Abuse Signals API — Prod checklist

Current version: v1 (signals-only contract).

Infrastructure

• 1 VM (2 vCPU / 4 GB RAM is enough)
• Nginx reverse-proxy → Kestrel
• HTTPS only

Security

• Firewall: open only 80/443
• Disable SSH password auth
• API key required (MariaDB)
• Rate limiting per API key (requests/minute) → HTTP 429 ({ "error": "rate_limit_exceeded" })
• Monthly quota per API key → HTTP 429 ({ "error": "quota_exceeded" })
• Disabled API key → HTTP 403 ({ "error": "api_key_disabled" })

API lock

• Only public endpoints: /abuse-signals, /usage
• Email or domain input (exactly one)
• No extra endpoints
• No dashboard

Cache

• Cache per domain (default TTL: 24h)
• WHOIS / ASN / DNS lookups cached (per domain evaluation)
• External source failure → explicit transparency signals (lookup_failed_dns, lookup_failed_asn, lookup_failed_rdap)

Logs

• Log only: timestamp, domain, abuseScore, plan
• No email content logging
• No client IP logging

Monitoring

• CPU/RAM, request count, 429 rate, 5xx rate

Rules

• Explain mode is optional (explain=1) and deterministic
• No per-customer tuning
• No refunds / no manual ops
• Do not expose signal thresholds or detection logic

Docs • Pricing