Suggestions for restricting certain REST API calls

We had a situation where a user initiated an ‘/api/Spaces-1/Variables’ REST API call without specifying an ID. The Octopus service on the node handling the request started consuming memory to the point where there was no free memory left. The service became unresponsive and ultimately had to be recycled.

We’re hoping to identify a way to restrict specific calls like ‘variables’ or ‘tasks’ in the platform (we could do it at the load balancer, but that doesn’t help with direct server calls). Any suggestions would be helpful.

Thanks!

Hi @ShannonN

Thanks for reaching out and the great question! Sadly there’s no easy way of doing this in-product, but one option you could employ here is using your load balancer/WAF to filter these endpoints by header fields in the request. Specifically, the X-Octopus-User-Agent field might work for you. A request coming from the Octopus web UI will have a value of OctopusClient-js/<version>, where <version> is your current Octopus version. You would likely want to wildcard this value to reduce the administrative overhead of updating this when you upgrade Octopus.

I hope this helps!
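The rule the reply describes, written out as an added example (this is not Octopus Deploy code or a configuration from the forum thread): reject a request for a bare collection endpoint such as `/api/Spaces-1/Variables` or `/api/Spaces-1/Tasks` (no ID after the collection name) unless its `X-Octopus-User-Agent` header matches the wildcarded pattern `OctopusClient-js/*`. The function below is what a load balancer or WAF rule would evaluate; the collection names, the path regex and the sample requests are assumptions constructed for the example. One practitioner caveat: the header is supplied by the client, so any caller can set it. This blocks accidental or careless calls to the expensive endpoints, it is not a security boundary against a caller who knows about the rule.

```python
import re
from fnmatch import fnmatchcase

# Assumption for this example: the collection roots to protect are the two the
# question mentions. Add others here as needed.
BLOCKED_COLLECTIONS = ("variables", "tasks")

# Wildcarded form of the value the reply describes: OctopusClient-js/<version>.
# The '*' absorbs the version suffix so the rule survives Octopus upgrades.
ALLOWED_AGENT_PATTERN = "OctopusClient-js/*"

# Matches '/api/Spaces-<n>/<collection>' with nothing after the collection name
# (optional trailing slash). A request with an ID, e.g.
# '/api/Spaces-1/Variables/<id>', has an extra segment and does not match.
# Paths are lowercased before matching, since Octopus routing is not case-sensitive.
_COLLECTION_RE = re.compile(r"^/api/spaces-\d+/([a-z]+)/?$")


def _header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    wanted = name.lower()
    for key, value in headers.items():
        if key.lower() == wanted:
            return value
    return None


def should_block(path, headers):
    """Return True when the request should be rejected at the edge.

    Rule: a request for a bare collection endpoint (no ID) whose
    X-Octopus-User-Agent does not match the web UI's value is rejected.
    Every other request is passed through untouched.
    """
    # Drop the query string before matching; '?skip=0' must not defeat the rule.
    path_only = path.split("?", 1)[0].lower()
    match = _COLLECTION_RE.match(path_only)
    if not match or match.group(1) not in BLOCKED_COLLECTIONS:
        return False  # not one of the restricted collection endpoints
    agent = _header(headers, "X-Octopus-User-Agent") or ""
    # fnmatchcase: shell-style '*' wildcard, case-sensitive on the value.
    return not fnmatchcase(agent, ALLOWED_AGENT_PATTERN)


def filter_requests(requests):
    """Apply should_block to (path, headers) pairs; returns [(path, decision), ...]."""
    return [(p, "block" if should_block(p, h) else "allow") for p, h in requests]


# Constructed sample requests (not captured traffic): the web UI call, a direct
# call with no header, a direct call hiding behind a query string and odd casing,
# a call that supplies an ID, and an unrelated endpoint.
SAMPLE_REQUESTS = [
    ("/api/Spaces-1/Variables", {"X-Octopus-User-Agent": "OctopusClient-js/2023.4.1234"}),
    ("/api/Spaces-1/Variables", {}),
    ("/api/spaces-1/variables?skip=0", {"x-octopus-user-agent": "curl/8.4.0"}),
    ("/api/Spaces-1/Variables/variableset-Projects-1", {}),
    ("/api/Spaces-1/Tasks", {"X-Octopus-User-Agent": "PowerShell/7.4"}),
    ("/api/Spaces-1/Projects", {}),
]

if __name__ == "__main__":
    for path, decision in filter_requests(SAMPLE_REQUESTS):
        print(f"{decision:5}  {path}")
```

The same two checks (path matches a bare collection root, header does not match `OctopusClient-js/*`) are what you would express in the balancer's own rule language; keep the path check case-insensitive and strip the query string there too, or a caller can sidestep the rule with `/api/spaces-1/VARIABLES?x=1`.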
