API security is increasingly important on the web today, thanks to microservice architectures, mobile apps, and other growing trends. It’s a broad subject, and includes requirements such as:
The last requirement (preventing API abuse) is an especially complicated task. Endpoints are subject to a wide variety of malicious activities: hostile bots, volumetric attacks, SQL/code injection attempts, and so on.
As an Envoy plugin, Curiefense focuses on HTTP traffic filtering; it detects and blocks threats within the incoming requests sent to an endpoint. Before discussing those mechanisms, let’s talk about API protection in general.
Many security solutions don’t protect APIs to the same degree as they protect web applications. There are a couple of reasons for this.
First, in the early days of the web, APIs were less important than they are today. Few security solutions were designed with them in mind, and so API security features tended to be added on later. With Curiefense, we didn’t have this problem; we had the opportunity to build in API protection from the ground up.
The second issue is that APIs have some unique security requirements, compared to web apps. Some of the conventional techniques used to secure app traffic don’t work for APIs. For example, a traditional way to detect hostile bots is to verify the user’s browser environment—but for an API user, there is no browser to verify.
Here’s how Curiefense addresses these challenges.
Curiefense protects all forms of traffic equally. Calls to a REST API enjoy the same security mechanisms (WAF, DDoS, rate limiting, session control, etc.) as the requests sent to a site or web app.
So, it defends APIs against the full spectrum of web-based attacks: SQL/code injection, XSS, DDoS, ATO (Account Takeover), app/API abuse, vulnerability scans, payment/gift card fraud, input fuzzing, scraping, and more.
All incoming traffic (for web apps, sites, service APIs, mobile/native clients, and so on) is processed using the same tag-based workflow (discussed in-depth in a previous article), customized for the type of requests being filtered.
This means that administration is exactly the same for APIs as for web applications. All security rulesets are configured and assigned the same way, regardless of the kind of traffic they filter. We wanted it to be equally straightforward in all use cases, whether you’re defining a policy for an individual site URL or assigning rulesets to all API endpoints that match a specified regex.
Curiefense protects APIs using a variety of security mechanisms. The categories are:
The next two articles in this series will discuss these mechanisms in detail.