Check: SRG-APP-000247-API-000870
Application Programming Interface (API) SRG:
SRG-APP-000247-API-000870
(in version v1 r1)
Title
The API must enforce per-client rate limits. (Cat II impact)
Discussion
Configuring rate limits on API keys helps prevent abuse, mitigates denial-of-service attacks, and ensures fair usage of resources by restricting the number of requests an entity can make within a set timeframe.
Check Content
Review the API gateway, reverse proxy, or service configuration to confirm that rate limiting is implemented on a per-client basis. A "client" may be identified using API keys, OAuth tokens, IP addresses, or other unique identifiers.

Verify that:
- Each client has an independent rate limit (e.g., requests per second/minute/hour).
- Limits are enforced consistently across API endpoints.
- Clients exceeding the limit receive appropriate error responses (e.g., HTTP 429 Too Many Requests).
- The rate limiting configuration aligns with organizational performance and security policies.

Acceptable evidence may include:
- Gateway/service configuration files or dashboards (e.g., AWS API Gateway, NGINX).
- API documentation defining rate limits per client.
- Logs showing enforcement of limits for individual clients.

If the API does not enforce per-client rate limits, or if limits are global, improperly configured, or unenforced, this is a finding.
Fix Text
Build or configure per-client rate limiting on the API using a gateway, reverse proxy, or API management platform. Identify clients using unique identifiers (such as API keys, access tokens, or IP addresses) and configure rate limits to ensure fair usage and prevent abuse.

Ensure that:
- Each client has a defined threshold for request rates.
- Limits are enforced dynamically.
- Clients exceeding limits receive appropriate error responses.

Update system documentation to reflect the implemented rate-limiting policy and enforcement mechanisms.
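The following is an added illustration of what the Check Content and Fix Text describe, not part of the SRG itself: a token-bucket limiter that keeps one bucket per client identifier and answers HTTP 429 with a `Retry-After` header once that client's own budget is spent. Because each client has its own bucket, a burst from one client does not consume the budget of another, which is the difference between a per-client limit and the global limit the check calls a finding. The `X-API-Key` header name, the fallback to source IP, the request/response shapes and the constructed traffic are assumptions for this example; in production the same policy would normally be configured in the gateway or reverse proxy rather than hand-written.

```python
"""Per-client token-bucket rate limiter returning HTTP 429 (added example).

Assumptions: clients are identified by an X-API-Key header, falling back
to the source IP; limits, header names and traffic below are constructed.
"""
import math
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Bucket:
    tokens: float   # currently available requests for this client
    updated: float  # clock reading at the last refill


class PerClientRateLimiter:
    """One token bucket per client key.

    rate:     sustained requests per second allowed for each client
    capacity: burst size (maximum tokens a bucket can hold)
    clock:    time source, injectable so behaviour is deterministic in tests
    """

    def __init__(self, rate: float, capacity: int,
                 clock: Callable[[], float] = time.monotonic):
        self.rate = rate
        self.capacity = capacity
        self.clock = clock
        self.buckets: Dict[str, Bucket] = {}

    def check(self, client_id: str) -> Tuple[int, Dict[str, str]]:
        """Return (status_code, headers) for one request from client_id.

        200 means allowed; 429 means this client exceeded its own limit.
        Other clients' buckets are untouched, so a noisy client cannot
        drain a shared budget the way it would under a global limit.
        """
        now = self.clock()
        bucket = self.buckets.get(client_id)
        if bucket is None:
            bucket = Bucket(tokens=float(self.capacity), updated=now)
            self.buckets[client_id] = bucket
        # Refill in proportion to elapsed time, never above capacity.
        bucket.tokens = min(self.capacity,
                            bucket.tokens + (now - bucket.updated) * self.rate)
        bucket.updated = now
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return 200, {"X-RateLimit-Remaining": str(int(bucket.tokens))}
        # Seconds until one whole token is available again, rounded up.
        retry_after = math.ceil((1.0 - bucket.tokens) / self.rate)
        return 429, {"Retry-After": str(retry_after)}


def client_key(request: dict) -> str:
    """Derive the per-client identifier (assumed scheme): API key, else IP."""
    api_key = request.get("headers", {}).get("X-API-Key")
    if api_key:
        return "key:" + api_key
    return "ip:" + request.get("remote_addr", "unknown")


def simulate() -> Dict[str, List]:
    """Constructed traffic against a 2 req/s, burst-5 per-client policy.

    Client A fires 8 requests at once; client B (keyed by IP) sends one
    during A's burst; A then retries three times one second later.
    """
    now = [0.0]
    limiter = PerClientRateLimiter(rate=2.0, capacity=5, clock=lambda: now[0])
    req_a = {"headers": {"X-API-Key": "client-A-key"}}
    req_b = {"remote_addr": "192.0.2.10"}   # no API key -> keyed by IP

    out: Dict[str, List] = {"A_burst": [], "A_retry_after": [],
                            "B": [], "A_after_1s": []}
    for _ in range(8):
        status, headers = limiter.check(client_key(req_a))
        out["A_burst"].append(status)
        if status == 429:
            out["A_retry_after"].append(headers["Retry-After"])
    out["B"].append(limiter.check(client_key(req_b))[0])

    now[0] = 1.0  # one second later, A has earned 2 more tokens
    for _ in range(3):
        out["A_after_1s"].append(limiter.check(client_key(req_a))[0])
    return out


if __name__ == "__main__":
    for name, statuses in simulate().items():
        print(f"{name}: {statuses}")
```

The simulation is the kind of evidence the check asks for in log form: the fifth request from client A is the last one accepted in the burst, the sixth onward receive 429 with `Retry-After: 1`, client B is unaffected, and A regains exactly `rate` requests per elapsed second.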
Additional Identifiers
Rule ID: SV-274682r1143925_rule
Vulnerability ID: V-274682
Group Title: SRG-APP-000400
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-001095 | Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding types of denial-of-service attacks. |
Controls
| Number | Title |
|---|---|
| SC-5(2) | Capacity, Bandwidth, and Redundancy |