GCP API Gateway - Hide project details in response message "quota exceeded"


When a configured quota is exceeded, the API Gateway responds with a detailed http 429 message to the client. This message contains information about the Google Cloud project such as the project name used, the project number, or the API Gateway URL. If you use a Load Balancer in front of the API Gateway, the API Gateway URL is usually hidden.

Here is an example:

{
    "message": "RESOURCE_EXHAUSTED:Quota exceeded for quota metric 'Read requests' and limit 'Read requests per minute' of service 'api-gw-xyz.apigateway.abc.cloud.goog' for consumer 'project_number:123456'.",
    "code": 429
}

Can I omit this information and just return an http 429 code? Or am I too paranoid?


John Hanley On BEST ANSWER

The project number is not a secret. There is nothing an attacker can do with that knowledge. To use a project number or project ID requires authorized credentials.

Hemanth Kumar On

Without an error message it could be difficult to identify that the quota got exceeded, and also, when you are handling multiple projects in a single console, it would be difficult to identify which project's quota got exceeded. As @John Hanley said, there will be no issue or attack with the project number, as it requires authorized credentials for every individual project.

As you said, just returning an http 429 code: this error code basically indicates the user has sent too many requests in a given amount of time ("rate limiting"). So, it is difficult to understand what is causing the 429 error code.
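As an added example (not part of the question or either answer), here is a Python function for whatever sits between the client and the gateway that reconciles both concerns: the client gets a generic 429 body, while the upstream message is parsed into an operator-side record so you can still tell which project, service and limit were hit. The record field names and the generic body text are assumptions; the sample input is the response quoted in the question.

```python
import json
import re

# Pattern built from the wording of the API Gateway message quoted in the
# question; the named groups are assumptions, not gateway field names.
_QUOTA_RE = re.compile(
    r"quota metric '(?P<metric>[^']+)' and limit '(?P<limit>[^']+)' "
    r"of service '(?P<service>[^']+)' for consumer '(?P<consumer>[^']+)'"
)

# Client-facing body: status only, no project, service or consumer details.
GENERIC_429 = {"code": 429, "message": "Too Many Requests"}


def sanitize_quota_response(status: int, body: str):
    """Return (status, client_body, ops_record).

    Non-429 responses pass through untouched. For a 429 the detailed
    upstream message is kept in an operator-side record (for logging or
    metrics) and the client receives only the generic body.
    """
    if status != 429:
        return status, body, None
    try:
        upstream = json.loads(body)
        message = str(upstream.get("message", ""))
    except (ValueError, AttributeError):
        # Not the JSON shape we expect: keep the raw text server-side only.
        message = body
    record = {"status": 429, "raw_message": message}
    match = _QUOTA_RE.search(message)
    if match:
        record.update(match.groupdict())
    return 429, json.dumps(GENERIC_429), record


if __name__ == "__main__":
    # Constructed sample: the response body quoted in the question.
    sample = json.dumps({
        "message": "RESOURCE_EXHAUSTED:Quota exceeded for quota metric "
                   "'Read requests' and limit 'Read requests per minute' "
                   "of service 'api-gw-xyz.apigateway.abc.cloud.goog' "
                   "for consumer 'project_number:123456'.",
        "code": 429,
    })
    code, client_body, ops = sanitize_quota_response(429, sample)
    print(code, client_body)               # 429 {"code": 429, "message": "Too Many Requests"}
    print(ops["consumer"], ops["limit"])   # project_number:123456 Read requests per minute
```

The operator record is what you would write to your own logs, keeping the per-project diagnosis the second answer asks for without exposing it to callers.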