Before configuring API Security policies, you need to first create and maintain an API inventory.

Create API

1. Click API Inventory in the left navigation bar to enter the API Inventory page.
2. On the API definition sub page, you can click Create button to create a new API. The configuration content includes two parts: “API Endpoint”, “Request Body and Parameter Contraints”.

API Endpoint

API Endpoint includes “Basic Configuration”, “Endpoint Configuration”, and “Authentication Configuration”.

• Basic Configuration:

  • API Name: The name of a custom API, which cannot be the same as an existing API.
  • API Group: Customize the grouping name of the API.
  • Control Group: Select the control group that you want to apply the API (control group is a set of domains)
  • Hostname: Select the specific domain that the API belongs to.
  • Description: Fill in the API’s note information.

• Endpoint Configuration:

  • Request Method: Specify the request methods supported by the API, such as GET, POST, Delete, UPDATE, etc. API requests that are not within the specified request method will be considered illegal.
  • API Type: Specify the type of API.
    • Common API: A normal interface in the path that does not include the query string parameter, such as: http://www.test.com/api .
    • When-Case API: The path contains query string parameters, such as: http://www.test.com/api?action=1 Related to http://www.test.com/api?action=2 It’s two different interfaces.
  • API Base Path: Specify the path of the API.
    • equals: requires entering the complete path, e.g./order/v1
    • regex match: requires entering a regular expression to match the endpoint path, e.g./order/*
  • Define variables in the path: After enabling the matching path parameters, you can use curly braces ({}) to define the parameters of the endpoint path. For example, when there are multiple path parameters, they can be configured as:/basePath/{pathParam1}, {pathParam2}, {pathParam3}. The configured path parameters can go to “Request Body and Parameter Contraints” for further parameter compliance configuration based on their defined parameter names.
  • Case sensitive: specifies whether the endpoint path is case sensitive. If case sensitive, for example:/Order and/Order are two different API paths.

• Authentication Configuration:

  • No Authentication Required: No need to authenticate the interface and enter other detection processes;
  • Key Pair Authentication: The client generates an authentication token through the default key and algorithm generated by the network host, and can configure specific parameter names, parameter locations, and authentication validity periods for the authentication token to be verified.

The generation of authentication tokens requires the cooperation of the client for development, as detailed in Authentication Configuration.

Request Body and Parameter Contraints

• Request Body and Parameter Contraints include Request Body Contraint and Parameter Contraint.
  • Request Body Contraint: Define compliant content for the request body, provide maximum constraints such as Body Limit, JSON Nesting Level, and number of JSON parameters, and limit the Content Type of the request. Control the security range of the received Body to prevent the API from receiving requests of excessive size. After enabling, the request Body contraint will be allowed to be executed, and requests that violate the restriction will be executed according to the processing actions configured under the “API Security” policy.
  • Content-Type: Specify the Content Type of the request body, select “Any” to allow the request header to carry any type of content type; Selecting “Empty does not exist” prohibits requests to use any type of content type.
    • FORM: Only Content Type is allowed as the FORM form type, such as application/x-www form urlencoded.
    • JSON: Only Content Type is allowed as a type of JSON, such as application/JSON.
    • ANY: Allow any type of content type to be carried in the request header.
    • EMPTY and NON-EXISTENT: Requesting to carry content type is prohibited, and carrying any type of content type is illegal.
  • Body Maximum Limit (bytes): The maximum limit allowed for requesting Body size, API requests greater than this limit will be considered illegal.
  • Maximum Nesting Depth: Enter the maximum number of JSON nesting levels allowed in the request body. API requests exceeding this limit will be considered illegal.
  • Maximum Number of JSON Parameters: The maximum number of JSON parameters allowed in the input request body. API requests exceeding this limit will be considered illegal.
• Parameter Constraint: Define compliant content for request parameters, finely verify the compliance of interface parameter names, parameter types, parameter ranges, and whether they must be included, effectively preventing illegal interface calls in unknown parameter situations. All position parameters default to loose mode, only detecting configured parameters; The Query String parameter can be specially defined to enable strict mode, and complete request parameters need to be configured. After enabling, it will allow the execution of request parameter restrictions. Requests that violate the restrictions will be executed according to the processing actions configured under the “API Security” policy.
  • Query String Parameter Detection Mode:
    • Loose mode (priority selection): Only detect configured parameters, and parameters that are not configured in the request will not be restricted.
    • Strict mode (carefully selected): All parameters in the interface will be strictly verified in whitelist form, and the parameters that initiate the request must be in the configured parameter list. Note that the interface must be configured with complete Query String parameters.

When the API type in “API Endpoint - Endpoint Configuration” is selected as “When-Case API”, if strict mode is to be enabled, the Query String parameter in the When-Case API path needs to be configured as a parameter in the parameter limit to ensure the integrity of the parameter whitelist in Strict Mode, otherwise it will affect the parameter matching in Strict Mode.

After selecting the supported request methods in the “Basic Information - API endpoint configuration”, it is necessary to define parameter compliance specifications for each request method here. The request methods that support defining parameters include: GET, POST, PUT, HEAD, PATCH, OPTIONS, and DELETE.

• Definition of Non Request Body Parameters:
  • Parameter Name: The name of the parameter.
  • Parameter Location: The location where the parameter appears. Supports HTTP header, Query String, Cookie, and path parameters.
  • Parameter Type: The type of the parameter. Supports Integers, Numbers, Strings, Booleans, and Enumeration.
    • Value Range: When selecting “Integer” or “Number”, the range of numerical values can be specified. The numerical value includes the beginning and end, i.e. [minimum value, maximum value].
    • Character Length: When selecting “string”, you can specify the length range of the string. The numerical value includes the beginning and end, i.e. [minimum value, maximum value]. When the parameter value contains Chinese characters, select the string type, and one Chinese character needs to be configured with a length of 3. e.g. id=test, then the parameter id needs to be configured with a length of 6.
    • Boolean Value: When “Boolean” is selected, the default Boolean value is “true; false”.
    • Enumeration: When selecting “enumeration”, the enumeration item can be specified. Example of enumeration dictionary: true; false.
  • Required?: When “Yes” is selected, the request must carry this parameter. Requests that do not carry this parameter are considered illegal requests.
  • Description: You can fill in the note information for the current parameter.
• Request the definition of the Body parameter: Turn on the “Body Parameter Definition” switch to enable this feature. When turned off, the definition of the Body parameter will not take effect. Supports two configuration methods: “Form Form” and “JSON Format Definition”.
  • FORM: When selecting “Form”, the configuration method is consistent with “Definition of Non Request Body Parameters”.
  • JSON: When selecting “JSON”, the parameter format of the request body needs to be defined according to the JSON format.
    • Parameter Name: The name of the parameter.
    • Parameter Type: The type of the parameter. Supports integers, numbers, strings, booleans, enums, arrays, and JSON objects. The root node can only select arrays or JSON objects.
    • The configuration of “Value range”, “Character Length”, “Boolean Value”, “Enumeration”, and “Required?” is consistent with the definition of “Definition of Non Request Body Parameters”.

When the parameter type is “Array”, it is necessary to further configure the specific types of parameters within the array, and the parameter types within the same array must be consistent. For example, when the parameter type is selected as “Array” and the parameter type of the array is configured as “Number”, all data in the array must be of “Number” type.

Batch Import API

If you want to import a batch of known APIs in bulk, you can click “Import” directly on the “API Definition” sub page. In the pop-up window, refer to the guided content to complete the API information filling, and click "Confirm Import".