Hey there, fellow developers!
I'm currently working on a project where I've run into an issue related to preventing excessive requests made from Postman via a server action triggered by a button on my frontend. The problem is that I can make more than 10,000 requests without encountering any errors. I've already tried implementing reCAPTCHA, but it's not very user-friendly from a UI perspective.
So, I'm looking for alternative methods to block excessive requests while keeping a user-friendly experience. If anyone has experience or suggestions in this area, I'd greatly appreciate your input.
Here's a bit more context on my project:
Frontend: I have a button that, when clicked, triggers a server action to perform a specific task. This task should be rate-limited to prevent abuse, but I want to ensure that it doesn't negatively impact the user experience.
Postman: I've noticed that I can easily send a large number of requests from Postman, and I want to prevent such abuse.
I've considered rate limiting or IP blocking, but I'm concerned about legitimate users being affected by these measures. I'm looking for a solution that can effectively distinguish between legitimate user requests and abusive ones.
If you have any insights, recommendations, or possible solutions, please share your thoughts. It's important to maintain a balance between security and user-friendliness, and I'd love to hear about any strategies or technologies that can help achieve this.
Thanks in advance for your help!
In this specific case, why would you let end-users connect directly to the API? Why don't you put a broker in between, like Azure API Management, that can handle the rate limiting for you?
And if you need to do this then I'm not sure how. You will need to store each request in the database to keep track of the number of connections per user so you can keep track of the rate. There is no in-memory database capability for this in OutSystems. So by implementing this you will put a lot of stress on the database server.
I would take this to support or your technical success manager and see if they have a solution for you.
Hi Carlos Junior,
I can understand your issue to an extent. Can you try using a Button loader to prevent multiple hits within a certain delay period? Please let us know if it helps.
Hi Jerome,
The thing is that every button has an API POST request that ignores the frontend verification, so what I'm currently doing is the verification from the server action, along with all the code I need to make sure it's not a bot. Do you think there is another way of doing this?
You could try to implement rate limiting using a circuit breaker, based on the userId or the IP address. When the user hits the threshold, the circuit will be closed and you can throw an error to the user.
https://www.outsystems.com/blog/posts/circuit-breaker-pattern/
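As an added illustration of the per-userId/IP threshold approach described in this reply (example code written for this thread, not OutSystems code and not from the linked post; the `RateLimiter` and `handle_click` names and the in-memory dict are assumptions for the example):

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple


@dataclass
class _KeyState:
    window_start: float
    count: int = 0
    tripped_until: float = 0.0  # 0.0 means the breaker is not tripped


@dataclass
class RateLimiter:
    """Fixed-window counter per key with circuit-breaker behaviour: once a key
    exceeds `threshold` requests inside one window, every further request from
    that key is rejected until `cooldown_seconds` have elapsed. The dict is an
    in-memory stand-in for whatever shared store the server actually uses."""
    threshold: int = 100
    window_seconds: float = 60.0
    cooldown_seconds: float = 300.0
    clock: Callable[[], float] = time.monotonic  # injectable for tests
    _states: Dict[str, _KeyState] = field(default_factory=dict)

    def check(self, key: str) -> Tuple[bool, str]:
        """Record one request from `key` and return (allowed, reason)."""
        now = self.clock()
        st = self._states.get(key)
        if st is None:
            st = self._states[key] = _KeyState(window_start=now)
        if st.tripped_until > now:  # breaker tripped: reject without counting
            return False, "too many requests, retry after cooldown"
        if now - st.window_start >= self.window_seconds:  # start a new window
            st.window_start, st.count = now, 0
        st.count += 1
        if st.count > self.threshold:
            st.tripped_until = now + self.cooldown_seconds  # trip the breaker
            return False, "threshold exceeded, circuit tripped"
        return True, "ok"


def handle_click(limiter: RateLimiter, user_id: Optional[str], client_ip: str) -> Tuple[int, str]:
    """Server-side entry point for the button's action. Key on the userId when
    the caller is authenticated, otherwise fall back to the client IP."""
    key = f"user:{user_id}" if user_id else f"ip:{client_ip}"
    allowed, reason = limiter.check(key)
    if not allowed:
        return 429, reason  # a plain error the UI can show, no CAPTCHA needed
    return 200, "task performed"
```

Because the check runs in the server action, it applies equally to clicks from the UI and to calls sent straight from a tool like Postman.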
Thank you guys for the answers. I have been researching circuit breakers and the solution Vincent made! I will update soon.