How to fix Lack of Resources & Rate Limiting in .NET 8 Web API
Executive Summary
Unbounded endpoints are a playground for resource exhaustion (OWASP API Security Top 10 2019, API4: Lack of Resources & Rate Limiting). Without rate limiting, an attacker can script thousands of concurrent requests against expensive endpoints (a full-table search, a bcrypt-heavy login) and achieve a Denial of Service (DoS) by pinning the CPU or draining the database connection pool, all without a single malformed request. .NET 8 ships rate limiting middleware in the framework, so leaving compute-heavy endpoints unthrottled is a gap with no tooling excuse.
The Vulnerable Pattern
```csharp
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

[ApiController]
[Route("api/[controller]")]
public class DataController : ControllerBase
{
    private readonly AppDbContext _db;
    public DataController(AppDbContext db) => _db = db;

    [HttpGet("search")]
    public async Task<IActionResult> Search(string query)
    {
        // VULNERABILITY: No rate limiting or request throttling.
        // An attacker can spam this heavy LINQ query to exhaust DB connections
        // (Contains on an unindexed text column forces a full scan per request).
        var results = await _db.LargeTable
            .Where(x => x.Description.Contains(query))
            .ToListAsync();
        return Ok(results);
    }
}
```
The Secure Implementation
The secure implementation uses the Microsoft.AspNetCore.RateLimiting middleware introduced in .NET 7 and carried forward into .NET 8. We define a fixed-window policy named 'api-policy' that permits 10 requests every 10 seconds. Setting QueueLimit to 0 means excess requests are rejected immediately with 429 Too Many Requests instead of being queued in memory, which would itself consume server resources under load. One caveat: AddFixedWindowLimiter creates a single partition, so this budget is shared by every caller. It stops the server from being overrun, but one abusive client can exhaust the shared allowance and lock out legitimate users; where that matters, partition the limiter per user or client IP with AddPolicy and RateLimitPartition. The [EnableRateLimiting] attribute binds the policy to endpoints: placed on the controller class, as below, it covers every action in that controller, or it can be placed on an individual action. app.UseRateLimiter() must run after routing (which WebApplication wires up implicitly) so the middleware can read each endpoint's policy metadata.
```csharp
// Program.cs configuration
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.RateLimiting;
using Microsoft.EntityFrameworkCore;
using System.Threading.RateLimiting;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;
    options.AddFixedWindowLimiter("api-policy", opt =>
    {
        opt.PermitLimit = 10;                                        // Max 10 requests
        opt.Window = TimeSpan.FromSeconds(10);                       // Per 10 seconds
        opt.QueueProcessingOrder = QueueProcessingOrder.OldestFirst;
        opt.QueueLimit = 0;                                          // Drop immediately if limit exceeded
    });
});

var app = builder.Build();
app.UseRateLimiter();   // after implicit routing, before the endpoints run
app.MapControllers();
app.Run();

// Controller implementation
[ApiController]
[Route("api/[controller]")]
[EnableRateLimiting("api-policy")]   // applies to every action in this controller
public class DataController : ControllerBase
{
    private readonly AppDbContext _db;
    public DataController(AppDbContext db) => _db = db;

    [HttpGet("search")]
    public async Task<IActionResult> Search(string query) =>
        Ok(await _db.LargeTable.Where(x => x.Description.Contains(query)).ToListAsync());
}
```
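The single AddFixedWindowLimiter policy above keeps one counter for the whole application, so an attacker who burns the 10-request budget also locks out everyone else. As an added example that is not part of the original article, the following Program.cs partitions the same fixed-window limit per caller (authenticated user name, falling back to remote IP), returns a Retry-After header on rejection, and exempts a cheap endpoint from the policy. The policy name 'per-client', the 'ping' action and the header value are assumptions for illustration; AppDbContext and LargeTable are the article's own types.

```csharp
// Program.cs (added example, not the article's code): per-client partitions and Retry-After.
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.RateLimiting;
using Microsoft.EntityFrameworkCore;
using System.Threading.RateLimiting;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

builder.Services.AddRateLimiter(options =>
{
    options.RejectionStatusCode = StatusCodes.Status429TooManyRequests;

    // "per-client" is an assumed policy name. Each caller gets its own fixed-window
    // counter, so one abusive client cannot consume the budget of everyone else.
    options.AddPolicy("per-client", httpContext =>
    {
        // Prefer the authenticated identity; fall back to the remote IP for anonymous
        // callers. Behind a reverse proxy, configure ForwardedHeaders first, otherwise
        // every caller shares the proxy's address and lands in one partition.
        string key = httpContext.User.Identity is { IsAuthenticated: true, Name: { } name }
            ? name
            : httpContext.Connection.RemoteIpAddress?.ToString() ?? "unknown";

        return RateLimitPartition.GetFixedWindowLimiter(key, _ => new FixedWindowRateLimiterOptions
        {
            PermitLimit = 10,                      // 10 requests ...
            Window = TimeSpan.FromSeconds(10),     // ... per 10 seconds, per partition
            QueueLimit = 0,                        // reject rather than buffer excess requests
            AutoReplenishment = true
        });
    });

    // Tell well-behaved clients when to retry. The fixed-window limiter exposes the
    // remaining window time as lease metadata; copy it into the Retry-After header.
    options.OnRejected = async (context, cancellationToken) =>
    {
        if (context.Lease.TryGetMetadata(MetadataName.RetryAfter, out TimeSpan retryAfter))
        {
            context.HttpContext.Response.Headers.RetryAfter =
                ((int)Math.Ceiling(retryAfter.TotalSeconds)).ToString();
        }
        await context.HttpContext.Response.WriteAsync("Too many requests.", cancellationToken);
    };
});

var app = builder.Build();
app.UseRateLimiter();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
[EnableRateLimiting("per-client")]   // every action in this controller is throttled per caller
public class DataController : ControllerBase
{
    private readonly AppDbContext _db;   // the article's EF Core context
    public DataController(AppDbContext db) => _db = db;

    [HttpGet("search")]
    public async Task<IActionResult> Search(string query) =>
        Ok(await _db.LargeTable.Where(x => x.Description.Contains(query)).ToListAsync());

    // Cheap endpoint (assumed for illustration): exempt it so a throttled client can
    // still see that the API is up without spending its search budget.
    [HttpGet("ping")]
    [DisableRateLimiting]
    public IActionResult Ping() => Ok("pong");
}
```

Partitioning by remote IP is a pragmatic default, but shared NATs and proxies fold many users into one partition and a botnet spreads across many; pair the per-client policy with a global limiter (options.GlobalLimiter) sized to what the database can actually sustain if you need a hard ceiling as well.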
Verified by Ghost Labs Security Team
This content is continuously validated by our automated security engine and reviewed by our research team. Ghost Labs analyzes over 500+ vulnerability patterns across 40+ frameworks to provide up-to-date remediation strategies.