Tags: google-cloud-platform, google-cloud-api-gateway, google-api-gateway

GCP API Gateway - Hide project details in response message "quota exceeded"


When a configured quota is exceeded, the API Gateway responds with a detailed HTTP 429 message to the client. This message contains information about the Google Cloud project such as the project name used, the project number, or the API Gateway URL. If you use a Load Balancer in front of the API Gateway, the API Gateway URL is usually hidden.

Here is an example:

{
    "message": "RESOURCE_EXHAUSTED:Quota exceeded for quota metric 'Read requests' and limit 'Read requests per minute' of service 'api-gw-xyz.apigateway.abc.cloud.goog' for consumer 'project_number:123456'.",
    "code": 429
}

Can I omit this information and just return an HTTP 429 code? Or am I too paranoid?


Solution

  • The project number is not a secret. There is nothing an attacker can do with that knowledge. To use a project number or project ID requires authorized credentials.
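If you still prefer not to echo the service host and project number to clients, the rewrite can be done in whatever proxy or backend sits in front of the gateway. The following is an added illustration, not code from the question, the answer or Google's API Gateway: it recognises the 429 body shape quoted above, hands the client a generic message and keeps the project-specific details only in a server-side audit record. The sample body, the regex and the function name are constructed for this example.

```python
import json
import re
from typing import Tuple

# Constructed sample of the API Gateway 429 body quoted in the question.
SAMPLE_BODY = json.dumps({
    "message": ("RESOURCE_EXHAUSTED:Quota exceeded for quota metric 'Read requests' "
                "and limit 'Read requests per minute' of service "
                "'api-gw-xyz.apigateway.abc.cloud.goog' for consumer 'project_number:123456'."),
    "code": 429,
})

# Assumed pattern for the two fields the question wants hidden:
# the gateway service host and the consumer project number.
_DETAIL_RE = re.compile(
    r"of service '(?P<service>[^']+)' for consumer 'project_number:(?P<project>\d+)'"
)

# Generic body returned to the client instead of the detailed one.
GENERIC_429 = json.dumps({"message": "Quota exceeded. Retry later.", "code": 429})


def sanitize_quota_response(status: int, body: str) -> Tuple[str, dict]:
    """Return (client_body, audit_record).

    For a 429 whose message starts with RESOURCE_EXHAUSTED the client gets
    GENERIC_429 and the project details go into the audit record for the
    server log. Every other response passes through unchanged with an empty
    audit record.
    """
    if status != 429:
        return body, {}
    try:
        payload = json.loads(body)
    except ValueError:
        # Non-JSON 429 body: still hide it, but keep the raw text for operators.
        return GENERIC_429, {"raw": body}
    message = str(payload.get("message", ""))
    if not message.startswith("RESOURCE_EXHAUSTED"):
        return body, {}
    audit = {"original_message": message}
    match = _DETAIL_RE.search(message)
    if match:
        audit["service"] = match.group("service")
        audit["project_number"] = match.group("project")
    return GENERIC_429, audit
```

Keep any Retry-After header the upstream sets; only the body is replaced here.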