Hosting B4J on your own (at home): Bad idea
Hosting B4J on a hosted server: Ask your provider which possibilities they offer. They will have a strong infrastructure to protect your server (as far as it is technically possible).
Whenever possible:
- check the IP addresses (requests per time > x -> don't react anymore)
- use a login / password protection (wrong pw > x times -> don't react anymore for 1 hour or so)
- use API-Keys (like in Firebase messaging) and check them
- use encryption
Use another frontend:
- B4J is excellent and does a good job serving requests, but... there is a reason why the world is using Apache/Tomcat, etc. They have experienced the same situations and have solutions for that. B4J can work in the background and let the dirty work be done by Apache.
- My apps use Google Firebase messaging for push notifications (so Google has to deal with it). All other parts use PHP/MySQL via Apache hosted by my provider. An attacker has to get through Google, my provider, Apache, some PHP logic, encryption, passwords, IP address checks, etc.
One day I had a typo in a pw when testing. After 3 tries my provider blocked my IP address completely (I was wondering why my HttpUtils job did not get any response from my server anymore). Took me some time but: Good job!
After all: A flooding is hard to protect from.
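The two per-IP checks listed in the post above (requests per time > x, and wrong pw > x times -> blocked for an hour), as an added example that is not part of the original post. It is written in Python rather than B4J; the class name `RequestGuard`, its method names and the threshold values are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class RequestGuard:
    """Per-IP sliding-window rate limit plus failed-login lockout (hypothetical helper)."""

    def __init__(self, max_requests=20, window_s=10, max_failures=3,
                 lockout_s=3600, clock=time.monotonic):
        self.max_requests = max_requests   # "x" requests allowed per window
        self.window_s = window_s           # length of the window in seconds
        self.max_failures = max_failures   # wrong passwords before blocking
        self.lockout_s = lockout_s         # block duration ("1 hour or so")
        self.clock = clock                 # injectable so tests can control time
        self._hits = defaultdict(deque)    # ip -> timestamps of accepted requests
        self._failures = defaultdict(int)  # ip -> consecutive wrong passwords
        self._blocked_until = {}           # ip -> time at which the block expires

    def allow_request(self, ip):
        """Return False when the server should not react to this IP."""
        now = self.clock()
        until = self._blocked_until.get(ip)
        if until is not None:
            if now < until:
                return False               # still locked out after bad logins
            del self._blocked_until[ip]    # block expired: start fresh
            self._failures.pop(ip, None)
        hits = self._hits[ip]
        while hits and now - hits[0] >= self.window_s:
            hits.popleft()                 # forget requests outside the window
        if len(hits) >= self.max_requests:
            return False                   # too many requests per time
        hits.append(now)
        return True

    def record_login(self, ip, success):
        """Count wrong passwords; block the IP after max_failures in a row."""
        if success:
            self._failures.pop(ip, None)   # a good login resets the counter
            return
        self._failures[ip] += 1
        if self._failures[ip] >= self.max_failures:
            self._blocked_until[ip] = self.clock() + self.lockout_s
```

State is held in memory in one process, so it resets on restart and is not shared between server instances.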