How to Enforce a Quota on the CORS OPTIONS Method in Amazon API Gateway

Amazon API Gateway supports usage plans which contain quotas to limit the number of requests a user can make to your API in a given time period. Quotas work by inspecting the HTTP header carrying the API key in every incoming request. Quotas are enforced on a per-user basis, i.e., a quota of 100 per day will allow no more than 100 requests carrying a particular API key, per day.

But what about requests that do not or cannot carry an API key? API Gateway cannot enforce any quotas on them. One such request is the HTTP OPTIONS method used by browsers in preflight requests to determine the CORS status of API endpoints before making the actual call to the API. A preflight is sent by the browser itself, without the application's custom headers, so the API key header is never present on it. CORS is essential to many APIs & OPTIONS is essential to CORS. As such, it’s important to limit OPTIONS calls too, so your API bill doesn’t go through the roof just because someone ran an OPTIONS-based DDoS on your API. This article describes a way to use WAF to limit OPTIONS calls.

Start by visiting https://console.aws.amazon.com/wafv2/homev2/web-acls & click “Create Web ACL”. Associate the web ACL with a stage of your API & proceed as shown below:

The rest of the web ACL creation is straightforward. Finish creating it & the OPTIONS quota will go into effect immediately!
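The console steps above produce a WAF web ACL whose rule counts only OPTIONS requests. The following is an added example, not code from the original post: it builds the same rule in the shape the WAFv2 API expects (a rate-based statement scoped down to the OPTIONS method, which boto3's `create_web_acl` accepts in its `Rules` list), and replays a constructed request log to show which source IPs the rule would block. The rule name, the limit of 100 requests, the sample IP addresses and the request timings are assumptions; rate-based rules aggregate by source IP over a 5-minute window, which is why the rule limits a client rather than an API key.

```python
from collections import defaultdict, deque

# WAF rate-based rules count requests per source IP over a 5-minute window.
WINDOW_SECONDS = 300


def options_rate_rule(limit: int, name: str = "LimitOptionsPreflight") -> dict:
    """Return a WAFv2 rule dict that blocks an IP sending more than `limit`
    OPTIONS requests in any 5-minute window. Other methods are not counted,
    so normal GET/POST traffic stays under the usage-plan quota instead.
    (Rule name and limit are assumptions for this example.)"""
    return {
        "Name": name,
        "Priority": 0,
        "Action": {"Block": {}},
        "Statement": {
            "RateBasedStatement": {
                "Limit": limit,
                "AggregateKeyType": "IP",
                # Scope-down: only requests whose method is exactly OPTIONS
                # contribute to the count.
                "ScopeDownStatement": {
                    "ByteMatchStatement": {
                        "FieldToMatch": {"Method": {}},
                        "PositionalConstraint": "EXACTLY",
                        "SearchString": b"OPTIONS",  # boto3 expects bytes here
                        "TextTransformations": [{"Priority": 0, "Type": "NONE"}],
                    }
                },
            }
        },
        "VisibilityConfig": {
            "SampledRequestsEnabled": True,
            "CloudWatchMetricsEnabled": True,
            "MetricName": name,
        },
    }


def blocked_ips(rule: dict, requests: list) -> set:
    """Replay (timestamp_seconds, source_ip, method) tuples against the rule
    and return the IPs that would exceed the limit inside a sliding window."""
    rate = rule["Statement"]["RateBasedStatement"]
    limit = rate["Limit"]
    wanted = rate["ScopeDownStatement"]["ByteMatchStatement"]["SearchString"].decode()
    windows = defaultdict(deque)  # per-IP timestamps of counted requests
    blocked = set()
    for ts, ip, method in sorted(requests):
        if method != wanted:
            continue  # not OPTIONS: left to the API key quota, not counted here
        window = windows[ip]
        window.append(ts)
        while window and ts - window[0] > WINDOW_SECONDS:
            window.popleft()  # drop requests older than the 5-minute window
        if len(window) > limit:
            blocked.add(ip)
    return blocked


# Constructed sample traffic (not real logs):
#  - 203.0.113.5 fires 120 preflights within two minutes
#  - 198.51.100.7 sends 50 preflights plus 200 keyed GETs
#  - 192.0.2.9 sends one preflight per minute for two hours
SAMPLE_REQUESTS = (
    [(t, "203.0.113.5", "OPTIONS") for t in range(120)]
    + [(t, "198.51.100.7", "OPTIONS") for t in range(50)]
    + [(t, "198.51.100.7", "GET") for t in range(200)]
    + [(t * 60, "192.0.2.9", "OPTIONS") for t in range(120)]
)


if __name__ == "__main__":
    rule = options_rate_rule(100)
    print("blocked:", sorted(blocked_ips(rule, SAMPLE_REQUESTS)))  # ['203.0.113.5']
```

The replay illustrates the two behaviours worth checking before you deploy such a rule: a client whose OPTIONS calls are spread out (192.0.2.9) never exceeds the limit even though its total is above 100, and a client's keyed requests (198.51.100.7's GETs) are not counted, so the rate rule and the usage-plan quota do not double-charge the same traffic. To deploy, pass the returned dict in the `Rules` list of `create_web_acl` with `Scope="REGIONAL"` and associate the web ACL with the API stage ARN, as the console does above.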
