data for a Fortune 500 company. This is very new and pushed pretty heavily by Vercel. Similar to the constant push to serverless and edge operations. I would never be able to justify edge computing at my company because of the long-term cost. I think it will be important at some point to clarify when it makes sense to have an API as part of an SSR deployment vs when it should be a separate entity, scaled/developed/managed separately. Either way, thank you for your content.
@bulelanibotman 1 year ago
Wow! Keep the tutorials coming, I love this.
@HorstKirkPageKian 1 year ago
At 6:05 I noticed that the response time increased immensely from 16 ms to 454 ms. Also on later successful requests the response time was in the three-digit region. Is this the cost of having a remote Redis DB instead of a local one, or is this because it's in another region, like you mention towards the end of your video? Is there anything one can do about it to lower the response time again?
@WebDevCody 1 year ago
It might have been due to a cold start, I didn't really investigate. That seems too high, so I'm thinking it is something else causing that slowdown, assuming Redis is in the same region as the API.
@razdingz 1 year ago
What VS Code theme is that? Pretty cool.
@WebDevCody 1 year ago
Bearded theme stained blue
@razdingz 1 year ago
@@WebDevCody Thanks fren, I just checked it out, some nice themes, and the icons are pretty cool too.
@kolya6955 1 year ago
Using IP alone might not be a good idea. Maybe also consider device ID, tokens etc.? I've also noticed this method on Binance years ago: they limit based on IP so no one on your network can spam.
@Netryon 1 year ago
As somebody in the NSA said, this isn't a request and it takes some time until they let you get epic items for experiments. It is probably a daily credit use, so if you take more than a book from a bookshelf today nobody will let you search unless you are a paying customer. Ninetails' stash is safe if you are alone in the jump town. I think headers should be as they were onload and the only content manipulated would be its body, well unless you do a redirect. With big services they do all the restrictions, but you have to create it if you are an original rum shaker.
@WebDevCody 1 year ago
I have no clue what you just said
@Netryon 1 year ago
@@WebDevCody You work with it as you can. So he stood there by the fountain and entered the building.
@frydenland 1 year ago
@@Netryon What the hell is wrong with you.
@abdirahmann 1 year ago
@@Netryon What??!?! I have no idea what you are talking about! Are you referring to a book or sth?
@rwz 1 year ago
Nice and concise. One comment though: for "paid" services, using IPs alone is not a good idea; adding the user's API token prevents users with access to a lot of IPs from rotating through them and changing the source IPs.
@WebDevCody 1 year ago
Right, at some point you'll need to limit by user ID and track requests that way. But if you have a free-tier API which doesn't require login, I'm not sure of any alternative approaches other than tracking IP (which has its own set of issues).
@alexandrepereira6522 1 year ago
Good video as usual! What is your extension to do queries inside VS Code?
@alexandrepereira6522 1 year ago
OK, I should have waited a few more seconds. Got my answer, thanks.
@lethanhkiet8213 1 year ago
What is your VS Code theme?
@wcatly 1 year ago
Can you make a tutorial on making secure API routes between server and client?
@zlackbiro 1 year ago
You can create a middleware and, without Redis, check whether that IP was used 10 seconds ago. You can keep users' IPs in memory or in the database.
@WebDevCody 1 year ago
You can't use memory if your API endpoints are deployed to serverless. Each request might be its own instance, which means the memory will be fresh each request. Yes, you could use a database, but a database is much slower than a Redis instance.
@ahmedahmedx9600 1 year ago
Hi Cody, what font and theme do you use in VS Code please?
@DennisIvy 1 year ago
What VS Code theme are you using?
@WebDevCody 1 year ago
bearded theme - stained blue
@DennisIvy 1 year ago
@@WebDevCody Love it! Thanks man, it's hard to find a theme that goes with JS and Python syntax.
@WebDevCody 1 year ago
@@DennisIvy Are you coming back to YT yet? We miss you.
@DennisIvy 1 year ago
@@WebDevCody I keep saying soon but it's hard to tell right now. Changing up a few things with my life soon.
@biltriq2332 1 year ago
Cody, great video. You talked about bots briefly in a previous video and how we should protect the env file. Please make a video on that.
@RashidAli-oc1sr 1 month ago
Bro, I have one question, can I ask?
@Tony-dp1rl 1 year ago
Nice video, but in the real world you would never rate-limit based on IP. That doesn't work in a lot of scenarios.
@ayushkathariya 1 year ago
Which theme are you using in this video?
@AndreSchmidt-mo1uu 1 year ago
Your videos are very good! Can you make a video on Upstash Kafka?
@ameer6168 1 year ago
How do you determine the right amount of rate limiting, if it's for a site like Unsplash?
@WebDevCody 1 year ago
You need to figure out what your users need on average.
@FarisEdits 1 year ago
Great video ❤
@butwhothehellknows 1 year ago
Good job babe!!! First!! 👑
@butwhothehellknows 1 year ago
@@TebaremCoding lol yes, he is married to me :)
@veenallo 1 year ago
@@TebaremCoding 😂😂 You thought he was part of the "I'm a programmer, I have no life". 😂 He has social skills, no wonder his delivery is top tier.
@WebDevCody 1 year ago
Thank you beautiful!!
@dcm_r 1 year ago
@@butwhothehellknows Aw, is that true? You're so sweet haha.
@christian-schubert 1 year ago
Hey Tina 👋
@petermckeever2360 1 year ago
Do you know if it's possible to blacklist with Upstash? Looking to target some suspected scraping crawlers.
@WebDevCody 1 year ago
You could add long-lived IPs into your cache if you wanted, so they would always be blocked.
@laptopuser5198 1 year ago
Redis Upstash is top tier.
@twd2 1 year ago
Can I use Express Rate Limit?
@greendsnow 1 year ago
If only I could understand how their pricing scheme works... It says $0.2 per 100K commands ($0.4 for global). If I get a 100M DDoS attack, does it mean I'll be charged $200?
@greendsnow 1 year ago
How would I know they wouldn't plan such an attack on me? I have trust issues! I'd dockerize it on a 5 bucks server, rate limit my backend and sleep tight at night.
@satpalsinghrathore2665 1 year ago
@@greendsnow So that's using a server instead of serverless? This will still stop your service but won't cause you a hefty charge, right?
@ImLunaHey 1 year ago
Yes. This is why something like pay-per-command hosted Redis shouldn't be used for rate limiting.
@justhaithem9001 1 year ago
Great video... At Google they use a great technique of rate limiting: "exponential backoff". First the user starts with 2 s waiting time, then if he requested the API again the waiting time will increase to 4, then 8... 16... 32... Did you recognize the pattern? It's 2^n. Now your traffic will be more organized, so if someone insisted 10 times he's gonna wait for 20 minutes, and if he invoked it 30 times more he will wait until the end of the world 💀. If you wanna implement this, make sure to tell the user in the front end, otherwise it's just bad UX.
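The escalating-wait scheme described in this comment, as an added example (not from the video, the thread, or any Google library): each request that arrives inside the caller's wait window doubles the window (2, 4, 8, ... seconds, i.e. 2^n), and the wait is returned so the front end can show it to the user. `BackoffLimiter`, `backoffSeconds`, `demo`, the one-day cap and the constructed call sequence are assumptions; the `Map` stands in for Redis.

```javascript
// Added example (not from the video or its comments): exponential backoff
// penalties. A caller that sends a request while still inside its wait window
// doubles the window (2 s, 4 s, 8 s, ... = 2^n seconds), capped so a lockout
// cannot grow without bound. The Map stands in for Redis; in production the
// state would live in a shared store so every instance sees the same strikes.

const BASE_WAIT_S = 2;            // first wait window
const MAX_WAIT_S = 24 * 60 * 60;  // cap the penalty at one day (assumed policy)

// Wait in seconds after `strikes` consecutive hits: 2, 4, 8, ... = 2^strikes, capped.
function backoffSeconds(strikes, base = BASE_WAIT_S, cap = MAX_WAIT_S) {
  if (strikes <= 0) return 0;
  return Math.min(cap, base * 2 ** (strikes - 1));
}

class BackoffLimiter {
  constructor() {
    this.state = new Map(); // key -> { strikes, blockedUntil } (seconds)
  }

  // `key` is whatever identity you rate limit on (API token, user id, IP).
  // Returns { allowed, retryAfterS, strikes }; retryAfterS is the value you
  // would put in a Retry-After header so the front end can show the wait.
  check(key, nowS) {
    const s = this.state.get(key) || { strikes: 0, blockedUntil: 0 };
    if (nowS < s.blockedUntil) {
      // Request arrived inside the wait window: escalate and restart the window.
      s.strikes += 1;
      const wait = backoffSeconds(s.strikes);
      s.blockedUntil = nowS + wait;
      this.state.set(key, s);
      return { allowed: false, retryAfterS: wait, strikes: s.strikes };
    }
    // Caller waited out the previous window: serve it and reset to the base wait.
    s.strikes = 1;
    s.blockedUntil = nowS + backoffSeconds(1);
    this.state.set(key, s);
    return { allowed: true, retryAfterS: 0, strikes: 1 };
  }
}

// Constructed scenario: one caller hammers the endpoint once a second for four
// seconds, then comes back after waiting out the penalty.
function demo() {
  const limiter = new BackoffLimiter();
  const waits = [];
  for (const t of [0, 1, 2, 3]) {
    waits.push(limiter.check('token:abc', t).retryAfterS);
  }
  waits.push(limiter.check('token:abc', 100).retryAfterS);
  return waits; // [0, 4, 8, 16, 0]
}

console.log(demo());
```

The cap matters because the 30th consecutive strike would otherwise be 2^30 seconds, roughly 34 years; a bounded lockout stops the abuse without making a mistaken block permanent. In Redis the per-key state can be given a TTL equal to its remaining wait so idle keys expire on their own.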
@gamemoves2415 1 year ago
Thanks
@arthurvanleeuwen9650 1 year ago
Bad example, you can just change the IP in the headers. A much better solution is if it's based on API keys.
@johnny_knl 1 year ago
Yo bro, you exposed your own IP address at 7:33. Maybe you want to edit that out.
@WebDevCody 1 year ago
That's not my IP, I modified it in Chrome dev tools 😉
@johnny_knl 1 year ago
@@WebDevCody Oh nice. I didn't know that.
@HusamAlmaher 1 year ago
Nice one, keep it up
@skillswitharif 1 year ago
great 😅
@ornelfranck 1 year ago
Nice
@alpachino468 1 year ago
I wish you'd mentioned in the title that you're using Upstash, would have saved me a couple of wasted minutes...
@WebDevCody 1 year ago
Using a third-party service will save you more than a few minutes of dev time.
@kklowd 1 year ago
What is that thumbnail
@davidsiewert8649 1 year ago
Rate limiting by IP:
-> is very bad for mobile users (they all share the same IP because of the heavy usage of CGNAT by mobile providers)
-> you are basically discriminating against mobile users (and less financially secure users, who don't own a separate PC)