    API4:2023 - Unrestricted Resource Consumption

    Missing limits on requests and workloads allow cost abuse and denial of service.

    Why This Category Exists

    APIs can expose expensive queries, large payload handling, and CPU-intensive operations. Without limits and quotas, attackers or buggy clients can exhaust compute, memory, and database capacity.

    Common Impact

    • Service degradation and outage.
    • Unexpected cloud cost spikes.
    • Noisy-neighbor impact across tenants.

    Prevention Checklist

    • Apply rate limits per user, IP, token, and tenant.
    • Enforce payload, page size, and execution time limits.
    • Use quotas, circuit breakers, and backpressure patterns.
    • Track abusive patterns with alerting and automated mitigation.
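    As an added example (not code from the original guide), the sketch below turns the first two checklist items into a request gate: a token-bucket rate limiter keyed separately per tenant, user and client IP, a request-body size cap, and a page-size clamp. The limit values, the `check_request` helper and the returned HTTP status codes are constructed for illustration and should be tuned to the real service's capacity.

```python
import time
from dataclasses import dataclass

# Constructed policy: (sustained requests per minute, burst allowance) per scope.
LIMITS = {"tenant": (600, 100), "user": (60, 10), "ip": (120, 20)}
MAX_BODY_BYTES = 64 * 1024   # reject larger request bodies before parsing them
MAX_PAGE_SIZE = 100          # clamp any requested page size to this ceiling


@dataclass
class TokenBucket:
    capacity: float
    refill_per_sec: float
    tokens: float
    last: float


class RateLimiter:
    """Token buckets keyed by (scope, key), e.g. ("user", "u1") or ("ip", "10.0.0.1")."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock  # injectable so tests can advance time deterministically
        self.buckets: dict[tuple[str, str], TokenBucket] = {}

    def _bucket(self, scope: str, key: str, now: float) -> TokenBucket:
        b = self.buckets.get((scope, key))
        if b is None:
            per_min, burst = LIMITS[scope]
            b = self.buckets[(scope, key)] = TokenBucket(burst, per_min / 60.0, burst, now)
        # Refill in proportion to elapsed time, never above the burst capacity.
        b.tokens = min(b.capacity, b.tokens + (now - b.last) * b.refill_per_sec)
        b.last = now
        return b

    def allow(self, keys: list[tuple[str, str]]) -> bool:
        """Admit only if every scope has a token; charge all scopes or none."""
        now = self.clock()
        buckets = [self._bucket(s, k, now) for s, k in keys]
        if any(b.tokens < 1 for b in buckets):
            return False
        for b in buckets:
            b.tokens -= 1
        return True


def check_request(limiter, tenant, user, ip, body_len, page_size):
    """(status, page size): 413 oversize body, 429 any bucket empty, else 200 clamped."""
    if body_len > MAX_BODY_BYTES:
        return 413, None
    if not limiter.allow([("tenant", tenant), ("user", user), ("ip", ip)]):
        return 429, None
    return 200, max(1, min(page_size, MAX_PAGE_SIZE))
```

    Because a rejected request is not charged to any scope, one exhausted user bucket does not silently drain the tenant or IP budgets.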