I'm writing a REST API which doesn't require any authentication. How can I restrict a browser to a particular number of requests in a day? Also, how can I differentiate whether a call is from a browser or called through a program?
For your first question, look into a rate limiter such as this: github.com/jhurliman/node-rate-limiter - there are more.
Second question - get access to the user-agent on the incoming request. A lib like this will help: github.com/biggora/express-useragent
I don't know if I'm supposing too much, but maybe that "rate-limit" logic can be set on the load balancer (if you use any of them on your setup), so you don't actually need to add specific logic to your Node.js server and complicate things.
Some links:
Edit: I did not see the Node tag there, so I will remove the part of my answer in PHP. Sorry!
If you want to identify if the call is from JS:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36
You can use one or all of the above points and combine them with the host name if you want. These are some points that came to my mind, and I am sure there are many, many more.
BUT, if you are not really offering some secure information (about people's identities), please let people scrape your website as they want, because the internet is a free environment. A tech-savvy person can circumvent almost 99% of the measures taken. And DDoS is really, really difficult to prevent after all.
TheSheriff
Co-Founder, Founder, Entrepreneur & Problem Solver
Can you elaborate a bit more on your second question? Call? As in WebRTC?
For the first part, you could set a cookie/something in storage to check, or you can keep a DB of IP addresses and check/update requests per IP.
Neither is a great solution, as they can easily be navigated around, so I would suggest requiring users to be logged in so you have associated accounts with requests.
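The per-IP request counting suggested in the answers above, as an added example that is not code from any of the posters. It assumes an Express app and a single server process (counts are held in memory); `DailyQuota` and `dailyLimit` are hypothetical names.

```javascript
// Added example: per-client daily quota keyed by IP address.
// Assumption: one Node.js process; use a shared store once there are several.
const DAY_MS = 24 * 60 * 60 * 1000;

class DailyQuota {
  constructor(limit) {
    this.limit = limit;
    this.counts = new Map(); // key -> { day, used }
  }

  // Records one request from `key`; returns { allowed, remaining, resetAt }.
  check(key, now = Date.now()) {
    const day = Math.floor(now / DAY_MS); // UTC day number, window resets at 00:00 UTC
    let entry = this.counts.get(key);
    if (!entry || entry.day !== day) {
      entry = { day, used: 0 };
      this.counts.set(key, entry);
    }
    const resetAt = (day + 1) * DAY_MS;
    if (entry.used >= this.limit) {
      return { allowed: false, remaining: 0, resetAt };
    }
    entry.used += 1;
    return { allowed: true, remaining: this.limit - entry.used, resetAt };
  }

  // Drops entries from earlier days so the map does not grow without bound.
  sweep(now = Date.now()) {
    const day = Math.floor(now / DAY_MS);
    for (const [key, entry] of this.counts) {
      if (entry.day !== day) this.counts.delete(key);
    }
    return this.counts.size;
  }
}

// Express-style middleware: req.ip, res.set and res.status are Express APIs.
function dailyLimit(quota) {
  return (req, res, next) => {
    const r = quota.check(req.ip);
    res.set("X-RateLimit-Remaining", String(r.remaining));
    if (!r.allowed) {
      res.set("Retry-After", String(Math.ceil((r.resetAt - Date.now()) / 1000)));
      return res.status(429).json({ error: "daily request limit reached" });
    }
    next();
  };
}
```

Behind a load balancer or reverse proxy, `req.ip` is only the real client address when Express's `trust proxy` setting matches the deployment; otherwise every client shares the proxy's address and one quota.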