API Protection Smart Tags are one of the many key offerings that contribute to our security platform's status as a WAAP. Listed below are a few things you can do with API protection Smart Tags.
A WAF rule can be created to generate access tags that override restriction tags on an API endpoint.
Step 1: You can create two types of tags that control access to different API endpoints via the API Discovery feature:
Click on the API Baseline tab in the API Discovery section to view these new endpoints and groups.
Step 2: Create two tags that will define two types of users:
The API-Level Authorization Policy allows you to tag restricted endpoints with one of the access tags and tag users if they have access to either role on login. In this case, the system will block requests that do not have the right access user tag. Admin users will never be restricted to any of the Access endpoints.
In other words, these tags are used to define different levels of authorization.
- Admin users will be able to access any endpoint.
- Privileged users will be able to access privileged access endpoints.
- Non-privileged users will be blocked from all access endpoints that are privileged or admin.
All of the tags have to be defined before enabling the policy.
Auth Token Protection
Auth URL - OAuth endpoints (
oauth2/v1/token) will help our system detect:
- Multiple failed login attempts.
- Multiple requests with unauthorized tokens.
- Multiple requests to forbidden paths.
Ignore Sensitive Data Exposure Detection
This functionality will notify the WAF of legit PII data exposure in the response, and exclude them from our API Sensitive Data Exposure policy. Types of data include phone numbers, SSNs, email addresses, credit card numbers, etc.
This means you can still benefit from the protection of unknown sensitive data leakage while still allowing legit known resources to create a response without being interrupted by the WAF.