Using Power Pages Web Application Firewall to Rate Limit Web API Calls

In some scenarios where you have a custom Power Pages website that uses the Web API for specific pieces of functionality, you might want to add rate limiting so that users cannot overuse the API (for example, by writing a script that abuses it and running it from the browser developer tools).

Enable Web Application Firewall

To enable WAF for your site, you need to have the CDN enabled. See the following articles for the steps:

Content Delivery Network – Microsoft Learn

Configure Web Application Firewall for Power Pages – Microsoft Learn

Create the rule

Once the WAF is enabled, you can create a rule as shown below. In this instance, we rate-limit Web API calls to the contacts table only:

In the example above, we create a rule of the Rate limit type, which imposes a limit on the number of calls per minute. For demonstration purposes, we allow only 50 calls per minute (this may be too low for real-world scenarios).

To match the API endpoint, we use the Request URI match type and set it to the path of the contacts table on the Web API (/_api/contacts).

Note: to rate-limit every Web API call instead of just one table, use the path /_api.

Testing the Rate Limit

On a Power Pages page where you have added the Web API wrapper code, and assuming you have enabled the contacts table for the Web API, open the browser developer tools (F12) and go to the Console tab:

Paste and run the following code (it attempts 70 dummy Web API calls in a loop):

// The signed-in user's contact id, exposed by Power Pages on the page.
var myUserId = window.Microsoft.Dynamic365.Portal.User.contactId;

// Fire 70 GET requests at the contacts endpoint; webapi.safeAjax is the
// Web API wrapper added to the page, and all calls are sent at once.
for (var j = 0; j < 70; j++) {
    webapi.safeAjax({
        type: "GET",
        url: `/_api/contacts(${myUserId})?$select=contactid,fullname,emailaddress1`,
        contentType: "application/json",
        headers: {
            "Prefer": "odata.include-annotations=*"
        },
        success: function (data, textStatus, xhr) {
            // Calls under the limit return the contact record.
            console.log("success:");
            console.log(data);
        },
        error: function (xhr, textStatus, errorThrown) {
            // Calls over the limit are blocked by the WAF; inspect xhr.status.
            console.log("error:");
            console.log(xhr);
        }
    });
}

Looking at the developer tools log, we can see that the initial calls get the success output but, from a certain point on, they are throttled as expected:
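The loop above fires all calls at once and leaves you to count the console output by eye. As an added example (not code from the original post), the harness below sends the calls one after another, records each HTTP status and reports how many calls succeeded before the WAF started blocking, so the effective limit can be measured. It assumes the block action answers with 403 or 429 (adjust BLOCKED_STATUSES to what your site returns) and that a plain same-origin fetch GET to /_api/contacts is accepted; the fake sender is constructed for offline use.

```javascript
// Statuses treated as "blocked by the rate limit" (assumption: the WAF block
// action answers with 403 or 429; adjust to what your site actually returns).
const BLOCKED_STATUSES = new Set([403, 429]);

// Summarise an array of HTTP status codes in the order the calls were made.
function summarizeRateLimitTest(statuses) {
  let succeeded = 0;
  let blocked = 0;
  let firstBlockedIndex = -1;
  statuses.forEach((status, i) => {
    if (status >= 200 && status < 300) {
      succeeded++;
    } else if (BLOCKED_STATUSES.has(status)) {
      blocked++;
      if (firstBlockedIndex === -1) firstBlockedIndex = i;
    }
  });
  return { total: statuses.length, succeeded, blocked, firstBlockedIndex };
}

// Send `count` requests sequentially and return the summary. Sequential
// sending keeps the order well defined, which matters when reading the
// first-blocked position; the console loop above fires them all at once.
async function runRateLimitProbe(sendRequest, count) {
  const statuses = [];
  for (let i = 0; i < count; i++) {
    statuses.push(await sendRequest(i));
  }
  return summarizeRateLimitTest(statuses);
}

// Browser sender: hits the contacts endpoint the rule matches (/_api/contacts)
// with a same-origin fetch instead of the portal's webapi wrapper (assumption:
// a GET on an enabled table needs no extra headers).
function portalSender(contactId) {
  return async () => {
    const res = await fetch(`/_api/contacts(${contactId})?$select=fullname`, {
      headers: { Accept: "application/json" },
      credentials: "same-origin",
    });
    return res.status;
  };
}

// Constructed fake sender for offline use: allows the first `limit` calls,
// then answers 429 like a throttling WAF would.
function fakeSender(limit) {
  let calls = 0;
  return async () => (calls++ < limit ? 200 : 429);
}
```

In the browser, `runRateLimitProbe(portalSender(window.Microsoft.Dynamic365.Portal.User.contactId), 70).then(console.log)` prints the summary; offline, `runRateLimitProbe(fakeSender(50), 70)` reports 50 succeeded and the first block at index 50.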

Conclusion

The purpose of this post was to illustrate how you can use the Power Pages Web Application Firewall to add custom rate limits to API calls. However, this needs to be evaluated carefully before a real-world implementation.

As the Power Pages Web Application Firewall is based on Azure Web Application Firewall, keep in mind that, as in Azure, the rate limits are keyed on the client IP address. Normally that address belongs to the user, but it might also belong to a proxy server. This means that multiple clients with different IP addresses each get their own rate limit, whereas multiple users sharing a proxy server's IP address have the rate limit applied to them collectively.

References

Content Delivery Network – Microsoft Learn

Configure Web Application Firewall for Power Pages – Microsoft Learn

Rate limiting policies – Microsoft Learn
