How to protect my app against abuse
I'm getting ready to release my app next week and I'm trying to make the final preparations. I have IP-based rate limiting with Upstash so users can't make more than 10 requests per 10 s from the same IP. However, I'm a bit concerned about people who might abuse the app and drive up the costs on my serverless backends. My app runs tournaments and currently uses the following services:
- Google Cloud Firestore for maintaining the state of each tournament and pushing it to clients in realtime
- Google Cloud Storage for holding profile pictures and thumbnails for the tournaments
- Algolia for fuzzy searching of the tournaments
- Upstash for rate limiting my API requests
- Vercel for hosting the app
- Vercel's next/image for caching images
My current list of questions is:
- What kind of general protections can I put in place to make sure users can't abuse my app? Right now I just have IP-based rate limiting.
- What prevents someone from calling one of the functions to update a tournament over and over again from a few different computers and driving up cost?
- How should I limit the size of images being uploaded to the app for thumbnails / profile pictures?
- Should I be concerned about next/image caching costs?
1 Reply
On a kind of related note, does anyone have suggestions for how to handle Terms and Conditions?
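The first three questions in the post (general protections, one person hammering the tournament-update function from several machines, and capping image uploads) share a single practical answer: rate limit on the authenticated identity and not only on the IP, make expensive actions cost more of that budget than cheap ones, and reject oversized or non-image uploads before doing any work on them. The block below is an added example written for this thread; it is not code from the poster's app or from Upstash, Vercel, Firebase or Algolia. It is plain Node.js so it runs offline: an in-memory Map stands in for Upstash Redis, the 20-points-per-minute user budget, the per-action weights, the 2 MiB cap, and the `uid`/`ip`/`action` request shape are all assumptions, and `uid` is taken to have already been extracted from a verified credential such as a decoded Firebase ID token.

```javascript
// Added example, not from the original post or any service it names.
// (1) Sliding-window limiter keyed on the authenticated user as well as the IP,
// with per-action costs; (2) upload validation by size and real content type.
// The Map stands in for Upstash Redis; limits and weights are assumed values.

// Sliding-window-log limiter: each key holds {ts, cost} entries that expire as
// they leave the window. Swap `store` for Redis in production; the key design
// is what matters here.
class SlidingWindowLimiter {
  constructor(limit, windowMs, now = () => Date.now()) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.store = new Map();
  }
  // Consume `cost` points from `key`; returns { allowed, remaining, retryAfterMs }.
  check(key, cost = 1) {
    const t = this.now();
    const hits = (this.store.get(key) || []).filter((h) => h.ts > t - this.windowMs);
    const used = hits.reduce((sum, h) => sum + h.cost, 0);
    if (used + cost > this.limit) {
      this.store.set(key, hits);
      const retryAfterMs = hits.length ? hits[0].ts + this.windowMs - t : 0;
      return { allowed: false, remaining: Math.max(0, this.limit - used), retryAfterMs };
    }
    hits.push({ ts: t, cost });
    this.store.set(key, hits);
    return { allowed: true, remaining: this.limit - used - cost, retryAfterMs: 0 };
  }
}

// Assumed weights: a tournament update costs more than a read, so a budget of
// 20 points per minute allows 20 reads but only 4 updates, whatever the IP.
const ACTION_COST = { read: 1, updateTournament: 5, uploadImage: 10 };

// Builds the per-request guard. `uid` must come from a verified credential
// (e.g. a decoded Firebase ID token), never from a client-supplied field. The
// IP bucket reproduces the poster's existing 10 req / 10 s rule; the user
// bucket is the addition: one account on ten machines still shares one budget.
function createGuard({ now = () => Date.now() } = {}) {
  const ipLimiter = new SlidingWindowLimiter(10, 10_000, now);
  const userLimiter = new SlidingWindowLimiter(20, 60_000, now);
  return function guardRequest({ ip, uid, action }) {
    if (!uid) return { status: 401, reason: "authentication required" }; // writes are never anonymous
    const cost = ACTION_COST[action];
    if (cost === undefined) return { status: 400, reason: "unknown action" };
    const byIp = ipLimiter.check(`ip:${ip}`);
    if (!byIp.allowed) return { status: 429, reason: "ip", retryAfterMs: byIp.retryAfterMs };
    const byUser = userLimiter.check(`uid:${uid}`, cost);
    if (!byUser.allowed) return { status: 429, reason: "user", retryAfterMs: byUser.retryAfterMs };
    return { status: 200, remaining: byUser.remaining };
  };
}

// ---- Upload validation -----------------------------------------------------
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024; // assumed 2 MiB cap for thumbnails and avatars

// Identify the real format from the leading bytes; Content-Type is client-chosen.
function sniffImageType(buf) {
  const startsWith = (...bytes) => bytes.every((b, i) => buf[i] === b);
  if (startsWith(0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a)) return "image/png";
  if (startsWith(0xff, 0xd8, 0xff)) return "image/jpeg";
  if (buf.length >= 12 && buf.toString("ascii", 0, 4) === "RIFF" &&
      buf.toString("ascii", 8, 12) === "WEBP") return "image/webp";
  return null;
}

// Reject on the declared Content-Length before buffering the body, then
// re-check the bytes actually received: the header is attacker-controlled.
function validateUpload(body, declaredLength) {
  if (declaredLength > MAX_UPLOAD_BYTES) return { ok: false, reason: "declared size too large" };
  if (body.length > MAX_UPLOAD_BYTES) return { ok: false, reason: "body exceeds limit" };
  const type = sniffImageType(body);
  if (!type) return { ok: false, reason: "not a PNG, JPEG or WebP" };
  return { ok: true, type };
}

// Constructed walkthrough: the same account from five different IPs.
function demo() {
  const guard = createGuard();
  for (let i = 0; i < 5; i++) {
    const r = guard({ ip: `203.0.113.${i}`, uid: "user-1", action: "updateTournament" });
    console.log(`update from 203.0.113.${i}:`, r);
  }
  const fakePng = Buffer.concat([Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]), Buffer.alloc(64)]);
  console.log("png upload:", validateUpload(fakePng, fakePng.length));
  console.log("svg upload:", validateUpload(Buffer.from("<svg xmlns='http://www.w3.org/2000/svg'/>"), 40));
}

if (typeof require !== "undefined" && require.main === module) demo();
```

In the walkthrough the fifth update from a fresh IP is refused with a `Retry-After` value even though every IP is well under the 10-per-10 s rule, which is exactly the gap the second question describes. For the upload path the same two checks belong in the client-side picker too, but only as a convenience; the server-side size and magic-byte checks are the ones an abuser cannot skip, and validating before the bytes reach Cloud Storage or next/image keeps the cost of a rejected upload at one read of the header.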