Block "code first" for data scheme generation


Is there a way to avoid creating new tables from the client in the backend?

If someone malicious get the API keys, might be able to spam the database with lot of new tables!

You can set DENY permissions for NotAuthenticatedUser for all tables. Check here

And what about AuthenticatedUsers?

A malicious attack could consist of:
1.- Register new user
2.- Start creating new tables

Maybe by doing some custom Server-code validation is the right answer? ie. if an authenticated user tries to creates a table -> respond with an error from the server