Before configuring API Security policies, you need to first create and maintain an API inventory.
Create API
- Click APIs in the left navigation bar to enter the API Inventory page.
- On the API definition sub page, you can click the “Create” button to create a new API. The configuration content includes two parts: “API Endpoint”, “Request Body and Parameter Contraints”.
API Endpoint
API Endpoint includes “Basic Configuration”, “Endpoint Configuration”, and “Authentication Configuration”.
The generation of authentication tokens requires the cooperation of the client for development, as detailed in Authentication Configuration.
Request Body and Parameter Contraints
- Request Body and Parameter Contraints include Request Body Contraint and Parameter Contraint.
- Request Body Contraint: Define compliant content for the request body, provide maximum constraints such as Body Limit, JSON Nesting Level, and number of JSON parameters, and limit the Content Type of the request. Control the security range of the received Body to prevent the API from receiving requests of excessive size. After enabling, the request Body contraint will be allowed to be executed, and requests that violate the restriction will be executed according to the processing actions configured under the “API Security” policy.
- Content-Type: Specify the Content Type of the request body, select “Any” to allow the request header to carry any type of content type; Selecting “Empty does not exist” prohibits requests to use any type of content type.
- FORM: Only Content Type is allowed as the FORM form type, such as application/x-www form urlencoded.
- JSON: Only Content Type is allowed as a type of JSON, such as application/JSON.
- ANY: Allow any type of content type to be carried in the request header.
- EMPTY and NON-EXISTENT: Requesting to carry content type is prohibited, and carrying any type of content type is illegal.
- Body Maximum Limit (bytes): The maximum limit allowed for requesting Body size, API requests greater than this limit will be considered illegal.
- Maximum Nesting Depth: Enter the maximum number of JSON nesting levels allowed in the request body. API requests exceeding this limit will be considered illegal.
- Maximum Number of JSON Parameters: The maximum number of JSON parameters allowed in the input request body. API requests exceeding this limit will be considered illegal.
- Parameter Constraint: Define compliant content for request parameters, finely verify the compliance of interface parameter names, parameter types, parameter ranges, and whether they must be included, effectively preventing illegal interface calls in unknown parameter situations. All position parameters default to loose mode, only detecting configured parameters; The Query String parameter can be specially defined to enable strict mode, and complete request parameters need to be configured. After enabling, it will allow the execution of request parameter restrictions. Requests that violate the restrictions will be executed according to the processing actions configured under the “API Security” policy.
- Query String Parameter Detection Mode:
- Loose mode (priority selection): Only detect configured parameters, and parameters that are not configured in the request will not be restricted.
- Strict mode (carefully selected): All parameters in the interface will be strictly verified in whitelist form, and the parameters that initiate the request must be in the configured parameter list. Note that the interface must be configured with complete Query String parameters.
When the API type in “API Endpoint - Endpoint Configuration” is selected as “When-Case API”, if strict mode is to be enabled, the Query String parameter in the When-Case API path needs to be configured as a parameter in the parameter limit to ensure the integrity of the parameter whitelist in Strict Mode, otherwise it will affect the parameter matching in Strict Mode.
After selecting the supported request methods in the “Basic Information - API endpoint configuration”, it is necessary to define parameter compliance specifications for each request method here. The request methods that support defining parameters include: GET, POST, PUT, HEAD, PATCH, OPTIONS, and DELETE.
- Definition of Non Request Body Parameters:
- Parameter Name: The name of the parameter.
- Parameter Location: The location where the parameter appears. Supports HTTP header, Query String, Cookie, and path parameters.
- Parameter Type: The type of the parameter. Supports Integers, Numbers, Strings, Booleans, and Enumeration.
- Value Range: When selecting “Integer” or “Number”, the range of numerical values can be specified. The numerical value includes the beginning and end, i.e. [minimum value, maximum value].
- Character Length: When selecting “string”, you can specify the length range of the string. The numerical value includes the beginning and end, i.e. [minimum value, maximum value]. When the parameter value contains Chinese characters, select the string type, and one Chinese character needs to be configured with a length of 3. Example: id=test, then the parameter id needs to be configured with a length of 4.
- Boolean Value: When “Boolean” is selected, the default Boolean value is “true; false”.
- Enumeration: When selecting “enumeration”, the enumeration item can be specified. Example of enumeration dictionary: true; false.
- Required?: When “Yes” is selected, the request must carry this parameter. Requests that do not carry this parameter are considered illegal requests.
- Description: You can fill in the note information for the current parameter.
- Request the definition of the Body parameter: Turn on the “Body Parameter Definition” switch to enable this feature. When turned off, the definition of the Body parameter will not take effect. Supports two configuration methods: “Form Form” and “JSON Format Definition”.
- FORM: When selecting “Form”, the configuration method is consistent with “Definition of Non Request Body Parameters”.
- JSON: When selecting “JSON”, the parameter format of the request body needs to be defined according to the JSON format.
- Parameter Name: The name of the parameter.
- Parameter Type: The type of the parameter. Supports integers, numbers, strings, booleans, enums, arrays, and JSON objects. The root node can only select arrays or JSON objects.
- The configuration of “Value range”, “Character Length”, “Boolean Value”, “Enumeration”, and “Required?” is consistent with the definition of “Definition of Non Request Body Parameters”.
When the parameter type is “Array”, it is necessary to further configure the specific types of parameters within the array, and the parameter types within the same array must be consistent. For example, when the parameter type is selected as “Array” and the parameter type of the array is configured as “Number”, all data in the array must be of “Number” type.
Batch Import API
If you want to import a batch of known APIs in bulk, you can click “Import” directly on the “API Definition” sub page. In the pop-up window, refer to the guided content to complete the API information filling, and click "Confirm Import".