APIs security constraints

Hello,

Hope you are well. I want to deploy a self-hosted version of baserow.
I want to make sure of the security of the APIs.

  • I want to limit the number of APIs requests in a specific time window per IP?
  • How can I guarantee to prevent DDOS attack for the APIs?
  • Can I add authentication token with a dynamic expiration date?
  • What is the The maximum rows that can be fetched per request?

if that’s not applicable, Is there any SDK to use to generate my own APIs using Node JS or Python for example?

thanks

Hi @mmjazzar,

My apologies for the late response! You will find the answers to your questions below.

I want to limit the number of APIs requests in a specific time window per IP?

It’s currently not possible to limit API requests in Baserow directly. However, Baserow uses Django framework (https://www.djangoproject.com/) and Django REST Framework. Django REST framework offers throttling functionalities out of the box. More information can be found here: Throttling - Django REST framework. We use this in the hosted version of Baserow as well. The downside is that you do need to extend the base settings (backend/src/baserow/config/settings/base.py · develop · Bram Wiepjes / baserow · GitLab) and rebuild Baserow from scratch. You can’t use the existing pre-build images for that.

How can I guarantee to prevent DDOS attack for the APIs?

I don’t think anyone can prevent DDoS attacks. If the attacker has enough capacity, it will be block your server. However, there are service like Cloudflare DDoS protection (https://www.cloudflare.com/ddos/) that you could use.

Can I add authentication token with a dynamic expiration date?

It’s not possible to create a token (that has permissions) with an expiration date. Alternatively you could use the JWT authentication system to generate temporary tokens. Instead of providing a Authorization: Token XXXX header, you can then provide Authorization: JWT XXXX as header. These can be generated dynamically if you have the username and password of your account. A JWT token will automatically expire after an hour. More information can be found here: Baserow API spec.

What is the The maximum rows that can be fetched per request?

That’s 200 by default. The number can be changed via the BASEROW_ROW_PAGE_SIZE_LIMIT environment setting if you self host.

if that’s not applicable, Is there any SDK to use to generate my own APIs using Node JS or Python for example?

An SDK is not available, but because you have specific requirements regarding the API, you could consider setting up some sort of proxy service. This can be done by NGINX or some other services and you could route the API from there to Baserow. This will allow you to setup throttling and alternative authentication.

I hope that my answers were useful to you :slight_smile:

Best,
Bram

Hello, regards.
A question: What is the maximum number of rows that can be obtained per application in the HOSTED VERSION? Thanks a lot.