How do you protect a public API from abuse without using expensive security services?

I’m working on a simple web application that doesn’t have user authentication or registration. The backend API endpoints are open to everyone since there’s no login system.

I need to prevent spam requests, automated bots, and people who might try to call my API endpoints directly instead of using the frontend interface. The problem is that I’m running this as a side project and can’t pay for premium security solutions.

What are some budget-friendly methods you’ve used to add basic protection to an open API? Looking for straightforward approaches that don’t require enterprise-level tools.

Hit this exact problem with my project last year. Best combo I found: throttle requests at the server level and add CORS headers to block unwanted domains. Rate limiting’s easy - just use middleware that tracks IPs and timestamps. Most frameworks have lightweight libraries for this. Also validate requests for headers/parameters your frontend always sends but direct API calls usually don’t. Started logging weird traffic patterns too so I could catch abuse early. Zero cost except dev time, and it cut my server load by 70% in the first month.
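Sketch of what the reply above describes, as an added example rather than code from the thread: a framework-agnostic sliding-window rate limiter keyed by client IP, a check for headers the frontend always sends, and a decision log. One caveat the reply glosses over: CORS is enforced by browsers only, so the Origin check below stops other websites' scripts, not curl; the rate limit and the log are what catch direct callers. The origin `https://example.test`, the `X-Requested-With` marker, the 30-per-minute budget and the sample traffic are all assumptions for illustration.

```javascript
// Added example, not from the original thread. Framework-agnostic so it can be
// wrapped as Express/Koa/Fastify middleware; no external dependencies.

const WINDOW_MS = 60 * 1000;     // sliding window: the last 60 seconds
const MAX_REQUESTS = 30;         // assumed per-IP budget per window
const ALLOWED_ORIGINS = new Set(["https://example.test"]); // assumed frontend origin

class SlidingWindowLimiter {
  constructor(windowMs = WINDOW_MS, max = MAX_REQUESTS) {
    this.windowMs = windowMs;
    this.max = max;
    this.hits = new Map(); // ip -> array of request timestamps (ms)
  }

  // Returns true and records the hit if the IP is under budget, else false.
  allow(ip, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const times = (this.hits.get(ip) || []).filter(t => t > cutoff);
    if (times.length >= this.max) {
      this.hits.set(ip, times);
      return false;
    }
    times.push(now);
    this.hits.set(ip, times);
    return true;
  }

  // Drop idle IPs so a slow scan across many addresses can't grow the map forever.
  prune(now = Date.now()) {
    const cutoff = now - this.windowMs;
    for (const [ip, times] of this.hits) {
      const live = times.filter(t => t > cutoff);
      if (live.length === 0) this.hits.delete(ip); else this.hits.set(ip, live);
    }
  }
}

// Headers a browser-driven frontend sends but a bare curl call usually omits.
// These are hints, not proof: anyone can add them with a single flag.
function looksLikeFrontendRequest(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  if (!ALLOWED_ORIGINS.has(h["origin"])) return { ok: false, reason: "bad-origin" };
  if (h["x-requested-with"] !== "XMLHttpRequest") return { ok: false, reason: "missing-marker" };
  if (!(h["accept"] || "").includes("application/json")) return { ok: false, reason: "bad-accept" };
  return { ok: true, reason: "ok" };
}

// Combined decision. `log` stands in for the server log the reply mentions;
// only denials are recorded so the odd traffic is easy to review later.
function checkRequest(req, limiter, log, now = Date.now()) {
  const ip = req.ip; // use the socket address unless you sit behind a trusted proxy
  if (!limiter.allow(ip, now)) {
    log.push({ ip, decision: "deny", reason: "rate-limit", now });
    return { status: 429, reason: "rate-limit" };
  }
  const shape = looksLikeFrontendRequest(req.headers);
  if (!shape.ok) {
    log.push({ ip, decision: "deny", reason: shape.reason, now });
    return { status: 403, reason: shape.reason };
  }
  return { status: 200, reason: "ok" };
}

// Constructed sample traffic (not real requests): a budget of 3 per minute,
// one well-formed frontend client and one direct curl caller.
function demo() {
  const limiter = new SlidingWindowLimiter(60 * 1000, 3);
  const log = [];
  const t0 = 1700000000000;
  const good = { ip: "203.0.113.7", headers: {
    Origin: "https://example.test", "X-Requested-With": "XMLHttpRequest", Accept: "application/json" } };
  const curl = { ip: "198.51.100.9", headers: { "User-Agent": "curl/8.0", Accept: "*/*" } };
  const results = [];
  results.push(checkRequest(good, limiter, log, t0).status);          // 200
  results.push(checkRequest(curl, limiter, log, t0 + 10).status);     // 403, bad-origin
  for (let i = 0; i < 3; i++) {
    results.push(checkRequest(good, limiter, log, t0 + 100 + i).status); // 200, 200, 429
  }
  results.push(checkRequest(good, limiter, log, t0 + 61000).status);  // 200, window has slid
  return { results, denied: log.length };
}
```

The limiter keeps per-IP timestamps rather than a single counter so a client cannot burst the whole budget at the end of one window and again at the start of the next; call `prune()` from a timer so the map stays bounded. If the app runs behind a reverse proxy, take the client IP from the proxy's forwarded header only when that proxy is the sole path in, otherwise an attacker can spoof it and dodge the limit.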

IP whitelisting worked well for me too. I just blocked all those cloud host IPs because most bots come from AWS and DigitalOcean. Also, putting in some random delays or fake loading screens helps; real users usually don’t mind, but scrapers totally hate it. Free and super effective!
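The cloud-range blocking in the reply above needs a CIDR match, which is easy to get subtly wrong (off-by-one at the range edge, signed 32-bit arithmetic). Added example, not code from the thread: an IPv4 CIDR blocklist with no dependencies. The two ranges are constructed from the RFC 5737 documentation networks for the demo, not real AWS or DigitalOcean ranges; the real providers publish their address lists and you would load those instead.

```javascript
// Added example, not from the original thread. IPv4 only; constructed ranges.
const BLOCKED_CIDRS = ["198.51.100.0/24", "203.0.113.0/25"]; // constructed, not real cloud ranges

// Dotted quad -> unsigned 32-bit number, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const v = Number(p);
    if (v > 255) return null;
    n = n * 256 + v; // plain arithmetic keeps it in 0..2^32-1 without signed wrap
  }
  return n;
}

// "a.b.c.d/bits" -> { network, mask } as unsigned 32-bit numbers.
function parseCidr(cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const baseInt = ipv4ToInt(base);
  if (baseInt === null || !Number.isInteger(bits) || bits < 0 || bits > 32) {
    throw new Error(`bad CIDR: ${cidr}`);
  }
  // "<< 32" is a no-op in JS, so /0 must be special-cased; ">>> 0" makes the result unsigned.
  const mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return { network: (baseInt & mask) >>> 0, mask };
}

function ipInCidr(ip, rule) {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return ((n & rule.mask) >>> 0) === rule.network;
}

// Returns a predicate ip -> boolean. Parse the rules once at startup, not per request.
function makeBlocklist(cidrs) {
  const rules = cidrs.map(parseCidr);
  return ip => rules.some(r => ipInCidr(ip, r));
}

// Constructed sample addresses, including both sides of the /25 boundary.
function demo() {
  const isBlocked = makeBlocklist(BLOCKED_CIDRS);
  return {
    inRange: isBlocked("198.51.100.42"),  // true
    edgeLow: isBlocked("203.0.113.127"),  // true, last address inside the /25
    edgeHigh: isBlocked("203.0.113.128"), // false, first address outside it
    home: isBlocked("192.0.2.10"),        // false
    garbage: isBlocked("not-an-ip"),      // false: malformed input is not matched
  };
}
```

Match against the address the TCP connection actually came from; trusting a client-supplied forwarded header lets anyone pick an address outside your ranges. Keep in mind what the blocklist costs you: VPNs, corporate egress and some home ISPs also sit in cloud ranges, so pair it with the rate limit rather than relying on it alone, and keep a log of what it rejects.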

Interesting challenge! Try adding a simple captcha to your forms. You can also check user-agent strings - real browsers send different headers than most bots. Are you seeing specific attack patterns or just being proactive? Knowing what kind of abuse you’re worried about would help.