API Security - Key Considerations for Securing APIs Both Internally & Externally

Blog Post created by radba02 Employee on Jul 21, 2016


Recently I constructed a few policies for my API Security webcast, which simulate access to a backend SOA service. Before routing the call to the backend service, the policy (assumed to sit in a DMZ environment) will:

     a. Secure - authenticate and authorize through two-factor authentication (2FA): basic auth plus mutual authentication with an X.509 certificate over the SSL transport.

     b. Protect - screen for code and SQL injection and CSRF, and enforce a payload size limit.

     c. SLA Management - rate limit, quota, time and usage restriction, and IP restriction.

     d. Routing - content-, header- and query-based routing.

The policy also provides a sample exception handling mechanism whose output is an HTML response.

I have uploaded the relevant policies. Please make sure you create the required SSL certificate and basic auth credentials; you may change the SLA Management values or pass SQL and code injection payloads to receive the corresponding error messages. Not providing the correct credentials or private key will also return an exception.
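As an added illustration of the four stages described above (this is not one of the uploaded policies; it is example code written here in Python, and the allowlisted IPs, the `svc-user` credential, the backend hostnames and the time window are all constructed assumptions), the following runs the chain in the same order the post lists it: two-factor authentication (verified client certificate plus basic auth), protection (payload size, anti-CSRF header, injection screening), SLA management (IP restriction, time restriction, rate limit, quota) and finally header-, query- or content-based routing. Any filter that rejects the call raises a `PolicyError`, which the handler turns into an HTML error page, mirroring the post's exception handling:

```python
# Added illustration of the post's DMZ policy chain; all config values are constructed.
import base64
import hmac
import html
import re
import time
from dataclasses import dataclass, field

ALLOWED_IPS = {"10.0.0.5", "10.0.0.6"}          # IP restriction allowlist (constructed)
BASIC_USERS = {"svc-user": "s3cret"}            # demo store; hash credentials for real use
MAX_BODY_BYTES = 2048
RATE_LIMIT, RATE_WINDOW_SECONDS = 3, 60         # requests per client per window
DAILY_QUOTA = 1000
SERVICE_HOURS = range(8, 18)                    # usage restriction: 08:00-17:59 UTC
INJECTION_PATTERNS = [                          # toy screening; real gateways use threat-protection filters
    re.compile(r"(?i)\bunion\b.*\bselect\b|;\s*drop\b|'\s*or\s*'1'\s*=\s*'1"),
    re.compile(r"(?i)<script\b|\$\{.*\}"),
]

class PolicyError(Exception):
    """Raised by any filter; handle() turns it into an HTML error response."""
    def __init__(self, status: int, message: str):
        super().__init__(message)
        self.status, self.message = status, message

@dataclass
class Request:
    client_ip: str
    headers: dict
    query: dict
    body: bytes
    client_cert_verified: bool                  # set by the TLS layer after mutual auth
    now: float = field(default_factory=time.time)

USAGE: dict = {}                                # user -> (timestamps in window, total calls)

def basic_header(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

def authenticate(req: Request) -> str:
    """Two factors as in the post: verified X.509 client cert plus basic auth."""
    if not req.client_cert_verified:
        raise PolicyError(401, "mutual TLS client certificate required")
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        raise PolicyError(401, "basic authentication required")
    try:
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        raise PolicyError(401, "malformed Authorization header")
    expected = BASIC_USERS.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), pw.encode()):
        raise PolicyError(401, "invalid credentials")
    return user

def protect(req: Request) -> None:
    """Payload size limit, anti-CSRF header, and injection screening."""
    if len(req.body) > MAX_BODY_BYTES:
        raise PolicyError(413, "payload exceeds size limit")
    if req.headers.get("X-Requested-With") != "XMLHttpRequest":
        raise PolicyError(403, "missing anti-CSRF header")
    text = req.body.decode(errors="replace") + " " + " ".join(req.query.values())
    for pattern in INJECTION_PATTERNS:
        if pattern.search(text):
            raise PolicyError(400, "possible code/SQL injection rejected")

def enforce_sla(req: Request, user: str) -> None:
    """IP restriction, time-of-day restriction, rate limit, and quota."""
    if req.client_ip not in ALLOWED_IPS:
        raise PolicyError(403, "client IP not permitted")
    if time.gmtime(req.now).tm_hour not in SERVICE_HOURS:
        raise PolicyError(403, "service not available at this time")
    stamps, total = USAGE.get(user, ([], 0))
    stamps = [t for t in stamps if req.now - t < RATE_WINDOW_SECONDS]
    if len(stamps) >= RATE_LIMIT:
        raise PolicyError(429, "rate limit exceeded")
    if total >= DAILY_QUOTA:
        raise PolicyError(429, "quota exhausted")
    USAGE[user] = (stamps + [req.now], total + 1)

def route(req: Request) -> str:
    """Header, then query, then content based routing to the backend."""
    if req.headers.get("X-Api-Version") == "2":
        return "https://backend-v2.internal/soa"
    if req.query.get("region") == "eu":
        return "https://backend-eu.internal/soa"
    if b"<priority>high</priority>" in req.body:
        return "https://backend-priority.internal/soa"
    return "https://backend.internal/soa"

def handle(req: Request) -> tuple:
    """Run the chain; return (200, backend URL) or (status, HTML error page)."""
    try:
        user = authenticate(req)
        protect(req)
        enforce_sla(req, user)
        return 200, route(req)
    except PolicyError as err:                  # exception handler: answer with HTML, as in the post
        return err.status, (f"<html><body><h1>{err.status}</h1>"
                            f"<p>{html.escape(err.message)}</p></body></html>")
```

The ordering matters: authentication runs first so that unauthenticated callers never reach the rate-limit or routing stages, and the payload size check runs before the body is decoded so an oversized request is dropped cheaply. The regex screening is deliberately minimal; a production gateway would rely on schema validation and its built-in threat-protection filters rather than a hand-written pattern list.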
