The API must audit rate-limiting events.

Overview

Finding ID:  V-274525
Version:     SRG-APP-000095-API-001750
Rule ID:     SV-274525r1143929_rule
IA Controls: CCI-000130
Severity:    medium
Description
The API must audit rate-limiting events to ensure security, system stability, and fair resource usage. Rate limiting is essential for protecting the API from abuse, such as denial-of-service (DoS) attacks, where an attacker could overwhelm the system with excessive requests. By auditing rate-limiting events, the API can track when users or services exceed predefined thresholds, providing insight into potentially malicious behavior or misuse. These logs help detect patterns of abuse, such as attempts to bypass rate limits or automate excessive requests, allowing for timely intervention.
STIG: Application Programming Interface (API) Security Requirements Guide
Date: 2025-09-24

Related Frameworks

4 paths across 3 frameworks

NIST 800-53 (1 mapping)
  AU-3 (1.00)
    • DISA · V1R1 · disa_xccdf · related
    • DISA · 2025-01-23 · disa_cci_list · equivalent

NIST 800-171 (2 mappings)
  3.3.1 (1.00)
    • DISA · V1R1 · disa_xccdf · related
    • DISA · 2025-01-23 · disa_cci_list · equivalent
    • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent
  3.3.2 (1.00)
    • DISA · V1R1 · disa_xccdf · related
    • DISA · 2025-01-23 · disa_cci_list · equivalent
    • NIST · Rev 2 (Feb 2020, errata Jan 2021) · nist_800_171_app_d · equivalent

CCI (1 mapping)
  CCI-000130 (1.00)
    • DISA · V1R1 · disa_xccdf · related

Details

Check Text (C-274525r1143929_chk)

Verify the API audits rate-limiting events.

1. Access the API configuration to ensure rate limiting is enabled. Rate limiting will specify how many requests are allowed per time period (e.g., 1,000 requests per hour).

2. Verify rate-limiting events are configured to be logged. This includes events where a user exceeds their allowed request rate, triggering rate-limiting actions. The API's audit or access log entries should:
   - Indicate when a rate limit was exceeded.
   - Include details about the API key or user who exceeded the limit.
   - Provide the rate-limiting threshold (e.g., "rate limit exceeded: 1,000 requests per hour").
   - Mention the specific API endpoint that was accessed.

3. Review the organization's security policies to ensure rate-limiting events are properly audited as per requirements.

If the API is not auditing rate-limiting events, this is a finding.

Fix Text (F-78531r1142386_fix)

Build or configure the API Gateway to enforce rate limits and log these events, including the thresholds for triggering rate limiting.
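The following is an added illustration, not part of the STIG or any particular gateway product: a per-key fixed-window rate limiter that writes one structured audit entry for every rejected request, carrying the fields the check text above lists (exceeded indicator, key/user, threshold, endpoint), plus a checker an assessor could run over a log to confirm those fields are present. The field names, the fixed-window algorithm and the JSON-lines format are assumptions.

```python
"""Rate limiter that audits every rate-limiting event (added example, not STIG text).

Assumptions: fixed-window counting per API key, JSON-lines audit output, and the
field names below. Callers pass a key *identifier* (not the secret key value)
so the audit log never stores a usable credential.
"""
import json
from collections import defaultdict

# Constructed default threshold, matching the check text's example of 1,000 requests per hour.
DEFAULT_LIMIT = 1000
DEFAULT_WINDOW_SECONDS = 3600
# Every audit entry must carry these fields to satisfy the check text's four bullet points.
REQUIRED_AUDIT_FIELDS = {"ts", "event", "api_key_id", "threshold", "endpoint", "outcome"}


class AuditingRateLimiter:
    """Counts requests per (key, window); over-limit requests are rejected and audited."""

    def __init__(self, limit=DEFAULT_LIMIT, window=DEFAULT_WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self._counts = defaultdict(int)   # (api_key_id, window_start) -> request count
        self.audit_log = []               # one JSON line per rate-limiting event

    def allow(self, api_key_id, endpoint, now):
        """Return True if the request is within the limit; otherwise audit it and return False."""
        window_start = int(now) - int(now) % self.window   # window rolls over automatically
        bucket = (api_key_id, window_start)
        self._counts[bucket] += 1
        if self._counts[bucket] <= self.limit:
            return True
        entry = {
            "ts": int(now),                                  # when the limit was exceeded
            "event": "rate_limit_exceeded",                  # indicates a limit was exceeded
            "api_key_id": api_key_id,                        # who exceeded it (identifier only)
            "threshold": f"{self.limit} requests per {self.window} seconds",
            "endpoint": endpoint,                            # which endpoint was accessed
            "outcome": "rejected",
        }
        self.audit_log.append(json.dumps(entry))
        return False


def audit_entry_is_complete(line):
    """Assessor-side check: does this log line carry every field the STIG check expects?"""
    try:
        entry = json.loads(line)
    except ValueError:
        return False
    return (isinstance(entry, dict) and REQUIRED_AUDIT_FIELDS <= set(entry)
            and entry["event"] == "rate_limit_exceeded")


def demo():
    """Constructed run: limit of 3 per 60 s, five requests in one window -> two audited rejections."""
    limiter = AuditingRateLimiter(limit=3, window=60)
    results = [limiter.allow("key-demo", "/v1/orders", now=100 + i) for i in range(5)]
    return results, limiter.audit_log
```

Reviewing `audit_log` (or the equivalent gateway log) with `audit_entry_is_complete` is the kind of evidence step 2 of the check text asks for.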