What are the best practices for protecting public REST APIs on Google App Engine and/or Kubernetes Engine from abuse? I intend to develop APIs that will be invoked from an Android App or a React Front End application.
I don't mind authorization via oauth2/google etc. Wondering how others are doing this... I would ideally like for some part of my website to be browsable for non-registered/anonymous users and would not like to impose google sign-on or registration at the very first step.
I am starting with something that is more or less a small hobby project for now. Would not want to incur huge costs because of abuse of public APIs.
I did a fair bit of research but could not conclude on a way forward. Any pointers will be much appreciated.
To limit access and abuse, and to set rate limits, quotas, (...), a software proxy is the solution. Apigee is expensive and very powerful.
An open source solution exists: ESP Endpoint. You can deploy it on App Engine or on Cloud Run and, through configuration, you can protect some parts of your application, do redirection/rewriting, set limits and quotas, ... I think this is for you.
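As an added example of the kind of configuration the answer refers to (not the answerer's own config, nor a snippet from the project): a Cloud Endpoints OpenAPI fragment that requires an API key on one public path and charges each call against a per-consumer-project, per-minute quota. The service host, project id and path are placeholders; the quota is enforced per API key, so the key the Android app or React front end embeds identifies the calling project, not an end user.

```yaml
# Added example: Cloud Endpoints (ESP) service config with an API-key gate
# and a per-minute quota on one operation. Host and project are placeholders.
swagger: "2.0"
info:
  title: hobby-api
  version: "1.0.0"
host: hobby-api.endpoints.PLACEHOLDER_PROJECT_ID.cloud.goog
schemes:
  - https

# Define the metric that quota is counted against, and the limit itself.
x-google-management:
  metrics:
    - name: "read-requests"
      displayName: "Read requests"
      valueType: INT64
      metricKind: DELTA
  quota:
    limits:
      - name: "read-requests-per-minute"
        metric: "read-requests"
        unit: "1/min/{project}"   # counted per consumer project (API key)
        values:
          STANDARD: 100           # 100 calls per minute per project

paths:
  /public/items:
    get:
      summary: List items visible to anonymous visitors
      operationId: listPublicItems
      # Every call costs 1 unit of the "read-requests" metric.
      x-google-quota:
        metricCosts:
          "read-requests": 1
      # An API key is required so ESP can attribute the call to a project.
      security:
        - api_key: []
      responses:
        "200":
          description: A list of items
        "429":
          description: Quota exceeded for this API key's project

securityDefinitions:
  api_key:
    type: apiKey
    name: key
    in: query
```

Requests without a valid key are rejected by the proxy before they reach the backend, and calls over 100/minute for a key's project get HTTP 429, which bounds the cost exposure the question is worried about.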