Challenge which is not JS or CAPTCHA

Hi,
I would like to protect my API, to which a user sends GET and POST HTTP requests by using the mobile application I developed.
The mobile application and the API don’t support JS and Cookies.
Is there a challenge other than a JS challenge or CAPTCHA I can use?
Thanks

I am afraid there isn't. You could probably use Access, but then that wouldn't be a challenge.

You could build authentication into your app using workers:

https://developers.cloudflare.com/workers/archive/recipes/signed-requests/

or use oauth:

or write some other Workers-specific implementation for your application to serve as either a challenge or key which your app will support.

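One way the signed-request approach suggested above can work, as an added example that is not code from this thread or from the linked Cloudflare recipe: the app signs each request with HMAC-SHA256 and the edge verifies it before the request reaches the API. The header names, the canonical string, the 300-second window and the key are assumptions, and Node's `crypto` module is used so the sketch runs offline.

```javascript
const nodeCrypto = require("node:crypto");

const MAX_SKEW_SECONDS = 300; // assumed replay window

// String covered by the signature: method, path and query, timestamp, body hash.
// Binding the body hash means a captured signature cannot be reused with new data.
function canonicalize(method, path, timestamp, body) {
  const bodyHash = nodeCrypto.createHash("sha256").update(body || "").digest("hex");
  return [method.toUpperCase(), path, String(timestamp), bodyHash].join("\n");
}

// App side: build the two headers (hypothetical names) to attach to a request.
function signRequest(key, method, path, body, nowMs) {
  const timestamp = Math.floor(nowMs / 1000);
  const signature = nodeCrypto.createHmac("sha256", key)
    .update(canonicalize(method, path, timestamp, body)).digest("hex");
  return { "x-timestamp": String(timestamp), "x-signature": signature };
}

// Edge side: returns { ok, reason } so rejected requests can be logged by cause.
function verifyRequest(key, method, path, body, headers, nowMs) {
  const timestamp = Number(headers["x-timestamp"]);
  const given = headers["x-signature"] || "";
  // Reject missing or malformed values before doing any crypto.
  if (!Number.isInteger(timestamp) || !/^[0-9a-f]{64}$/.test(given)) {
    return { ok: false, reason: "malformed" };
  }
  // A bounded clock window limits how long a captured request can be replayed.
  if (Math.abs(Math.floor(nowMs / 1000) - timestamp) > MAX_SKEW_SECONDS) {
    return { ok: false, reason: "stale" };
  }
  const expected = nodeCrypto.createHmac("sha256", key)
    .update(canonicalize(method, path, timestamp, body)).digest();
  // Constant-time comparison; both buffers are 32 bytes at this point.
  const ok = nodeCrypto.timingSafeEqual(expected, Buffer.from(given, "hex"));
  return ok ? { ok: true, reason: "valid" } : { ok: false, reason: "bad-signature" };
}
```

In a Worker the same check can be written against the Web Crypto API (`crypto.subtle`). A key shipped inside an app binary can be extracted, so a per-user or per-device key issued at login limits the damage of a leak.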

Is there another solution to protect APIs from abusive usage which is not an authentication solution?
I currently use rate limits, but I need other protection measures.

Other as in? If authentication and challenges are both not an option you are not left with much.

Cloudflare Bot Management is an option if you’re an Enterprise customer. You can also potentially use Bot Fight mode if connections to your app are from mobile devices as described, it’s unlikely a mobile device would connect from a Cloud Compute platform. You can also use Firewall rules to block requests which don’t match your API schema.

If CAPTCHA is an option for you, you can always use a CAPTCHA in your app, and give everyone who passes it 30-minute tokens to access your API.

Or another idea I got, but you will need Workers for this: test if the user actually used the app before accessing your API, so a bot will go directly to your API, while normal users will go through your app first, then mark them and allow them to pass.

Your question is good because if you take the API part away you are still left with the same problem: how do you protect your site from a layer 7 attack if you can't allow yourself to turn CAPTCHA on for all visitors? The sad answer is there is no simple way. In the current state we need to fight each attack and block it manually, so the first step is to get logs (look into Logflare or Workers).

How about this one?
https://support.cloudflare.com/hc/en-us/articles/115001635128-Configuring-Rate-Limiting-in-the-Cloudflare-Dashboard
