Abuse Signals API — Prod checklist

Current version: v1 (signals-only contract).

Infrastructure

• 1 VM (2 vCPU / 4 GB RAM is enough)
• Nginx reverse-proxy → Kestrel
• HTTPS only

Security

• Firewall: open only 80/443
• Disable SSH password auth
• Rate limiting via API key quotas

API lock

• Only endpoint: /abuse-signals
• Email and/or domain input
• No extra endpoints
• No dashboard

Cache

• Cache per domain (default TTL: 24h)
• WHOIS / ASN / DNS lookups cached
• External source failure → silent partial signals

Logs

• Log only: timestamp, domain, abuseScore, plan
• No email content logging
• No client IP logging

Monitoring

• CPU/RAM, request count, 429 rate, 5xx rate

Rules

• No explanations for scores
• No per-customer tuning
• No refunds / no manual ops
• Do not expose signal thresholds or detection logic

Docs • Pricing