---
title: Prevent unauthenticated requests
description: Preventing requests from unauthenticated clients creates an initial hurdle that attackers must overcome for online attacks against the server. Whenever feasible, clients should be required to authenticate before they are allowed to issue requests.
component: pingdirectory
version: 11.0
page_id: pingdirectory:pingdirectory_security_guide:pd_sec_prevent_unauthn_requests
canonical_url: https://docs.pingidentity.com/pingdirectory/11.0/pingdirectory_security_guide/pd_sec_prevent_unauthn_requests.html
revdate: September 13, 2023
---

# Prevent unauthenticated requests

Preventing requests from unauthenticated clients creates an initial hurdle that attackers must overcome for online attacks against the server. Whenever feasible, clients should be required to authenticate before they are allowed to issue requests.

If possible, use the `reject-unauthenticated-requests` global configuration property to prevent all clients from issuing unauthenticated requests. If a small, well-defined set of requests should be allowed to unauthenticated clients, then you can use the `allowed-unauthenticated-request-criteria` property to permit them while rejecting all other types of requests.

If it is not feasible to use the `reject-unauthenticated-requests` property, then consider creating a client connection policy that matches unauthenticated connections. Use it to restrict what types of requests are allowed for unauthenticated clients and to impose significant resource limits for those clients.