How to Protect Your Public API from Bots: Simple and Effective Techniques
Introduction
When your API is public, anyone can access it — including bots. One of the most common issues developers face is bots sending too many login requests, trying to break into accounts or overload the server.
If you don’t protect your API, this can cause crashes, slow performance, and even security risks.
This blog explains simple and effective ways to protect your login API from bots and automated abuse.
1. Rate Limiting
What It Does
Rate limiting controls how many requests a user or IP can make within a given time window. This stops bots from sending hundreds of login attempts in a short time.
How to Use It
Apply strict rate limits on the /login route.
const express = require("express");
const rateLimit = require("express-rate-limit");
const app = express();
// If the app sits behind a reverse proxy, set app.set("trust proxy", 1) so req.ip is the client's address, not the proxy's
const loginLimiter = rateLimit({
  windowMs: 5 * 60 * 1000, // 5-minute window
  max: 10, // at most 10 login attempts per IP per window
  message: "Too many login attempts. Try again later."
});
app.post("/login", loginLimiter, loginController); // loginController is your existing login handler
Tips
- Keep login route limits strict.
- Use Redis for rate limiting in distributed systems.
2. IP Blocking and Throttling
Why It Helps
Some IPs make too many bad requests. Blocking them or slowing them down reduces bot traffic quickly.
How to Implement
// Deny list of IPs that have sent too many bad requests (hard-coded here; see Tips for a Redis-backed list)
const blockedIPs = new Set([
  "192.168.1.10",
  "203.0.113.42"
]);
// Register this before the routes so blocked clients never reach the login controller
app.use((req, res, next) => {
  if (blockedIPs.has(req.ip)) {
    return res.status(403).send("Access denied");
  }
  next();
});
Tips
- Store blocked IPs in Redis.
- Use Cloudflare or AWS WAF to block bots at the edge level.
3. Add CAPTCHA
Why It Works
Most bots cannot solve CAPTCHAs, so a CAPTCHA adds an extra layer of protection on top of rate limiting.
When to Show CAPTCHA
- After 3–5 failed login attempts
- When the system detects suspicious activity
Good Options
- Google reCAPTCHA v3
- hCaptcha
- Cloudflare Turnstile
4. Detect Suspicious Behavior
What to Check
Bots often have unusual patterns like:
- Strange or empty User-Agent
- Very fast repeated requests
- No cookies
- Odd languages or headers
If something looks suspicious, you can block or challenge the request.
Tip
Give each request a risk score. If it’s too risky, require CAPTCHA.
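As an added example that is not part of the original post, here is an Express-style middleware that turns the heuristics above into a risk score and decides whether to allow, challenge or block the request. The weights, thresholds, the list of scripted User-Agents and the x-captcha-token header are assumptions to tune for your own service.

```javascript
// Added example: risk-scoring middleware for the section-4 heuristics.
// Weights, thresholds, scripted-UA list and the x-captcha-token header are assumptions; tune them.
const WEIGHTS = {
  missingUserAgent: 40,  // empty or absent User-Agent
  scriptedUserAgent: 25, // User-Agent of a common HTTP library
  noCookies: 15,         // browser sessions normally carry cookies
  noAcceptLanguage: 10,  // browsers send Accept-Language
  burst: 30              // more than BURST_MAX requests from one IP within BURST_WINDOW_MS
};
const BURST_WINDOW_MS = 10 * 1000;
const BURST_MAX = 5;
const CHALLENGE_AT = 40; // score >= CHALLENGE_AT -> require CAPTCHA
const BLOCK_AT = 80;     // score >= BLOCK_AT -> reject outright
const SCRIPTED_UA = /\b(curl|wget|python-requests|go-http-client|httpclient)\b/i;
// Recent request timestamps per IP (in-memory; use Redis when running several instances).
const recentByIp = new Map();

function recordAndCountBurst(ip, now) {
  const times = (recentByIp.get(ip) || []).filter(t => now - t < BURST_WINDOW_MS);
  times.push(now);
  recentByIp.set(ip, times);
  return times.length;
}

// Score one request; returns { score, action, reasons } so the decision can be logged (section 8).
function scoreRequest({ ip, headers = {} }, now = Date.now()) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const reasons = [];
  const ua = (h["user-agent"] || "").trim();
  if (!ua) reasons.push("missingUserAgent");
  else if (SCRIPTED_UA.test(ua)) reasons.push("scriptedUserAgent");
  if (!h["cookie"]) reasons.push("noCookies");
  if (!h["accept-language"]) reasons.push("noAcceptLanguage");
  if (recordAndCountBurst(ip, now) > BURST_MAX) reasons.push("burst");
  const score = reasons.reduce((sum, r) => sum + WEIGHTS[r], 0);
  const action = score >= BLOCK_AT ? "block" : score >= CHALLENGE_AT ? "challenge" : "allow";
  return { score, action, reasons };
}

// Express-style middleware: block, demand a CAPTCHA token, or pass the request on.
// The token itself must still be verified server-side with your CAPTCHA provider.
function riskMiddleware(req, res, next) {
  const risk = scoreRequest(req);
  req.risk = risk; // keep the score and reasons for logging/monitoring
  if (risk.action === "block") return res.status(403).json({ error: "Access denied" });
  if (risk.action === "challenge" && !(req.headers || {})["x-captcha-token"]) {
    return res.status(429).json({ error: "CAPTCHA required" });
  }
  next();
}
```

Mount it with app.use("/login", riskMiddleware) ahead of the login controller; the same reasons array is useful as a log field for the monitoring in section 8.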
5. Slow Down Bots with Delayed Responses
Why It Helps
Bots depend on speed. If your server responds slowly after repeated failures from the same source, automated guessing becomes ineffective.
Example
const failedAttempts = {}; // ip -> failed login count, incremented by the login controller on each failure
app.use("/login", async (req, res, next) => {
  // Delay only repeat offenders; normal users still get a fast response
  if ((failedAttempts[req.ip] || 0) > 5) await new Promise(r => setTimeout(r, 1500));
  next();
});
Tip
Delay only for suspicious users, not everyone.
6. Use a Web Application Firewall (WAF)
Why Use a WAF?
A WAF filters requests before they reach your backend. It can block known bots, DDoS traffic, and bad IPs automatically.
Best Choices
- Cloudflare WAF
- AWS WAF
- Fastly Security
Tip
Enable bot protection modes for better filtering.
7. Passwordless Login
What It Means
Instead of a password, users log in using:
- OTP
- Magic link
- Passkeys (WebAuthn)
Why It Helps
Bots cannot brute-force accounts if there is no password.
8. Monitor Everything
Why Monitoring Matters
You need to know what’s happening on your API to act quickly.
Track These
- Login attempts per IP
- Number of failed attempts
- Traffic spikes
- Strange request patterns
Best Tools
- Grafana
- ELK Stack
- Datadog
9. Use Short-Lived JWT Tokens
Why
If an attacker gets a token, short expiry reduces the damage.
Best Practice
- Access token: 10–15 minutes
- Refresh token: 7–30 days
Conclusion
If your public API is getting attacked by bots, don’t worry — it’s a common problem. The best solution is a layered approach, where multiple techniques work together.
To protect your login API:
- Use rate limiting
- Block bad IPs
- Add CAPTCHA
- Detect suspicious activity
- Use a WAF
- Monitor traffic
- Use safer login methods
By applying these steps, your API becomes much safer and more reliable.
Happy coding and stay secure! 🔐🚀