© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-274526

CAT II (Medium)

The API Gateway must audit rate limiting events.

Rule ID

SV-274526r1143552_rule

STIG

Application Programming Interface (API) Security Requirements Guide

Version

V1R1

CCIs

CCI-000130

Discussion

The API Gateway must audit rate-limiting events to ensure robust security, performance, and compliance across all APIs it manages. Rate limiting is a critical mechanism for protecting APIs from abuse, such as denial-of-service (DoS) attacks or excessive resource consumption by malicious users. By auditing these events, the gateway can track and log each instance where a rate limit is exceeded, providing valuable insight into abnormal traffic patterns or attempts to bypass limits. This helps identify potential threats early, allowing for timely intervention. Additionally, auditing rate-limiting events supports detailed logging and reporting, which are essential for troubleshooting, performance monitoring, and ensuring fair usage of API resources.

Check Content

If an API Gateway is not in use, this is Not Applicable.

1. Access the API Gateway's configuration to verify rate limiting is enabled. The rate-limit configuration specifies how many requests are allowed per time period (e.g., 1000 requests per hour).

2. Verify rate-limiting events are configured to be logged. This includes events where a user exceeds their allowed request rate, triggering rate-limiting actions.

3. After triggering rate-limiting events, check the API's audit or access logs. Entries should:
- Indicate when a rate limit was exceeded.
- Include details about the API key or user who exceeded the limit.
- Provide the rate-limiting threshold (e.g., "rate limit exceeded: 1000 requests per hour").
- Mention the specific API endpoint that was accessed.

4. Test the API to verify it behaves correctly when a rate limit is exceeded. For example, the API should return an appropriate status code (e.g., HTTP 429 Too Many Requests).

5. Check the API Gateway logs to determine if the gateway logs rate-limiting events properly, including identifying when the threshold is exceeded and what actions are taken (e.g., temporary block).

6. Review the organization's security policies to ensure rate-limiting events are properly audited as per requirements.

If the API Gateway is not auditing rate-limiting events, this is a finding.

Fix Text

Build or configure the API Gateway to enforce rate limits and log these events, including the thresholds for triggering rate limiting.
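The following is an added example, not DISA text or any gateway vendor's code: a minimal fixed-window limiter that records the details step 3 of the Check Content asks for (when, who, threshold, endpoint, action) on every rate-limit event, plus a checker that audits parsed log entries for those fields. The limit of 5 requests, the key names, and the function names are assumptions chosen for the demonstration.

```python
import time
from collections import defaultdict

# Constructed demo values, not values from the SRG. The check text's own
# example threshold is 1000 requests per hour; a small limit shows the
# rejection path quickly.
LIMIT = 5               # requests allowed per window
WINDOW_SECONDS = 3600   # one hour, matching the check text's example

AUDIT_LOG = []                   # stand-in for the gateway's audit sink
_counters = defaultdict(int)     # (api_key, window_start) -> request count

def _window_start(now):
    return int(now // WINDOW_SECONDS) * WINDOW_SECONDS

def handle_request(api_key, endpoint, now=None):
    """Return an HTTP status for one request; audit rate-limit events."""
    now = time.time() if now is None else now
    key = (api_key, _window_start(now))
    _counters[key] += 1
    if _counters[key] <= LIMIT:
        return 200
    # Record every detail the check procedure expects to find in the log:
    # when the limit was exceeded, who exceeded it, the threshold, the
    # endpoint, and the action the gateway took (HTTP 429).
    AUDIT_LOG.append({
        "event": "rate_limit_exceeded",
        "timestamp": now,
        "api_key": api_key,
        "threshold": f"{LIMIT} requests per {WINDOW_SECONDS} seconds",
        "endpoint": endpoint,
        "action": "reject",
        "status": 429,
    })
    return 429

REQUIRED_FIELDS = ("timestamp", "api_key", "threshold", "endpoint", "action")

def audit_entry_is_complete(entry):
    """Step-3 check: does one audit entry carry every required detail?"""
    return all(entry.get(f) not in (None, "") for f in REQUIRED_FIELDS)

def audit_log_is_compliant(entries):
    """Return (ok, indexes of incomplete rate-limit entries)."""
    problems = [i for i, e in enumerate(entries)
                if e.get("event") == "rate_limit_exceeded"
                and not audit_entry_is_complete(e)]
    return (len(problems) == 0, problems)
```

Calling handle_request("key-A", "/v1/orders", t) more than LIMIT times within one window yields 429 and appends a complete audit entry; audit_log_is_compliant flags any rate-limit entry missing a required field.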