LetsGit.IT - Category: Security (difficulty: medium)

How do you protect a public API from abuse?

Tags: #rate-limiting #abuse #api

Answer

Use authentication, rate limits, quotas, and abuse detection (IP reputation, anomaly detection). Add request validation, WAF rules, and backpressure, plus monitoring and alerting for spikes.

Advanced answer

Deep dive

A layered approach prevents abuse and reduces blast radius:

  • API keys or OAuth; per-tenant quotas and per-IP rate limits.
  • Validation and schema checks to reject malformed requests early.
  • WAF rules, bot detection, and IP reputation.
  • Backpressure and circuit breakers to protect downstreams.

Examples

Rate limiting headers:

X-RateLimit-Limit: 1000
X-RateLimit-Remaining: 42
X-RateLimit-Reset: 1710000000
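The following is an added example, not code from LetsGit.IT, showing how the layered checks from the deep dive fit together in one request path: a cheap per-IP limit first, then authentication, then schema validation, then a per-tenant quota sized by tier, with the X-RateLimit-* headers above attached to every counted response. The tenant table, API keys, limits and the fixed-window algorithm are constructed assumptions for illustration; a production deployment would keep the counters in a shared store rather than in process memory.

```python
"""Per-IP limit plus per-tenant quota for a public API, emitting X-RateLimit-* headers.
Added illustration; tenant ids, keys, limits and window size are constructed."""
from __future__ import annotations

import time


class FixedWindowLimiter:
    """Fixed-window counter keyed by any string (tenant id, client IP).

    Each key stores only its current window, so memory is bounded by the
    number of active keys. The clock is injectable so behaviour can be tested
    without sleeping.
    """

    def __init__(self, limit: int, window_seconds: int, clock=time.time):
        self.limit = limit
        self.window = window_seconds
        self.clock = clock
        self._state: dict[str, tuple[int, int]] = {}  # key -> (window_start, count)

    def check(self, key: str) -> tuple[bool, dict[str, str]]:
        """Count one request for `key`; return (allowed, headers)."""
        now = self.clock()
        window_start = int(now // self.window) * self.window
        start, count = self._state.get(key, (window_start, 0))
        if start != window_start:  # a new window has begun: reset the counter
            start, count = window_start, 0
        allowed = count < self.limit
        if allowed:
            count += 1
        self._state[key] = (start, count)
        reset_at = start + self.window
        headers = {
            "X-RateLimit-Limit": str(self.limit),
            "X-RateLimit-Remaining": str(max(0, self.limit - count)),
            "X-RateLimit-Reset": str(reset_at),
        }
        if not allowed:
            # Tell well-behaved clients when to retry instead of hammering the API.
            headers["Retry-After"] = str(max(1, int(reset_at - now)))
        return allowed, headers


# Constructed tenant table: API key -> (tenant id, requests allowed per minute).
TENANTS = {
    "key-free-abc": ("tenant-free", 10),
    "key-paid-xyz": ("tenant-paid", 1000),
}


class ApiGuard:
    """Layers the checks in order of cost: per-IP limit, auth, validation, per-tenant quota.

    Separate per-tenant limiters avoid the 'only global limits' pitfall: one
    noisy tenant exhausts its own quota without affecting the others.
    """

    def __init__(self, clock=time.time):
        self.clock = clock
        self.per_ip = FixedWindowLimiter(limit=100, window_seconds=60, clock=clock)
        self.per_tenant: dict[str, FixedWindowLimiter] = {}

    def handle(self, headers: dict[str, str], client_ip: str, body: dict) -> tuple[int, dict[str, str]]:
        """Return (HTTP status, response headers) for one request."""
        # 1. Per-IP limit runs before any lookup, so unauthenticated floods stay cheap.
        ok, ip_headers = self.per_ip.check(client_ip)
        if not ok:
            return 429, ip_headers
        # 2. Authenticate: unknown or missing key is rejected before it consumes a quota.
        tenant = TENANTS.get(headers.get("X-API-Key", ""))
        if tenant is None:
            return 401, {}
        tenant_id, tier_limit = tenant
        # 3. Schema check: reject malformed requests early, before touching downstreams.
        query = body.get("query")
        if not isinstance(query, str) or not query or len(query) > 1024:
            return 400, {}
        # 4. Per-tenant quota sized for the tenant's tier (created lazily per tenant).
        limiter = self.per_tenant.get(tenant_id)
        if limiter is None:
            limiter = FixedWindowLimiter(limit=tier_limit, window_seconds=60, clock=self.clock)
            self.per_tenant[tenant_id] = limiter
        ok, tenant_headers = limiter.check(tenant_id)
        return (200 if ok else 429), tenant_headers


if __name__ == "__main__":
    guard = ApiGuard()
    for i in range(12):
        status, hdrs = guard.handle({"X-API-Key": "key-free-abc"}, "203.0.113.5", {"query": "ping"})
        print(i + 1, status, hdrs)
```

The per-IP limiter deliberately counts rejected (401/400) requests too, so a client probing keys or sending junk burns its own budget. A fixed window is the simplest counter to reason about; it allows up to twice the limit across a window boundary, which is why the follow-up about burst traffic usually leads to token-bucket or sliding-window designs.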

Common pitfalls

  • Only global limits (one noisy tenant hurts all).
  • No observability: you see abuse after downtime.
  • Ignoring idempotency for retried requests.

Interview follow-ups

  • How do you set limits for paid vs free tiers?
  • How do you handle burst traffic from a good customer?
  • What metrics would you alert on?
