I was attacked last night on my front-end, which has a separate project/API key (under the same account) from the back-end. I’m still trying to piece together what happened, as I don’t see very much in my server logs. A high amount of requests, but not the nearly 700k eth_getBlockByNumber that Infura says I made.
Three questions:
1. Does the rate limit span all “projects” under an account? I ask because, even though the attack happened via project A, my error logs connected to project B started spitting out rate limit errors.
2. What’s the recommended mitigation plan when one has a front-end with keys that are easily viewable, but necessary to facilitate web3 calls, to prevent someone from taking that key and just doing whatever they want with it? Route everything through your own back-end?
   2.b. I’ve since locked down the key with approved Contract Addresses, but the question remains: how do I stop someone from just spamming calls to my allowlist and putting me over the limit?
3. Is it possible to get a breakdown on request protocol? HTTP vs WebSocket?