Recently I constructed a few policies for my API Security WebCast. They simulate access to a backend SOA service, but before routing the call to the backend service, the policy (assumed to run in a DMZ environment) will:
a. Secure - authenticate/authorize through two-factor authentication (2FA): basic auth plus mutual authentication with an X.509 certificate over SSL transport.
b. Protect - against code and SQL injection and CSRF, and enforce a payload size limit.
c. SLA Management - rate limit, quota, time and usage restriction, and IP restriction.
d. Routing - content-, header- and query-based routing.
The policy also provides a sample exception handling mechanism; the output is an HTML response.
I have uploaded the relevant policies. Please make sure you create the required SSL certificate and basic auth credentials. You may change the values (SLA Management) or pass SQL or code injection payloads to receive the relevant error messages. Not providing valid credentials or the private key will also return an exception.