Overview
API Security is the prevention of unwanted or abusive usage of an API. StackPath's WAF offers WAAP capabilities that allow you to protect both your web applications and APIs simultaneously.
Our WAF possesses pre-defined API Protection policies that can be enabled/disabled with the click of a button.
This guide will explain each of these API Protection policies in more detail.
All of these rules are disabled by default. To enable or disable a protection vector, simply click on the toggle switch to turn it off or on.
Auth Token Protection
Prevents repeated authentication attempts and blocks access for users who present multiple invalid tokens.
Define your OAuth token endpoints prior to enabling this policy to ensure they are tagged appropriately.
Please see Tag Generating Rules - Auth Token Protection for more information.
Sensitive Data Exposure
Block API responses that contain PII (phone numbers, SSNs, email addresses, credit card numbers, etc.).
This check can be disabled for specific API endpoints by tagging them, so you keep the protection against unexpected sensitive data leakage while known, legitimate resources can still return such data without being interrupted by the WAF.
Please see Tag Generating Rules - Ignore Sensitive Data Exposure Detection for more information.
Invalid API Traffic
Block API requests whose body does not conform to a valid JSON structure. This policy protects your APIs by inspecting the keys and values within the JSON; if they are not properly structured, the request is blocked.
API-Level Authorization
API endpoint authorization can be broken down into three levels:
- Admins - Users who can access any endpoint.
- Privileged - Users who can access privileged endpoints.
- Non-privileged - Users who are blocked from all endpoints that require privileged or admin access.
To ensure that only admins and privileged users have access to sensitive endpoints, create tags that are applied when the defined header, token, etc. is present. Then use the API Discovery feature to control access based on these tags.
Please see Tag Generating Rules - API-Level Authorization for more information.
Non-Baselined API Requests
Enable a positive security policy that blocks requests to API endpoints that are not part of the API baseline. The API baseline is where your protected API endpoints are listed. This is also where you can manually add API endpoints if you choose not to perform a network or API specification file scan.
Please see API Discovery - API Baseline for more information.
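The following is an added example (not StackPath's code) that models three of the policies above in a small request/response filter: a positive-security baseline allowlist (Non-Baselined API Requests), a JSON structure check (Invalid API Traffic), and PII detection in responses with a tag-based exemption (Sensitive Data Exposure). The baseline entries, the exempt endpoint, the PII patterns and the "body must be a JSON object" rule are all constructed assumptions for illustration.

```python
import json
import re

# Constructed API baseline: (method, path) pairs that are allowed. Hypothetical endpoints.
API_BASELINE = {
    ("GET", "/v1/users"),
    ("POST", "/v1/orders"),
    ("GET", "/v1/support/contact"),
}

# Constructed set of endpoints tagged "ignore sensitive data exposure detection".
IGNORE_SDE_ENDPOINTS = {("GET", "/v1/support/contact")}

# Simplified PII detectors (assumed patterns; a real WAF uses broader, validated rules).
PII_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}


def check_request(method, path, body=""):
    """Apply the non-baselined and invalid-traffic policies to an inbound request.

    Returns (allowed, reason). Unknown endpoints are blocked first (positive
    security model); a non-empty body must then parse as a JSON object.
    """
    if (method, path) not in API_BASELINE:
        return False, "non-baselined endpoint"
    if body:
        try:
            parsed = json.loads(body)
        except ValueError:
            return False, "invalid JSON"
        # Assumption for this example: keys/values must sit inside a JSON object.
        if not isinstance(parsed, dict):
            return False, "JSON body must be an object"
    return True, "ok"


def check_response(method, path, body):
    """Return the PII categories found in an outbound body, unless the endpoint is exempt."""
    if (method, path) in IGNORE_SDE_ENDPOINTS:
        return []
    return [name for name, pattern in PII_PATTERNS.items() if pattern.search(body)]
```

A non-empty result from check_response is what a blocking policy would act on; the exempt endpoint returns an empty list even when the same data is present.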