Limit Abuse with Rate Limiting

Learn how to protect your authentication endpoints against abuse.
Last updated on November 7, 2024
Security

Scenario: After setting up authentication in your application, you would like to protect it against brute force attacks and other forms of abuse. To do so, you add a rate limiting rule for preventing abuse on the registration and login endpoints.

  1. Select your project from the Vercel dashboard and select the Firewall tab

  2. From the top right corner of the Firewall page, click the Configure button and then + New Rule

  3. For the Name, enter "Auth Abuse Prevention"

  4. For the Description, enter "Limits requests to registration and login endpoints to prevent abuse and brute force attacks"

  5. In the Configure section, set up the following If condition:

    The Perl Compatible Regular Expression (PCRE) used is:

    • ^/api/auth/(?:register|signup|login|signin)$

    It can be broken down as follows:

    • ^/api/auth/: Matches the beginning of the request path, ensuring it starts with /api/auth/
    • (?:register|signup|login|signin): Matches either register, signup, login, or signin
    • $: Ensures the pattern matches to the end of the request path
  6. For the Then action, select Rate Limit

  7. Select Fixed Window for the limiting strategy with the following values:

    • 60s for the Time Window
    • 10 for the Request Limit
    • IP Address as the key for the request source match
  8. For the rate limiting Then action, choose Deny

  9. Select Save Rule

  10. Apply the changes:

    • When you make any change, you will see a Review Changes button appear or update on the top right with the number of changes requested
    • Select Review Changes and review the changes to be applied
    • Select Publish to apply the changes to your production deployment

This rule will apply to endpoints like /api/auth/register, /api/auth/signup and /api/auth/login, and will block any specific IP that tries to perform more than 10 requests in 60 seconds. This will prevent individual attackers from abusing these endpoints.

For distributed attacks, you can create a second rule with a similar configuration except for the following values:

  • 100 for the Request Limit
  • User agent as the key for the request source match

This will limit requests from specific types of clients.