Api Rate Abuse in Chi with Mutual Tls
Api Rate Abuse in Chi with Mutual Tls — how this specific combination creates or exposes the vulnerability
Rate abuse in API security refers to excessive or automated use of an endpoint that overwhelms backend capacity, degrades service, or enables denial-of-service conditions. When an API is deployed in a Chi-based Elixir application with Mutual TLS (mTLS) enabled, the presence of TLS client certificate validation can alter how abuse is detected and mitigated, but it does not inherently prevent rate-based attacks.
In Chi, mTLS is typically enforced at the connection or plug level before requests reach your route handlers. This means the TLS layer validates the client certificate and establishes identity, but the rate-limiting logic still operates on HTTP requests that have already been accepted by the connection. If rate limiting is applied after mTLS verification, an attacker who presents a valid certificate can still generate a high volume of authenticated-looking requests, bypassing IP-based or network-level throttling that might otherwise block unauthenticated traffic.
Another dimension involves resource exhaustion. mTLS handshakes are computationally heavier than plain TLS, increasing CPU usage per connection. An attacker can exploit this by initiating many concurrent TLS handshakes with valid certificates, consuming worker processes or scheduler quota in the BEAM, which indirectly facilitates rate abuse by degrading system responsiveness. Even with valid client certificates, endpoints without explicit rate limits can be hammered, leading to elevated latency or timeouts for legitimate users.
Operational visibility is also affected. Standard logging and telemetry in Chi may show requests as authenticated once mTLS succeeds, making it harder to distinguish legitimate traffic from abusive patterns without additional instrumentation. Without correlating certificate subject information with request rates, operators might miss slow, low-volume abuse that avoids triggering simple threshold-based protections.
Finally, because mTLS ensures client identity, developers may assume stronger security and reduce other protections. However, rate abuse mechanisms must still be applied at the application layer in Chi using plugs like Guardian.Plug for authentication-backed rate limiting or custom plugs that track certificate fingerprints alongside request counts. Relying solely on mTLS for abuse prevention creates a false sense of security, as authenticated clients can still violate acceptable usage policies.
Mutual Tls-Specific Remediation in Chi — concrete code fixes
To address rate abuse in Chi while using Mutual TLS, you should combine mTLS enforcement with explicit rate-limiting logic that considers authenticated client identity. Below are concrete, syntactically correct examples demonstrating how to implement this in a Chi application.
1. Enforce Mutual TLS in a Chi pipeline
The following pipeline ensures that only clients with valid certificates are allowed to proceed. This setup uses Plug.SSL to require and verify client certificates, and then attaches the certificate subject to the connection assigns for downstream use.
defmodule MyAppWeb.Endpoint do
use Plug.Router
plug Plug.SSL,
certfile: "path/to/cert.pem",
keyfile: "path/to/key.pem",
verify: :verify_peer,
cacertfile: "path/to/ca.pem",
depth: 1,
customize_hostname_check: [match_fun: :public_key.pkix_verify_hostname_match_fun(:https)]
plug :assign_client_cert_info
plug Plug.Parsers, parsers: [:json]
plug Plug.Router
defp assign_client_cert_info(conn, _opts) do
if cert = conn.socket.ssl_cert do
# Extract subject or serial for identification and rate-key generation
subject = :public_key.pkix_decode_cert(cert, :otp) |> get_subject_field()
assign(conn, :client_cert_subject, subject)
else
# Reject if no client cert (should not happen due to verify: :verify_peer)
halt conn |> Plug.Conn.put_resp_header("content-type", "application/json") |> Plug.Conn.send_resp(403, Jason.encode!(%{error: "missing client certificate"}))
end
end
# Helper to extract subject fields (example stub)
defp get_subject_field(decoded) do
# Implement extraction of CN or O from decoded cert as needed
"example_subject"
end
end
2. Apply rate limiting keyed by client certificate identity
Use a rate-limiting plug that leverages the certificate subject assigned in the pipeline. This ensures each unique client certificate is tracked separately, preventing a single certificate from exhausting endpoint capacity.
defmodule MyAppWeb.RateLimit do
@max_requests 100
@interval 60_000 # 1 minute in milliseconds
def call(conn, _opts) do
subject = conn.assigns[:client_cert_subject]
key = {subject, conn.request_path}
case :ets.lookup(:rate_table, key) do
[{^key, count, last_ts}] when System.monotonic_time(:millisecond) - last_ts < @interval ->
if count > @max_requests do
halt conn |> Plug.Conn.put_resp_header("content-type", "application/json") |> Plug.Conn.send_resp(429, Jason.encode!(%{error: "rate limit exceeded"}))
else
:ets.insert(:rate_table, {key, count + 1, last_ts})
conn
end
_ ->
:ets.insert(:rate_table, {key, 1, System.monotonic_time(:millisecond)})
conn
end
end
end
3. Integrate into your Chi router
Add the rate-limiting plug after SSL and authentication steps in your route pipeline to enforce limits per authenticated client.
defmodule MyAppWeb.Router do
use ChiRouter
pipeline :api do
plug Plug.SSL,
certfile: "path/to/cert.pem",
keyfile: "path/to/key.pem",
verify: :verify_peer,
cacertfile: "path/to/ca.pem"
plug :assign_client_cert_info
plug MyAppWeb.RateLimit
plug Plug.Parsers, parsers: [:json]
end
get "/protected", ApiController, :index, []
end
4. Use ETS for in-memory rate tracking (setup)
Initialize an ETS table for rate tracking in your application start routine.
# In application.ex or a supervisor child
:ets.new(:rate_table, [:named_table, :public, :set])
These examples ensure that rate abuse is mitigated even when mTLS provides authenticated sessions. By tying rate limits to certificate identity and request paths, you reduce the risk of authenticated DoS or credential-free abuse.