IP Limitations for API access provide a false sense of security

Is there any chance the web API IP limit can be removed or set to “infinite”? Currently trying to modernize my key generation tools but the IP limit is restricting me from running on any modern server stack that is considered “serverless”, which has rotating IPs.

I have seen a couple other posts regarding this topic, and I have a few thoughts on the subject - please hear me out.

Restricting by IP does not really add any additional security protocols. It's an arbitrary and archaic form of security that fills a void left by customers who can't protect their own code from malicious intent. This option should be opt-in, not required.

A user could easily create poorly written code and still make their API calls insecure at their own level. There is a false sense of security that running API calls from a couple IPs would actually protect malicious behavior.

API keys are where security comes into play - no one can or should be able to access any licensing information unless the proper API key is provided. This is standard practice. This makes blocking by IP redundant. Sure, API keys can be lost, but IPs can be spoofed all the same.

Serverless stacks are actually considered safer due to rotating IPs; you have stated yourself that wyday uses this same type of stack for its own website.

Blocking by IP is restricting your customers from using modern technologies that would actually end up being more secure, convenient, and cheaper.

Please re-consider this restriction.

Thanks.

Answer

Serverless stacks are actually considered safer due to rotating IPs, you have stated yourself that wyday uses this same type of stack for its own website.

We don't use “serverless”. Why? Well, (a) because it's crazy expensive for what you get and (b) because it's more secure to have full control over our servers and the code that runs on it.

We do run “behind” a couple different DDoS services. But that just makes the “advertised” IP a handful from a pool. The outbound IPs are a couple per server.

Meaning, if we were a typical consumer of the LimeLM web API (i.e. if we weren't LimeLM, but a customer of LimeLM) we would be able to use it with plenty of room to spare.

Blocking by IP is restricting your customers from using modern technologies that would actually end up being more secure.

We already do use a variety of methods to secure your data and your customers' data. Most of it is behind the scenes. The API IP limiting is one of the few security methods that is visible to our customers.

Yes, it's effective (we have data on it). No, we're not changing it. We've already loosened it beyond its original limitation of one IP per API key. Now you can have up to 3 IPs per API key.

This is what “taking security seriously” looks like. Doing “the thing” if it's proven to provide more security even if it's annoying for a handful of use-cases. Anyway, everything in that blog post announcing the change still stands.

Google your particular “serverless” company for how to do static outbound IPs. They all have a variation on it.
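To make the mechanism the two posts are arguing about concrete, here is an added example (not LimeLM's or wyday's code) of how an API server can layer a per-key IP allowlist on top of the API key itself, using the thread's "up to 3 IPs per API key" rule. The key store, the keys and the addresses are constructed for the example; the point it demonstrates is the defence-in-depth one from the answer: a leaked key presented from an address that is not on the key's list is refused.

```python
"""Added example: API-key check plus per-key IP allowlist (constructed data)."""
import hashlib
import hmac
import ipaddress

MAX_IPS_PER_KEY = 3  # the limit stated in the thread


def _key_digest(api_key: str) -> str:
    """Store a hash of the key, not the key, so a read-only leak of the table
    does not hand out usable credentials."""
    return hashlib.sha256(api_key.encode()).hexdigest()


# Constructed store: key digest -> set of allowlisted source addresses.
KEY_STORE = {
    _key_digest("example-key-aaaa"): {"203.0.113.10", "203.0.113.11"},
}


def register_ip(key_store: dict, api_key: str, ip: str) -> bool:
    """Add an allowlisted address for a key; enforce the 3-address cap.
    Returns True if the address is (now) on the list, False if the cap blocks it.
    Raises ValueError for input that is not an IP address."""
    addr = str(ipaddress.ip_address(ip))  # normalises and validates
    entry = key_store.setdefault(_key_digest(api_key), set())
    if addr in entry:
        return True
    if len(entry) >= MAX_IPS_PER_KEY:
        return False
    entry.add(addr)
    return True


def authorize(key_store: dict, api_key: str, source_ip: str):
    """Return (allowed, reason). The key must be known AND the request must
    arrive from one of that key's allowlisted addresses."""
    digest = _key_digest(api_key)
    # Constant-time comparison against each stored digest.
    match = next((h for h in key_store if hmac.compare_digest(h, digest)), None)
    if match is None:
        return False, "unknown api key"
    try:
        addr = str(ipaddress.ip_address(source_ip))
    except ValueError:
        return False, "malformed source address"
    if addr not in key_store[match]:
        # Valid key, wrong origin: this is the case the allowlist exists for.
        return False, "source ip not allowlisted for this key"
    return True, "ok"


if __name__ == "__main__":
    print(authorize(KEY_STORE, "example-key-aaaa", "203.0.113.10"))
    print(authorize(KEY_STORE, "example-key-aaaa", "198.51.100.7"))
```

The source address fed to `authorize` must be the one the server actually trusts: the TCP peer address, or the address a proxy or DDoS layer you control stamps into a header, never a client-supplied `X-Forwarded-For` value, because the allowlist is only as strong as the address it checks. Running on an outbound-NAT or static-egress setup, as the answer suggests, is what keeps a serverless client's traffic on a small, registrable set of addresses.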