---
title: Route uses expensive APIs without rate limiting
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Route uses expensive APIs without rate
  limiting
---

# Route uses expensive APIs without rate limiting
## Description{% #description %}

An exposed API makes use of third-party services paid for per request and does not implement any rate-limiting protection.

A malicious user could abuse this endpoint to incur significant costs, exceed your quota, and potentially disrupt your application.

## Rationale{% #rationale %}

This finding works by:

- Identifying an API that is processing traffic from the internet.
- Detecting that the API uses a third-party paid service as part of its operations ([see the following list of services](https://docs.datadoghq.com/security/default_rules/appsec-expensive_apis.md#strategy) that fall in this category).
- Confirming that no business logic rate limiting rule is associated with this endpoint.

## Remediation{% #remediation %}

- Set up rate-limiting using a [detection rule](https://docs.datadoghq.com/security/application_security/policies/custom_rules.md#business-logic-abuse-detection-rule) on this API
- Keep track of this sensitive business flow by [adding business logic information](https://docs.datadoghq.com/security/application_security/how-it-works/add-user-info.md?tab=set_user#adding-business-logic-information-login-success-login-failure-any-business-logic-to-traces) to the endpoint
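As an added illustration (not part of the Datadog documentation or SDK), this is the in-application counterpart of such a rule: a per-principal token bucket that runs before the billable call is made, and the business logic event a handler would attach to the trace so a detection rule can count it per user. The guard class, the stand-in paid service, the counter and the event names are all constructed for this example.

```python
import time
from dataclasses import dataclass


@dataclass
class Bucket:
    tokens: float
    last: float


class ExpensiveRouteGuard:
    """Per-principal token bucket placed in front of a pay-per-request call.

    capacity: burst allowed per principal; refill_per_sec: sustained rate.
    The clock is injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, capacity: int = 3, refill_per_sec: float = 0.5, clock=time.monotonic):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.clock = clock
        self.buckets: dict[str, Bucket] = {}

    def allow(self, principal: str) -> bool:
        now = self.clock()
        b = self.buckets.setdefault(principal, Bucket(self.capacity, now))
        # Refill proportionally to elapsed time, never above capacity.
        b.tokens = min(self.capacity, b.tokens + (now - b.last) * self.refill_per_sec)
        b.last = now
        if b.tokens < 1:
            return False
        b.tokens -= 1
        return True


PAID_CALLS = {"count": 0}  # constructed counter standing in for the vendor's invoice


def call_paid_service(query: str) -> dict:
    """Constructed stand-in for a third-party service billed per request."""
    PAID_CALLS["count"] += 1
    return {"result": f"lookup:{query}"}


def handle_request(guard: ExpensiveRouteGuard, principal: str, query: str):
    """Route handler: the guard runs BEFORE the billable call is made.

    Returns (status, body, business_event); the event dict is the kind of
    business logic information attached to the trace for a detection rule.
    """
    if not guard.allow(principal):
        return 429, {"error": "rate limited"}, {"name": "expensive_api.blocked", "usr.id": principal}
    body = call_paid_service(query)
    return 200, body, {"name": "expensive_api.call", "usr.id": principal}
```

Blocked requests never reach the paid service, so the billed count stays bounded by capacity plus refill rate per principal rather than by how fast a client can send requests.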
