Just wanted to learn what steps should be taken to prevent an API from abuse...
Depending on the use case you could:
- Require authentication (token per user)
- Limit rate of access (x hits per y time)
- Limit access by IP
- Limit size of transactions
- Limit size of response per time period
- Ask people to be nice
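The first three items above (a token per user, x hits per y seconds, and a per-IP limit) can be enforced by one gate in front of every request. The following PHP is an added example written for this page, not code from the answer; the token table, client IP and limits are constructed, and the in-memory bucket array stands in for APCu, Redis or a database table in a real deployment.

```php
<?php
declare(strict_types=1);
// Added example: fixed-window rate limiting per user token and per client IP.
// Storage is an in-memory array for the demo; swap in APCu/Redis/DB in production.

final class RateLimiter
{
    /** @var array<string, array{count:int, windowStart:int}> */
    private array $buckets = [];

    public function __construct(
        private int $limit,          // x hits ...
        private int $windowSeconds   // ... per y seconds
    ) {}

    /** Returns true if the request identified by $key is within the limit. */
    public function allow(string $key, int $now): bool
    {
        $bucket = $this->buckets[$key] ?? ['count' => 0, 'windowStart' => $now];
        if ($now - $bucket['windowStart'] >= $this->windowSeconds) {
            // Window expired: start a fresh one.
            $bucket = ['count' => 0, 'windowStart' => $now];
        }
        if ($bucket['count'] >= $this->limit) {
            $this->buckets[$key] = $bucket;
            return false;
        }
        $bucket['count']++;
        $this->buckets[$key] = $bucket;
        return true;
    }
}

// Hypothetical token -> user table; a real app would query its user store.
$validTokens = ['tok_alice_123' => 'alice', 'tok_bob_456' => 'bob'];

$perUser = new RateLimiter(limit: 5, windowSeconds: 60);   // 5 calls/min per token
$perIp   = new RateLimiter(limit: 20, windowSeconds: 60);  // 20 calls/min per address

/**
 * Decide whether to serve a request. Returns the HTTP status to send:
 * 401 for a missing/unknown token, 429 when a limit is hit, 200 otherwise.
 */
function handleRequest(array $validTokens, RateLimiter $perUser, RateLimiter $perIp,
                       ?string $token, string $ip, int $now): int
{
    // Authenticate first so unknown tokens never consume a user's budget.
    if ($token === null || !isset($validTokens[$token])) {
        return 401;
    }
    // The IP bucket is checked first so one address cannot dodge the limit
    // by rotating through several valid tokens.
    if (!$perIp->allow('ip:' . $ip, $now)
        || !$perUser->allow('user:' . $validTokens[$token], $now)) {
        return 429;
    }
    return 200;
}

// Constructed traffic: alice makes six calls inside one minute, so the sixth
// exceeds her per-token limit; a tokenless call is rejected outright; one
// window later her counter has reset.
$now = 1_700_000_000;
for ($i = 0; $i < 6; $i++) {
    echo handleRequest($validTokens, $perUser, $perIp, 'tok_alice_123', '203.0.113.7', $now), "\n";
}
echo handleRequest($validTokens, $perUser, $perIp, null, '203.0.113.7', $now), "\n";
echo handleRequest($validTokens, $perUser, $perIp, 'tok_alice_123', '203.0.113.7', $now + 60), "\n";
```

A fixed window is the simplest scheme and lets a client burst up to 2x the limit across a window boundary; a sliding window or token bucket is the usual next step if that matters for your load.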
Think in terms of encapsulation and scope, restricting access to certain elements and components of the API. For example, your API might have internal variables that are used across a wide variety of internal classes; however, if the developer meddles with an important variable that might offset your entire data set in your API, then you definitely want to restrict access to it. One way (as part of the example) is using class extension, or perhaps passing the variable as needed and using local declaration instead of global. Also, if you are using C++, using header files is a good way to limit exposure of an API.
Overall, such techniques are somewhat language specific; I would recommend reading up on scope as a concept and on scope specific to the language you are intending to use.
PS: there are also various scope keywords for methods as well, such as protected, etc.
I hope this helps...
{edit} Just noticed the PHP tag. I think a good way of doing API encapsulation is restricting access through POST/GET web operations for web applications, and validating input from such queries...
Just found this via Google: http://blog.programmableweb.com/2007/04/02/12-ways-to-limit-an-api/
@stillstanding, we, humble strangers, can neither comment on nor delete anything on this site. You must be aware of the limits...
- API keys for developers: make sure the API isn't totally open so that anyone can make requests.
- Session tracking for users, like @vsz said. Make sure each user gets a uniquely generated token and refresh it every now and then. Personally, I use a SHA-256 hash of random data to generate a user token.
- Depending on who is going to be using your API, it might be good to tie any inputs/updates in your database to a specific API key. That way, if some developer has a valid API key but is either writing malicious code or someone has found an exploit, you can always go back and remove any malicious data, spam, or whatever.
Maybe if you gave more details on what the API is meant to do, we could give better answers.
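The three points in this answer (developer keys, periodically refreshed tokens built from random data, and tying every write to the key that made it) are shown together below. This PHP is an added example for this page, not the answerer's code; the KeyStore class, the owners, the max-age value and the in-memory arrays are all constructed stand-ins for a real key table and data table.

```php
<?php
declare(strict_types=1);
// Added example: issue keys from random bytes, store only their SHA-256 digest,
// expire/refresh them, and stamp every write with the issuing key's id so a
// misbehaving key's data can be purged in one pass.

final class KeyStore
{
    /** @var array<string, array{owner:string, createdAt:int}> indexed by sha256(secret) */
    private array $keys = [];
    /** @var list<array{apiKeyId:string, payload:string}> */
    private array $records = [];

    /** Create a key; the plaintext is returned once and never stored. */
    public function issueKey(string $owner, int $now): string
    {
        $secret = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
        $this->keys[hash('sha256', $secret)] = ['owner' => $owner, 'createdAt' => $now];
        return $secret;
    }

    /** Validate a presented key; returns its stable id (the digest) or null. */
    public function authenticate(string $presented, int $now, int $maxAgeSeconds): ?string
    {
        // Only digests are stored, so a leaked key table yields no usable keys.
        $id = hash('sha256', $presented);
        $meta = $this->keys[$id] ?? null;
        if ($meta === null) {
            return null;                                   // unknown or revoked
        }
        if ($now - $meta['createdAt'] > $maxAgeSeconds) {
            return null;                                   // expired: must refresh
        }
        return $id;
    }

    /** Rotate: revoke the old key and give the same owner a fresh one. */
    public function refreshKey(string $oldId, int $now): string
    {
        $owner = $this->keys[$oldId]['owner'];
        unset($this->keys[$oldId]);
        return $this->issueKey($owner, $now);
    }

    /** Every write carries the id of the key that made it. */
    public function write(string $apiKeyId, string $payload): void
    {
        $this->records[] = ['apiKeyId' => $apiKeyId, 'payload' => $payload];
    }

    /** Abuse found: drop everything the key wrote and revoke it. Returns rows removed. */
    public function purgeKey(string $apiKeyId): int
    {
        $before = count($this->records);
        $this->records = array_values(array_filter(
            $this->records,
            fn(array $r): bool => $r['apiKeyId'] !== $apiKeyId
        ));
        unset($this->keys[$apiKeyId]);
        return $before - count($this->records);
    }

    public function recordCount(): int
    {
        return count($this->records);
    }
}

// Constructed scenario: one legitimate developer, one spammer, a one-day key lifetime.
$store  = new KeyStore();
$now    = 1_700_000_000;
$maxAge = 86_400;
$devKey  = $store->issueKey('dev@example.com', $now);
$spamKey = $store->issueKey('spammer@example.net', $now);

$devId  = $store->authenticate($devKey, $now, $maxAge);
$spamId = $store->authenticate($spamKey, $now, $maxAge);
$store->write($devId, 'legitimate record');
$store->write($spamId, 'spam 1');
$store->write($spamId, 'spam 2');

// Because each row names its key, the spammer's data goes in one operation.
printf("removed %d rows, %d remain\n", $store->purgeKey($spamId), $store->recordCount());

// After the max age the developer's key stops authenticating until refreshed.
var_dump($store->authenticate($devKey, $now + 90_000, $maxAge) === null);
$newKey = $store->refreshKey($devId, $now + 90_000);
var_dump($store->authenticate($newKey, $now + 90_000, $maxAge) !== null);
```

Hashing the key before storage means the database row is useless to anyone who steals it, and using the digest as the foreign key on every write is what makes the "go back and remove it all" step a single query.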
It all depends on the exact nature of the API. (How valuable is the resource that the API allows access to? What type of abuse are you worried about? Etc.) Some typical things include:
- Throttle access to your API (e.g. calls per second), e.g. to prevent excessive server load
- Limit the amount of data that can be obtained from the API (e.g. data records per month), e.g. to prevent people from stealing your data
- Require users to register prior to using the API, and possibly have them verify their email or even phone number to ensure you actually know their identity
- Require users to accept a license agreement prior to using the API
- Restrict certain parts of the API to only certain customers
- Charge money for access to the API (e.g. when people exceed the quota, or want special licensing terms)
Consider using an external service to do all this. My company, WebServius ( http://www.webservius.com ) is one example, and there are others too.
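The quota and tiering items in this answer (records per month, and parts of the API restricted to certain customers) are illustrated below. This PHP is an added example for this page and is not code from the answerer or from WebServius; the Plan and QuotaGate classes, customer ids, quota figures and timestamps are all constructed.

```php
<?php
declare(strict_types=1);
// Added example: a per-customer monthly record quota plus per-endpoint
// entitlements, checked before the handler runs. Usage counters live in an
// array here; in production they would be a table keyed by (customer, month).

final class Plan
{
    /** @param list<string> $allowedEndpoints endpoints this plan may call */
    public function __construct(
        public readonly string $name,
        public readonly int $monthlyRecordQuota,
        public readonly array $allowedEndpoints,
    ) {}
}

final class QuotaGate
{
    /** @var array<string, array{month:string, used:int}> */
    private array $usage = [];

    /** @param array<string, Plan> $customerPlans customer id => Plan */
    public function __construct(private array $customerPlans) {}

    /**
     * Returns [allowed, reason]. $records is the number of rows the call would
     * return; the check reserves them so a single oversize call cannot blow the cap.
     */
    public function check(string $customerId, string $endpoint, int $records, int $now): array
    {
        $plan = $this->customerPlans[$customerId] ?? null;
        if ($plan === null) {
            return [false, 'unknown customer'];
        }
        if (!in_array($endpoint, $plan->allowedEndpoints, true)) {
            return [false, "endpoint $endpoint not included in plan {$plan->name}"];
        }

        $month = gmdate('Y-m', $now);
        $u = $this->usage[$customerId] ?? ['month' => $month, 'used' => 0];
        if ($u['month'] !== $month) {
            $u = ['month' => $month, 'used' => 0];   // new billing month: reset
        }
        if ($u['used'] + $records > $plan->monthlyRecordQuota) {
            $this->usage[$customerId] = $u;
            return [false, sprintf('quota exceeded: %d used + %d requested > %d',
                $u['used'], $records, $plan->monthlyRecordQuota)];
        }
        $u['used'] += $records;
        $this->usage[$customerId] = $u;
        return [true, 'ok'];
    }
}

// Constructed plans and traffic.
$plans = [
    'cust-free' => new Plan('free', 1000, ['search']),
    'cust-pro'  => new Plan('pro', 100_000, ['search', 'bulk_export']),
];
$gate = new QuotaGate($plans);
$now  = 1_700_000_000;   // a mid-month timestamp (constructed)

$requests = [
    ['cust-free', 'search',      600,    $now],               // fits
    ['cust-free', 'search',      600,    $now],               // would push the month past 1000
    ['cust-free', 'bulk_export', 10,     $now],               // endpoint reserved for pro
    ['cust-pro',  'bulk_export', 50_000, $now],               // pro customer, within quota
    ['cust-free', 'search',      600,    $now + 31 * 86_400], // next month, counter reset
];
foreach ($requests as [$customer, $endpoint, $records, $at]) {
    [$ok, $why] = $gate->check($customer, $endpoint, $records, $at);
    printf("%-9s %-11s %6d -> %s (%s)\n", $customer, $endpoint, $records, $ok ? 'allow' : 'deny', $why);
}
```

Counting records rather than calls is what protects the data itself: a client making few, very large requests would pass a calls-per-second throttle but still drain the dataset, so the two limits are complementary rather than alternatives.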