https://www.eknix.com/tags/web-security/Recent content in Web Security on Eknix — Web security & performance for the enterpriseHugoen-us© {year} EKNIX LTD. All rights reserved.Tue, 26 May 2026 00:00:00 +0000https://www.eknix.com/blog/api-security-ecommerce/Tue, 26 May 2026 00:00:00 +0000https://www.eknix.com/blog/api-security-ecommerce/<p>Most ecommerce CTOs we talk to have a reasonable handle on their frontend security posture. WAF in place, DDoS protection sorted, bot management on the roadmap. The conversation gets uncomfortable when it turns to APIs.</p> <p>It&rsquo;s not that they&rsquo;re unaware. They know APIs need securing. The attack surface is just bigger than it looks, the tooling caught up later than it did on the web application side, and most API programmes have gaps nobody&rsquo;s had time to close. Then on top of that, AI shopping agents have started hitting ecommerce APIs in volume over the last year, and that has changed what &ldquo;normal&rdquo; traffic even means.</p>https://www.eknix.com/blog/bot-attacks-fintech/Tue, 19 May 2026 00:00:00 +0000https://www.eknix.com/blog/bot-attacks-fintech/<p>Bots now account for nearly half of all internet traffic. But not all bots are created equal — and the ones targeting your fintech platform aren&rsquo;t browsing. They&rsquo;re working.</p> <p>They&rsquo;re testing stolen card numbers against your payment API. They&rsquo;re taking over customer accounts. They&rsquo;re scraping your pricing data. They&rsquo;re stuffing credentials until one works. And while they do it, they&rsquo;re quietly draining your revenue, degrading your infrastructure performance, and eroding the trust your customers place in you.</p>https://www.eknix.com/blog/recaptcha-ddos-cost/Wed, 14 May 2025 00:00:00 +0000https://www.eknix.com/blog/recaptcha-ddos-cost/<p>There&rsquo;s a category of question that gets asked quietly in Slack channels and in private post-incident reviews: &ldquo;could we just use reCAPTCHA to handle this?&rdquo; It&rsquo;s not an unreasonable instinct. Google reCAPTCHA is already deployed on most sites, it can challenge suspicious traffic, and it costs nothing for the first ten thousand requests. As a lightweight speed bump, it has its place.</p> <p>But &ldquo;speed bump against DDoS traffic&rdquo; and &ldquo;speed bump against spam submissions&rdquo; are very different things — and running reCAPTCHA into a volumetric attack has a financial profile that most teams haven&rsquo;t priced out before they need to.</p>