We're exposing a public API to the internet and expect both legitimate heavy users and malicious traffic. How would you protect it from abuse and attacks at scale without degrading service for real users?

system-design · Mid level · software-engineering

What the interviewer is really asking

Assesses layered, defense-in-depth thinking for a public API under hostile traffic — pushing protections to the edge (WAF, rate limiting, DDoS), strong authn/authz per client, and distinguishing abuse mitigation from blanket blocking that hurts real users.

What to say

What to avoid

Example answers

Strong: I'd defend in layers, starting at the edge. A WAF and DDoS protection in front of the API drops injection attempts and L7 floods, and edge rate-limiting (per IP and per API key) sheds volumetric abuse before it ever reaches my servers. Then every request authenticates — API keys or OAuth tokens scoped to least privilege — with per-key quotas so one client can't starve the rest, and I validate input against a schema to reject malformed or injection payloads. Crucially I'd separate abuse from heavy legit use: tiered limits per plan, a clean 429 with Retry-After rather than a hard ban, and per-client monitoring to spot scraping or credential stuffing without blanket-blocking shared IPs.

Weak: I'd put a rate limit on the API so no one can send too many requests, and block any IP that goes over the limit.

Want questions matched to your role? Paste a job title, job description, or CV and get a personalized set, or go Pro to unlock the full bank.