However, if you're serving a public resource, authorization isn't going to help restrict requests: every client is allowed to read it. If you're concerned about Denial of Service attacks, and aren't relying on infrastructure upstream of you (a CDN, load balancer or WAF) to absorb them, you'd focus your mitigations in Step 2. For example, you could use something like https://github.com/vladimir-bukhtoyarov/bucket4j to keep a token bucket per client IP address or address range, keyed on an address you actually trust (the peer address, or a forwarded-for header only when the peer is your own proxy).
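As an added illustration of that Step 2 mitigation (this is example code, not from the page, from bucket4j, or from any project the page describes, and it is in Python rather than Java to keep it self-contained), the following keeps one token bucket per client network and resolves the client address safely behind a reverse proxy. The class and function names (`TokenBucket`, `IpRateLimiter`, `client_ip`), the /32 and /64 keying, and the burst and refill numbers are all assumptions chosen for the example.

```python
import ipaddress
import time
from typing import Callable, Dict, Optional, Set


class TokenBucket:
    """Classic token bucket: a burst of `capacity`, refilled at `refill_per_sec`."""

    def __init__(self, capacity: float, refill_per_sec: float, now: float) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = capacity          # a new client starts with a full burst allowance
        self.last = now

    def try_consume(self, now: float, cost: float = 1.0) -> bool:
        # Refill lazily from elapsed time; clamp so a clock step backwards cannot mint tokens.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False


class IpRateLimiter:
    """One bucket per client network: /32 for IPv4 and /64 for IPv6 by default.

    Keying IPv6 on a /64 rather than a /128 stops a host that owns a whole /64
    from sidestepping the limit by rotating addresses (assumed policy).
    """

    def __init__(self, capacity: float, refill_per_sec: float,
                 v4_prefix: int = 32, v6_prefix: int = 64,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.v4_prefix = v4_prefix
        self.v6_prefix = v6_prefix
        self.clock = clock
        self.buckets: Dict[str, TokenBucket] = {}

    def key_for(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        prefix = self.v4_prefix if addr.version == 4 else self.v6_prefix
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def allow(self, ip: str) -> bool:
        now = self.clock()
        key = self.key_for(ip)
        bucket = self.buckets.get(key)
        if bucket is None:
            bucket = self.buckets[key] = TokenBucket(self.capacity, self.refill_per_sec, now)
        return bucket.try_consume(now)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str], trusted_proxies: Set[str]) -> str:
    """Pick the address to rate-limit on.

    X-Forwarded-For is attacker-controlled unless the direct peer is a proxy we
    trust; only then walk the chain from the right, skip our own proxies, and
    take the first hop we did not append ourselves.
    """
    if remote_addr not in trusted_proxies or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


if __name__ == "__main__":
    limiter = IpRateLimiter(capacity=3, refill_per_sec=1.0)
    # Constructed sample: four back-to-back hits from one address.
    print([limiter.allow("203.0.113.7") for _ in range(4)])   # [True, True, True, False]
```

The `buckets` dict grows with every distinct client network seen, so a real deployment evicts idle buckets (bucket4j offers backed caches for this); and because the limiter is keyed on whatever `client_ip` returns, trusting a forwarded header from an untrusted peer lets an attacker both escape the limit and get an arbitrary victim address throttled.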
If you're worried about performance, then put a cache in front of your server (such as https://varnish-cache.org/), mark which responses are shareable (public resources, not per-user ones), and focus on providing validators in your representation metadata (ETag, Last-Modified) to improve cache hits. This is going to give you much more improvement than tinkering with the ordering of these steps.
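To show what "providing validators" means on the origin side, here is an added example (not code from the page or from Varnish) of a handler that emits ETag and Last-Modified and answers conditional requests with 304 so a cache can revalidate its copy cheaply. The handler name `respond`, the hash-based ETag scheme, and the `Cache-Control` policy are assumptions for the example; the precedence rules follow RFC 7232.

```python
import hashlib
from email.utils import formatdate, parsedate_to_datetime
from typing import Dict, Tuple

Response = Tuple[int, Dict[str, str], bytes]


def strong_etag(body: bytes) -> str:
    """Strong validator derived from the bytes actually sent, so it changes iff the body does."""
    return '"' + hashlib.sha256(body).hexdigest()[:32] + '"'


def http_date(ts: int) -> str:
    """IMF-fixdate, the format required for Last-Modified / If-Modified-Since."""
    return formatdate(ts, usegmt=True)


def _strip_weak(tag: str) -> str:
    return tag[2:] if tag.startswith("W/") else tag


def etag_matches(if_none_match: str, etag: str) -> bool:
    # If-None-Match uses weak comparison (RFC 7232 section 2.3.2): W/ is ignored on both sides.
    if if_none_match.strip() == "*":
        return True
    return any(_strip_weak(t.strip()) == _strip_weak(etag) for t in if_none_match.split(","))


def respond(request_headers: Dict[str, str], body: bytes, last_modified_ts: int) -> Response:
    """Serve `body`, or 304 when the client's validators show its copy is current.

    Precedence follows RFC 7232 section 6: when If-None-Match is present it is
    evaluated and If-Modified-Since is ignored.
    """
    etag = strong_etag(body)
    headers = {
        "ETag": etag,
        "Last-Modified": http_date(last_modified_ts),
        "Cache-Control": "public, max-age=60",   # assumed policy for a public resource
    }
    inm = request_headers.get("If-None-Match")
    if inm is not None:
        return (304, headers, b"") if etag_matches(inm, etag) else (200, headers, body)

    ims = request_headers.get("If-Modified-Since")
    if ims is not None:
        try:
            since = parsedate_to_datetime(ims).timestamp()
        except (TypeError, ValueError):
            since = None                   # unparseable date: ignore the header, serve 200
        if since is not None and last_modified_ts <= since:
            return 304, headers, b""
    return 200, headers, body


if __name__ == "__main__":
    # Constructed sample: a cache revalidates the representation it already holds.
    body = b"<html>public page</html>"
    status, hdrs, _ = respond({}, body, 1700000000)
    print(status, hdrs["ETag"])                                    # 200 plus the validator
    print(respond({"If-None-Match": hdrs["ETag"]}, body, 1700000000)[0])   # 304
```

The 304 path carries no body, which is what turns a cache miss on expiry into a cheap revalidation instead of a full regeneration. Note that `Cache-Control: public` is only right for the public resources the paragraph is about; anything that varies per user must say `private` or `no-store`, or the shared cache in front of you will serve one user's response to another.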