If possible, use the reject-unauthenticated-requests global configuration property to prevent all clients from issuing unauthenticated requests. If a small, well-defined set of requests must remain available to unauthenticated clients, use the allowed-unauthenticated-request-criteria property to permit them while rejecting all other types of requests.

If it is not feasible to use the reject-unauthenticated-requests property, consider creating a client connection policy that matches unauthenticated connections. Use it to restrict which types of requests unauthenticated clients may issue and to impose significant resource limits on those clients.