API Request Limit Question

I was attacked last night on my front-end, which has a separate project/API key (under the same account) from the back-end. I’m still trying to piece together what happened, as I don’t see very much in my server logs. A high number of requests, but not the nearly 700k eth_getBlockByNumber calls that Infura says I made.

Three questions:

  1. Does the rate limit span all “projects” under an account? I ask because even though the attack happened via project A, my error logs connected to project B started spitting out rate limit errors.
  2. What’s the recommended mitigation plan when one has a front-end with keys that are easily viewable, but necessary to facilitate web3 calls, to prevent someone from taking that key and just doing whatever they want with it? Route everything through your own back-end?
    2.b. I’ve since locked down the key with approved Contract Addresses, but the question remains: how do I stop someone from just spamming calls to my allowlist and putting me over the limit?
  3. Is it possible to get a breakdown on request protocol? http vs websocket?

Hi @EvilJordan! Hopefully, I can help with these questions:

  1. The rate limit is per project, not per account :slight_smile:
  2. If the legitimate calls are coming from a frontend website, you should check out the Origin allowlist in your dashboard. You can check out this blog post and the “Understanding Allowlist Behavior” section in our docs here.
  3. This and this blog post should give you the answers you need for this one!
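As an added example, not code from Infura or from either poster: the "route everything through your own back-end" option from question 2, with the key-protection the thread asks for done in the proxy itself. The provider key stays in the server process, the frontend only ever talks to the proxy, and the proxy enforces a JSON-RPC method allowlist, a contract-address allowlist for `eth_call`, and a per-client token-bucket limit so a single caller cannot push the whole project over its quota. The environment variable names `UPSTREAM_URL` and `UPSTREAM_KEY`, the allowlisted method and contract values, and the `--serve` flag are assumptions made for this example.

```javascript
// Added example (not Infura's code, not the original poster's): policy layer
// for a backend JSON-RPC proxy that keeps the provider key server-side.
// Assumptions: UPSTREAM_URL / UPSTREAM_KEY are placeholder variable names;
// the allowlists below are constructed sample values.

// Methods the frontend may relay; anything else (e.g. eth_getBlockByNumber
// floods) is rejected before it ever reaches the upstream provider.
const ALLOWED_METHODS = new Set(['eth_call', 'eth_blockNumber', 'eth_getBalance']);
// Lowercased contract addresses that eth_call may target (constructed sample).
const ALLOWED_CONTRACTS = new Set(['0x' + 'ab'.repeat(20)]);

// Token bucket per client: `capacity` requests, refilled at `refillPerSec`.
// The clock is injectable so the limiter can be tested deterministically.
class TokenBucket {
  constructor(capacity, refillPerSec, now = Date.now) {
    this.capacity = capacity;
    this.refillPerSec = refillPerSec;
    this.now = now;
    this.buckets = new Map(); // clientId -> { tokens, last }
  }
  take(clientId, n = 1) {
    const t = this.now();
    const b = this.buckets.get(clientId) || { tokens: this.capacity, last: t };
    b.tokens = Math.min(this.capacity, b.tokens + ((t - b.last) / 1000) * this.refillPerSec);
    b.last = t;
    const ok = b.tokens >= n;
    if (ok) b.tokens -= n;
    this.buckets.set(clientId, b);
    return ok;
  }
}

function err(code, message) { return { code, message }; }

// Validate one JSON-RPC request object. Returns null when it may be forwarded,
// otherwise a JSON-RPC error object the proxy sends back instead.
function checkRpc(req) {
  if (!req || typeof req !== 'object' || Array.isArray(req)) return err(-32600, 'invalid request');
  if (req.jsonrpc !== '2.0' || typeof req.method !== 'string') return err(-32600, 'invalid request');
  if (!ALLOWED_METHODS.has(req.method)) return err(-32601, 'method not allowed: ' + req.method);
  const params = Array.isArray(req.params) ? req.params : [];
  if (req.method === 'eth_call') {
    const to = params[0] && typeof params[0].to === 'string' ? params[0].to.toLowerCase() : '';
    if (!ALLOWED_CONTRACTS.has(to)) return err(-32602, 'contract not on allowlist');
  }
  return null;
}

// Decide whether a request body (single call or batch) from `clientId` may be
// forwarded. Batches are charged one token per element, so a 1000-item batch
// cannot be used to sidestep the limiter; one bad element rejects the batch.
function authorize(body, clientId, limiter) {
  const items = Array.isArray(body) ? body : [body];
  if (items.length === 0) return err(-32600, 'empty batch');
  if (!limiter.take(clientId, items.length)) return err(-32005, 'rate limit exceeded');
  for (const item of items) {
    const e = checkRpc(item);
    if (e) return e;
  }
  return null;
}

// Forward an authorized body upstream; the key never leaves this process.
async function forward(body) {
  const url = `${process.env.UPSTREAM_URL}/${process.env.UPSTREAM_KEY}`; // placeholder names
  const res = await fetch(url, {
    method: 'POST',
    headers: { 'content-type': 'application/json' },
    body: JSON.stringify(body),
  });
  return res.text();
}

// Minimal HTTP front for the policy layer. Only started on explicit request.
function startProxy(port, limiter = new TokenBucket(20, 5)) {
  const http = require('http');
  return http.createServer((req, res) => {
    let raw = '';
    req.on('data', (c) => { raw += c; });
    req.on('end', async () => {
      let body = null;
      try { body = JSON.parse(raw); } catch (_) { /* invalid JSON -> rejected below */ }
      // Coarse client identity; replace with an authenticated session id where one exists.
      const clientId = req.socket.remoteAddress;
      const e = authorize(body, clientId, limiter);
      res.setHeader('content-type', 'application/json');
      if (e) {
        res.statusCode = e.code === -32005 ? 429 : 400;
        const id = body && !Array.isArray(body) && body.id !== undefined ? body.id : null;
        res.end(JSON.stringify({ jsonrpc: '2.0', id, error: e }));
        return;
      }
      res.end(await forward(body));
    });
  }).listen(port);
}

if (typeof require !== 'undefined' && require.main === module && process.argv.includes('--serve')) {
  startProxy(8545);
}
```

Run it with `node proxy.js --serve` (with the two environment variables set) and point the frontend's web3 provider at `http://localhost:8545` instead of the provider URL; the key no longer appears in any client-visible bundle. The limiter is keyed on the remote address, which is deliberately crude: behind a load balancer it should use the forwarded client address or, better, an authenticated session, otherwise every user behind one NAT shares a bucket. An origin allowlist on the provider side (the answer's item 2) still belongs in place as defence in depth, since the `Origin` header only constrains browsers, not scripts.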