Appwrite comes packaged with tools to protect against various forms of abuse, like brute force attacks, data scraping, and many other common forms of abuse.
Rate limiting
Appwrite uses rate limits on some endpoints to avoid abuse or brute-force attacks against Appwrite's REST API. Each Appwrite route documentation has information about any rate limits that might apply to them.
Rate limits limit the number of requests a user or IP can make against an API within a period of time. Rate limits help protect against brute force attacks against authentication endpoints and other forms of API abuse like denial of service attacks.
Learn more about rate limits
Cross-origin resource sharing (CORS)
Appwrite limits who can make requests to Appwrite's APIs by default. This means that unless your app's domain is added to Appwrite as a platform, requests are rejected. By being explicit with the domains that are allowed to make requests to your Appwrite project, requests from JavaScript hosted on unknown domains will not be accepted.
You can add new platforms by navigating to Overview > Platforms > Add platform.
DDoS protection
Appwrite Cloud's infrastructure is protected with always-on DDoS protection. Appwrite's DDoS protection operates in Network (layer 3) and Transport (layer 4) layers. This protects Appwrite's infrastructure against volumetric attacks such as UDP floods, ICMP floods, TCP floods, and DNS reflection attacks, as well as protocol-layer attacks such as SYN floods, BGP attacks, and ping-of-death attacks.