Vulnerability Discussion
The API must audit rate-limiting events to ensure security, system stability, and fair resource usage. Rate limiting is essential for protecting the API from abuse, such as denial-of-service (DoS) attacks, where an attacker could overwhelm the system with excessive requests. By auditing rate-limiting events, the API can track when users or services exceed predefined thresholds, providing insight into potentially malicious behavior or misuse. These logs help detect patterns of abuse, such as attempts to bypass rate limits or automate excessive requests, allowing for timely intervention.
Check
Verify the API audits rate-limiting events.
1. Access the API configuration to ensure rate limiting is enabled. The rate-limiting configuration specifies how many requests are allowed per time period (e.g., 1,000 requests per hour).
2. Verify rate-limiting events are configured to be logged. This includes events where a user exceeds their allowed request rate, triggering rate-limiting actions.
The API's audit or access log entries should:
- Indicate when a rate limit was exceeded.
- Include details about the API key or user who exceeded the limit.
- Provide the rate-limiting threshold (e.g., "rate limit exceeded: 1,000 requests per hour").
- Mention the specific API endpoint that was accessed.
3. Review the organization's security policies to ensure rate-limiting events are properly audited as per requirements.
If the API is not auditing rate-limiting events, this is a finding.
Fix
Build or configure the API Gateway to enforce rate limits and log these events, including the thresholds for triggering rate limiting.
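As an added illustration (not part of this requirement text, and not any particular gateway's code), the following fixed-window limiter emits one structured audit event per rejected request carrying the fields the check calls for: that the limit was exceeded, which API key, the threshold and window, and the endpoint. The class, field names, and in-memory audit sink are assumptions made for the example; a real deployment would send the JSON line to the gateway's audit log.

```python
"""Added example: a fixed-window rate limiter whose rejections are auditable."""
import json
import logging
from collections import defaultdict

LOGGER = logging.getLogger("api.audit")
# Fields every rate-limit audit entry must carry (assumed schema for this example).
REQUIRED_FIELDS = {"event", "api_key", "limit", "window_seconds", "endpoint", "time"}


class RateLimiter:
    def __init__(self, limit, window_seconds, sink=None):
        self.limit = limit                  # e.g. 1000 requests ...
        self.window = window_seconds        # ... per 3600 seconds
        self.counts = defaultdict(int)      # (api_key, window_index) -> request count
        self.audit = sink if sink is not None else []   # constructed in-memory audit sink

    def allow(self, api_key, endpoint, now):
        """Return True if the request is within the limit, else log an audit event and deny."""
        window_index = int(now // self.window)
        key = (api_key, window_index)
        self.counts[key] += 1
        if self.counts[key] <= self.limit:
            return True
        event = {
            "event": "rate_limit_exceeded",
            "api_key": api_key[:4] + "...",   # identify the key without writing the secret to logs
            "limit": self.limit,
            "window_seconds": self.window,
            "endpoint": endpoint,
            "time": now,
            "count": self.counts[key],        # how far past the threshold the caller is
        }
        self.audit.append(event)
        LOGGER.warning(json.dumps(event))    # one JSON line per rejection
        return False


def audit_entries_complete(entries):
    """Check-step helper: True only if every logged event has all required fields."""
    return all(REQUIRED_FIELDS <= set(entry) for entry in entries)
```

Running the check against the collected entries with `audit_entries_complete` mirrors step 2 above: an empty or field-incomplete audit trail for rejected requests is what the finding describes.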