Api Rate Abuse in Phoenix with Mutual Tls

Rate abuse in Phoenix becomes more complex when Mutual TLS (mTLS) is enforced because both transport-layer identity and application-level rate controls must be considered together. mTLS verifies client certificates, which can establish strong identity, but it does not inherently enforce request-rate limits. An attacker who possesses a valid certificate (for example, a compromised client credential or a stolen certificate issued by a trusted CA) can still flood endpoints, exhausting server resources or triggering cascading failures. This is a BFLA/Privilege Escalation and Rate Limiting check in middleBrick: the scan tests whether rate controls are applied per identity and whether unauthenticated or weakly authenticated paths remain unprotected.

In a typical Phoenix setup using Plug.SSL and Guardian or similar libraries, mTLS is often implemented at the connection level (e.g., via Cowboy options) before requests reach your router. If rate limiting is applied only at the application layer (e.g., with Hammer or Con_cache) without tying limits to the certificate identity, a client can open many connections with different valid certs and still saturate the service. Conversely, if you rate-limit only by IP, an attacker behind a shared gateway or using certificate rotation can bypass controls. middleBrick’s 12 security checks run in parallel and will flag missing per-certificate rate enforcement as a finding under Rate Limiting and BFLA/Privilege Escalation.

Consider a Phoenix pipeline that authenticates via client cert and retrieves a principal, but the rate limiter is keyed only by IP. An attacker who rotates client certificates while keeping the same source IP can exceed thresholds. Even if you store certificate serial or subject in the rate key, you must ensure the limit is applied before expensive operations (e.g., JWT verification or DB calls). middleBrick tests these scenarios by probing endpoints with and without valid mTLS, checking whether responses differ in status, headers, or timing, and whether rate headers are present and consistent across authenticated contexts.

Data exposure can also be amplified under mTLS abuse: if rate-limited endpoints leak information via timing differences or error messages, an attacker can infer whether a certificate is accepted or rejected, aiding further exploitation. Ensure your pipeline returns consistent status codes and headers regardless of certificate validity, and enforce rate limits early in the connection pipeline. Use Plug-based rate limiting tied to a stable identity derived from the certificate, and validate that your OpenAPI/Swagger spec documents the security scheme so that middleBrick’s spec analysis can cross-reference runtime behavior.

To secure Phoenix with mTLS and prevent rate abuse, tie rate limits to the certificate identity and enforce limits before routing or business logic. Below are concrete, realistic code examples.

First, configure Cowboy to request client certificates and validate them in your endpoint module:

defmodule MyApp.Endpoint do
  use Phoenix.Endpoint, otp_app: :my_app

  # Ensure Cowboy opts include client verification
  def init(_type, config) do
    {:ok,
     Keyword.merge(config, [
       cipher_suite: :strong,
       certfile: "path/to/server.pem",
       keyfile: "path/to/server.key",
       cacertfile: "path/to/ca.pem",
       verify: :verify_peer,
       fail_if_no_peer_cert: true
     ])}
  end
end

Next, extract a stable identity from the client certificate in a plug and use it for rate limiting. For example, using the subject’s common name or a serial:

defmodule MyApp.MtlsIdentityPlug do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    case conn.status do
      # If the cert was verified by Cowboy, the peer cert is available
      _ when conn.private[:ssl_peer_cert] ->
        cert = conn.private[:ssl_peer_cert]
        identity = extract_identity(cert)
        # Store identity for downstream plugs and rate limiter
        assign(conn, :mtls_identity, identity)
      _ ->
        # No client cert — keep as unauthenticated for separate handling
        conn
    end
  end

  defp extract_identity(cert) do
    {:OTPTLSCredentials, _, _, _, _, subject} = :public_key.pkix_path_validation(cert, [])
    # Simplified; in practice, parse subject or serial properly
    subject
  end
end

Now implement a per-identity rate limiter. Using the :hammer library with a GenServer backend, key by the certificate identity:

defmodule MyApp.RateLimit do
  @limit 30
  @period 60_000

  def check_and_record(identity) do
    case Hammer.check_rate({"mtls_rate", identity}, @period, @limit) do
      {:allow, _} -> :ok
      {:deny, _} -> :error
    end
  end
end

defmodule MyApp.RateLimitPlug do
  import Plug.Conn

  def init(opts), do: opts

  def call(conn, _opts) do
    identity = conn.assigns[:mtls_identity] || conn.remote_ip |> to_string()
    case MyApp.RateLimit.check_and_record(identity) do
      :ok -> conn
      :error -> conn |> send_resp(429, "Too Many Requests") |> halt()
    end
  end
end

Insert these plugs early in your pipeline, before any expensive work, and ensure they run for all relevant routes. Combine with standard security headers and consistent error responses to avoid leaking certificate validity information. middleBrick’s GitHub Action can validate that your CI pipeline fails if a build introduces a regression in rate-limiting behavior, while the CLI can be run locally with middlebrick scan <url> to confirm per-identity enforcement. For teams using the Pro plan, continuous monitoring will alert you if rate patterns deviate, and the MCP Server lets you scan APIs directly from your IDE during development.