Securing APIs to Ensure Availability - Best Practices and Strategies

Protecting API Availability

Question

Clients are unable to access a company's API to obtain pricing data.

An analyst discovers sources other than clients are scraping the API for data, which is causing the servers to exceed available resources.

Which of the following would be BEST to protect the availability of the APIs?

Answers

A. IP whitelisting
B. Certificate-based authentication
C. Virtual private network (VPN)
D. Web application firewall (WAF)

Explanations

Correct answer: D

The scenario described in the question implies that the company's API is suffering a Denial of Service (DoS) condition caused by the excessive requests of automated scrapers, which consume the servers' resources. The goal is to protect the availability of the API so that legitimate clients can access the service without interruption.

A. IP whitelisting is a security measure that allows access to a network or service only from pre-approved IP addresses. However, it is not effective in this scenario, since the scraping traffic can originate from a large number of IP addresses, and keeping them all excluded would be impractical.

B. Certificate-based authentication is a method of verifying the identity of a client or server using digital certificates. While it can help to authenticate legitimate clients, it does not prevent automated scrapers from accessing the API since they can also use digital certificates.

C. A virtual private network (VPN) creates a secure tunnel between the client and the service, which helps protect against attacks such as man-in-the-middle (MITM) and eavesdropping. However, it is not effective against automated scrapers, since they can also establish VPN connections and continue to make requests.

D. A web application firewall (WAF) is designed to protect web applications by filtering and blocking malicious traffic. It can detect and block automated scrapers using techniques such as rate limiting, behavioral analysis, and client fingerprinting, which is exactly the control needed here. Therefore, the best option to protect the availability of the APIs in this scenario is to deploy a WAF.

In conclusion, the best option to protect the availability of the APIs in this scenario is to deploy a web application firewall (WAF), which can detect and block automated scrapers using a variety of techniques.
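To make the rate-limiting technique mentioned under option D concrete, here is an added example (not code from the original page or from any WAF product): a per-source sliding-window limiter of the kind a WAF enforces in front of an API, run over constructed traffic in which one legitimate client polls the pricing endpoint every two seconds while a scraper hammers it twenty times per second. The source names, the 20-requests-per-10-seconds limit and the block threshold are all assumptions chosen for the illustration.

```python
"""Per-source sliding-window rate limiter, illustrating the rate-limiting
control a WAF applies in front of an API. Added example, not the page's
own code; the sample traffic below is constructed."""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per source within any `window_ms` window."""

    def __init__(self, limit=20, window_ms=10_000):
        self.limit = limit
        self.window_ms = window_ms
        # source -> timestamps (ms) of the requests that were allowed
        self.history = defaultdict(deque)

    def allow(self, source, now_ms):
        q = self.history[source]
        # Evict timestamps that have fallen out of the window.
        while q and now_ms - q[0] >= self.window_ms:
            q.popleft()
        if len(q) >= self.limit:
            return False          # over budget: request is dropped
        q.append(now_ms)
        return True


def apply_rate_limit(requests, limit=20, window_ms=10_000):
    """Run the limiter over (timestamp_ms, source, path) tuples and return
    per-source allowed/blocked counts, the way a WAF log summary would."""
    limiter = SlidingWindowLimiter(limit, window_ms)
    stats = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for ts, source, _path in sorted(requests):
        outcome = "allowed" if limiter.allow(source, ts) else "blocked"
        stats[source][outcome] += 1
    return dict(stats)


def sources_to_block(stats, min_blocked=50):
    """Sources whose blocked count reaches the (assumed) threshold, i.e.
    candidates for a persistent WAF block rule rather than per-request drops."""
    return sorted(s for s, c in stats.items() if c["blocked"] >= min_blocked)


def sample_requests():
    """Constructed traffic: a legitimate client polling every 2 s for a minute
    and a scraper issuing 20 requests per second for 10 s."""
    reqs = [(i * 2000, "client-A", "/pricing") for i in range(30)]
    reqs += [(i * 50, "scraper-X", "/pricing") for i in range(200)]
    return reqs


if __name__ == "__main__":
    stats = apply_rate_limit(sample_requests())
    for source, counts in sorted(stats.items()):
        print(f"{source}: {counts}")
    print("block candidates:", sources_to_block(stats))
```

The legitimate client never exceeds five requests in any ten-second window, so all of its traffic passes, while the scraper gets its first twenty requests through and then has the rest dropped; the block-candidate list is what an operator would feed into a WAF rule, leaving the API's capacity for real clients.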