API rate limiting

[franksc]

There should be a rate or connection limit for incoming API requests, to guard against:

• overenthusiastic or malicious clients spamming requests
• accepting more requests/workload than pool of API instances can reliably handle

[franksc]

This only limits the total number of connections at a point in time, rather than guarding against individual clients making too many connections. Rate limiting (n requests per second/minute) should be applied at the API instance level.

[franksc]

Adding nginx (port 80) in front of API service (move from port 80 to 8000) has allowed for simple per-origin rate limiting