Use APIs to manage API Security

You can use these APIs to create, configure, and deploy API Security.

Note:

To understand how to use API Security APIs to configure the feature, see the Nitro API documentation.

Step   Resource                                     URL
1      Create an API Definition                     https://adm.cloud.com/{customerid}/apisec/nitro/v1/config/apidefs
2      Add an API proxy                             https://adm.cloud.com/apiproxies
3      Deploy an API instance using the API Proxy   https://adm.cloud.com/apiproxies/{customerid}/deployments
4      Add API policies                             https://adm.cloud.com/{customerid}/apisec/nitro/v1/config/policies/{id}

Each API policy has its own config_spec object: an opaque JSON dictionary that configures the given policytype with specific values.

In this object, you can select an API resource and its methods using the following options:

  • api-resource-paths - Specify the API resource paths and methods that are defined in an API definition.

    Example:

     {
         "endpoints": ["/pet", "/pet/findByStatus", "/pet/findByTags"],
         "get": true,
         "post": false,
         "put": false,
         "delete": false
     }
    
  • custom-rules - Specify the custom API resource paths and methods that might not exist in an API definition.

    Example:

     {
         "endpoints": ["/pet/categories", "/pet/findByName"],
         "get": true,
         "post": false,
         "put": false,
         "delete": false
     }
    

With this configuration, the policy filters the incoming traffic requests that match the specified API resource paths.
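The selection logic above can be checked offline before a policy is pushed. The following is an added example, not code from the Citrix documentation or product: it models the api-resource-paths / custom-rules selectors with the field names used on this page, and it assumes one reading of the matching rule (a selector matches when the request path is listed in its "endpoints" and the flag for the request's HTTP method is true; an empty selector `{}` matches nothing). The policy objects and request paths are constructed for the example.

```python
"""Work out which API Security policies select a request.

Added example, not code from the Citrix documentation. The matching rule is
an assumption: a selector matches when the request path is listed in its
"endpoints" and the flag for the request's HTTP method is true; an empty
selector ({}) matches nothing.
"""
from __future__ import annotations
from typing import Any

METHODS = ("get", "post", "put", "patch", "delete")

# Constructed policies (two of the page's policy types, trimmed to the
# selector fields) to run the checks against.
POLICIES: list[dict[str, Any]] = [
    {
        "policytype": "Ratelimit",
        "order_index": 1,
        "policy_name": "ratelimit_policy",
        "config_spec": {
            "api-resource-paths": {
                "endpoints": ["/pet", "/pet/findByStatus", "/pet/findByTags"],
                "get": True, "post": False, "put": False, "delete": False,
            },
            "custom-rules": {},
        },
    },
    {
        "policytype": "Deny",
        "order_index": 9,
        "policy_name": "deny_policy",
        "config_spec": {
            "api-resource-paths": {},
            # custom-rules covers a path that is not in the API definition
            "custom-rules": {"endpoints": ["/pet/findByName"], "get": True, "post": True},
            "api-denytype": "RESPONDWITH",
        },
    },
]


def selector_matches(selector: dict[str, Any], method: str, path: str) -> bool:
    """True when the selector lists `path` and enables `method`.
    A missing method key counts as false, so only explicitly enabled
    methods are selected."""
    if not selector:
        return False
    return path in selector.get("endpoints", []) and selector.get(method.lower(), False) is True


def policy_selects(policy: dict[str, Any], method: str, path: str) -> bool:
    """A policy applies if either selector block matches the request."""
    spec = policy["config_spec"]
    return (selector_matches(spec.get("api-resource-paths", {}), method, path)
            or selector_matches(spec.get("custom-rules", {}), method, path))


def applicable_policies(policies, method, path) -> list[str]:
    """Names of the policies that select the request, ordered by order_index."""
    ordered = sorted(policies, key=lambda p: p["order_index"])
    return [p["policy_name"] for p in ordered if policy_selects(p, method, path)]


def lint_policy(policy: dict[str, Any]) -> list[str]:
    """Structural checks worth running before POSTing a policy object:
    required top-level keys, endpoint paths starting with '/', and
    boolean method flags (a string such as "true" would silently not match)."""
    problems: list[str] = []
    for key in ("policytype", "order_index", "policy_name", "config_spec"):
        if key not in policy:
            problems.append(f"missing top-level key: {key}")
    spec = policy.get("config_spec", {})
    for block_name in ("api-resource-paths", "custom-rules"):
        block = spec.get(block_name) or {}
        for endpoint in block.get("endpoints", []):
            if not str(endpoint).startswith("/"):
                problems.append(f"{block_name}: endpoint {endpoint!r} must start with '/'")
        for method in METHODS:
            if method in block and not isinstance(block[method], bool):
                problems.append(f"{block_name}: {method} must be true or false")
    return problems


def lint_policies(policies) -> list[str]:
    """Cross-policy check: order_index and policy_name should be unique."""
    problems = []
    for field in ("order_index", "policy_name"):
        seen = [p.get(field) for p in policies]
        dupes = sorted({str(v) for v in seen if seen.count(v) > 1})
        if dupes:
            problems.append(f"duplicate {field}: {', '.join(dupes)}")
    return problems


if __name__ == "__main__":
    for method, path in (("GET", "/pet"), ("POST", "/pet"), ("GET", "/pet/findByName")):
        print(method, path, "->", applicable_policies(POLICIES, method, path))
    print("lint:", lint_policies(POLICIES) or "ok")
```

The lint step catches the two mistakes that are easiest to make when hand-editing these objects: a method flag written as the string "true" instead of a JSON boolean, and two policies sharing an order_index.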

For information about config_spec of each policy type, see API examples for policy types.

API examples for policy types

This section describes the supported API policy types and their configuration:

Rate limit

The following is an example configuration for the Ratelimit policy type. Specify the following configuration in the config_spec object:

{
    "policytype": "Ratelimit",
    "config_spec": {
        "api-resource-paths": {
            "endpoints": ["/pet", "/pet/findByStatus", "/pet/findByTags"],
            "get": true,
            "post": false,
            "put": false,
            "delete": false
        },
        "custom-rules": {},
        "threshold": "10",
        "timeslice": "20000",
        "limittype": "BURSTY",
        "api-respondertype": "DROP",
        "header_name": "x-api-key",
        "per_client_ip": true
    },
    "order_index": 1,
    "policy_name": "ratelimit_policy"
}

For more information on each attribute, see Rate limit policy.
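To make the Ratelimit fields concrete, here is an added example that is not the product's implementation. It reads the config_spec fields named on this page (threshold, timeslice, limittype, header_name, per_client_ip, api-respondertype) and applies one plausible reading of them: BURSTY allows up to `threshold` requests per bucket within any rolling window of `timeslice` milliseconds, and the bucket key is the client IP and/or the named header's value. Those semantics, and the request sequence, are assumptions constructed for the example.

```python
"""Model of the Ratelimit config_spec above.

Added example, not the product's implementation. BURSTY is read as a
rolling-window counter per bucket; the bucket key is built from the client
IP (per_client_ip) and/or the header named by header_name. Both readings
are assumptions.
"""
from __future__ import annotations
from collections import defaultdict, deque

# config_spec fields from the page's Ratelimit example (selectors omitted).
RATELIMIT_SPEC = {
    "threshold": "10",          # note: strings in the page's example
    "timeslice": "20000",       # milliseconds
    "limittype": "BURSTY",
    "api-respondertype": "DROP",
    "header_name": "x-api-key",
    "per_client_ip": True,
}


def bucket_key(spec: dict, client_ip: str, headers: dict[str, str]) -> str:
    """Build the bucket identity. Assumption: per_client_ip adds the source
    address and header_name adds that header's value; both may combine."""
    parts = []
    if spec.get("per_client_ip"):
        parts.append(f"ip={client_ip}")
    header = spec.get("header_name")
    if header:
        # header names compare case-insensitively; a missing header shares one bucket
        value = next((v for k, v in headers.items() if k.lower() == header.lower()), "")
        parts.append(f"{header}={value}")
    return "|".join(parts) or "global"


class BurstyLimiter:
    """Rolling-window counter per bucket (the BURSTY reading)."""

    def __init__(self, spec: dict):
        if spec.get("limittype", "BURSTY") != "BURSTY":
            raise ValueError("this model only implements limittype BURSTY")
        self.spec = spec
        self.threshold = int(spec["threshold"])      # coerce the strings
        self.timeslice_ms = int(spec["timeslice"])
        self.action = spec.get("api-respondertype", "DROP")
        self.hits: dict[str, deque[int]] = defaultdict(deque)

    def check(self, now_ms: int, client_ip: str, headers: dict[str, str]) -> str:
        """Return "ALLOW", or the configured responder action when the bucket
        already holds `threshold` hits inside the last `timeslice` ms."""
        key = bucket_key(self.spec, client_ip, headers)
        window = self.hits[key]
        while window and now_ms - window[0] >= self.timeslice_ms:
            window.popleft()                          # expire old hits
        if len(window) >= self.threshold:
            return self.action                        # over the limit: not counted
        window.append(now_ms)
        return "ALLOW"


def simulate(spec: dict, events: list[tuple[int, str, dict[str, str]]]) -> list[str]:
    """Run a constructed sequence of (time_ms, client_ip, headers) through one limiter."""
    limiter = BurstyLimiter(spec)
    return [limiter.check(t, ip, hdrs) for t, ip, hdrs in events]


if __name__ == "__main__":
    # constructed burst: 12 requests in 12 ms from one client with one API key
    burst = [(t, "203.0.113.5", {"x-api-key": "k1"}) for t in range(12)]
    print(simulate(RATELIMIT_SPEC, burst))
```

Two details carry over to the real configuration: threshold and timeslice appear as strings in the page's example and must be read as integers, and with per_client_ip set to false every client presenting the same header value shares one bucket, so a leaked or shared API key exhausts the allowance for all of them.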

OAuth

The following is an example API configuration for the JWT Auth validation policy type. Specify the following configuration in the config_spec object:

{
    "policytype": "JWT Auth Validation",
    "config_spec": {
        "api-resource-paths": {
            "endpoints": ["/pet", "/pet/findByStatus", "/pet/findByTags"],
            "get": true,
            "post": true,
            "put": false,
            "delete": false
        },
        "custom-rules": {},
        "jwks-uri": "https://uri.petstore.com",
        "issuer": "https://issuer.petstore.com",
        "audience": "petstore",
        "introspect-uri": "https://introspect.uri.com",
        "clientid": "client",
        "clientsecret": "clientsecret",
        "claims-to-save": ["scope", "scope2"],
        "allowed-algorithms": {
            "hs256": true,
            "rs256": true,
            "rs512": true
        }
    },
    "order_index": 2,
    "policy_name": "Jwt_auth_policy"
}

For more information on each attribute, see OAuth policy.

Basic authentication

The following is an example API configuration for the BasicAuth policy type:

{
    "config_spec": {
        "api-resource-paths": {
            "delete": false,
            "endpoints": ["/pet", "/pet/findByStatus", "/pet/findByTags"],
            "get": true,
            "post": true,
            "put": false
        },
        "custom-rules": {}
    },
    "order_index": 3,
    "policy_name": "Auth_BaSIC",
    "policytype": "BasicAuth"
}

For more information on each attribute, see Basic authentication policy.

No authentication

The following is an example API configuration for the NoAuth policy type:

{
    "config_spec": {
        "api-resource-paths": {
            "delete": false,
            "endpoints": ["/pet", "/pet/findByStatus", "/pet/findByTags"],
            "get": true,
            "post": false,
            "put": false
        },
        "custom-rules": {}
    },
    "order_index": 4,
    "policy_name": "no_auth_policy",
    "policytype": "NoAuth"
}

Bot

The following is an example API configuration for the Bot policy type:

{
    "config_spec": {
        "api-resource-paths": {
            "delete": false,
            "endpoints": ["/pet", "/pet/findByStatus", "/pet/findByTags"],
            "get": false,
            "post": false,
            "put": false
        },
        "bot-prof-name": "apisec_test_profile",
        "custom-rules": {}
    },
    "order_index": 5,
    "policy_name": "bot_policy",
    "policytype": "Bot"
}

For more information on each attribute, see Bot policy.

WAF

The following is an example API configuration for the WAF policy type:

{
    "config_spec": {
        "api-resource-paths": {
            "delete": false,
            "endpoints": ["/pet", "/pet/findByStatus", "/pet/findByTags"],
            "get": false,
            "post": false,
            "put": false
        },
        "waf-prof-name": "apisec_waf_profile",
        "custom-rules": {}
    },
    "order_index": 6,
    "policy_name": "waf_policy",
    "policytype": "WAF"
}

For more information on each attribute, see WAF policy.

Header Rewrite

The following is an example API configuration for the Header Rewrite policy type. Specify the following configuration in the config_spec object:

{
    "policytype": "Header Rewrite",
    "config_spec": {
        "api-resource-paths": {
            "endpoints": ["/pet", "/pet/findByStatus", "/pet/findByTags"],
            "get": true,
            "post": true,
            "put": false,
            "delete": false
        },
        "custom-rules": {},
        "rewrite-policy-header-field-name": "org",
        "rewrite-policy-header-field-val": "Citrix",
        "rewrite-policy-header-field-new-val": "Citrite"
    },
    "order_index": 7,
    "policy_name": "header_rewrite_pol"
}

For more information about each attribute, see Header Rewrite policy.

URI Path Rewrite

The following is an example API configuration for the URI Path Rewrite policy type:

{
    "config_spec": {
        "api-resource-paths": {
            "endpoints": ["/store/order", "/store/inventory"],
            "delete": false,
            "get": true,
            "post": true,
            "patch": false,
            "put": false
        },
        "custom-rules": {
            "delete": false,
            "endpoints": [],
            "get": false,
            "post": false,
            "patch": false,
            "put": true
        },
        "path-rewrite-params": [
            {
                "insert-segment-position": "beginning",
                "new-path-value": "v3",
                "old-path-value": "v2",
                "action-type": "replace path segment"
            },
            {
                "insert-segment-position": "beginning",
                "new-path-value": "begin",
                "action-type": "insert path segment"
            },
            {
                "insert-segment-position": "end",
                "new-path-value": "end",
                "action-type": "insert path segment"
            },
            {
                "insert-segment-position": "before",
                "new-path-value": "before",
                "old-path-value": "store",
                "action-type": "insert path segment"
            },
            {
                "insert-segment-position": "after",
                "new-path-value": "after",
                "old-path-value": "store",
                "action-type": "insert path segment"
            }
        ]
    },
    "order_index": 24,
    "policy_name": "eats_uripathrewrite",
    "policytype": "URI Path Rewrite"
}

For more information about each attribute, see URI Path Rewrite policy.
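The path-rewrite-params list is easier to reason about when you can see what it does to a concrete path. The following is an added example, not the product's implementation: it uses the field names from the page (action-type, insert-segment-position, old-path-value, new-path-value) with an assumed reading of them, namely that the rules run in list order over the path split into segments, that "replace path segment" swaps every segment equal to old-path-value for new-path-value, and that "insert path segment" adds new-path-value at the beginning or end, or before/after every segment equal to old-path-value. The input paths are constructed.

```python
"""Apply the page's path-rewrite-params to a request path.

Added example, not the product's implementation. Rule semantics are an
assumed reading of the field names: rules run in list order on the path
split into segments; "replace path segment" swaps segments equal to
old-path-value for new-path-value; "insert path segment" adds
new-path-value at the beginning/end or before/after segments equal to
old-path-value.
"""
from __future__ import annotations

# The five rules from the page's URI Path Rewrite example.
PATH_REWRITE_PARAMS = [
    {"insert-segment-position": "beginning", "new-path-value": "v3",
     "old-path-value": "v2", "action-type": "replace path segment"},
    {"insert-segment-position": "beginning", "new-path-value": "begin",
     "action-type": "insert path segment"},
    {"insert-segment-position": "end", "new-path-value": "end",
     "action-type": "insert path segment"},
    {"insert-segment-position": "before", "new-path-value": "before",
     "old-path-value": "store", "action-type": "insert path segment"},
    {"insert-segment-position": "after", "new-path-value": "after",
     "old-path-value": "store", "action-type": "insert path segment"},
]


def apply_rule(segments: list[str], rule: dict) -> list[str]:
    """Apply one rule to a list of path segments and return the new list."""
    action = rule["action-type"]
    new = rule["new-path-value"]
    old = rule.get("old-path-value")
    position = rule.get("insert-segment-position")

    if action == "replace path segment":
        if old is None:
            raise ValueError("replace path segment needs old-path-value")
        return [new if seg == old else seg for seg in segments]

    if action == "insert path segment":
        if position == "beginning":
            return [new] + segments
        if position == "end":
            return segments + [new]
        if position in ("before", "after"):
            if old is None:
                raise ValueError(f"insert {position} needs old-path-value")
            out: list[str] = []
            for seg in segments:
                if position == "before" and seg == old:
                    out.append(new)
                out.append(seg)
                if position == "after" and seg == old:
                    out.append(new)
            return out
        raise ValueError(f"unknown insert-segment-position: {position!r}")

    raise ValueError(f"unknown action-type: {action!r}")


def rewrite_path(path: str, rules: list[dict]) -> str:
    """Split on '/', apply the rules in order, and rejoin. A query string,
    if present, is passed through untouched."""
    path_only, sep, query = path.partition("?")
    segments = [s for s in path_only.split("/") if s]
    for rule in rules:
        segments = apply_rule(segments, rule)
    return "/" + "/".join(segments) + sep + query


if __name__ == "__main__":
    # constructed request path matching the "/store/order" endpoint under an older version prefix
    print(rewrite_path("/v2/store/order", PATH_REWRITE_PARAMS))
```

Rules that reference an old-path-value which the path does not contain leave it unchanged, so a rewrite list written for one set of endpoints can silently do nothing on another; running constructed paths through it first shows what the backend will actually receive.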

Authorization

The following is an example API configuration for the Authorization policy type. Specify the following configuration in the config_spec object:

{
    "policytype": "Authorization",
    "config_spec": {
        "api-resource-paths": {
            "endpoints": ["/pet", "/pet/findByStatus", "/pet/findByTags"],
            "get": true,
            "post": true,
            "put": false,
            "delete": false
        },
        "custom-rules": {},
        "claims": [{
            "name": "scope",
            "values": ["value1", "value2"]
        }]
    },
    "order_index": 8,
    "policy_name": "authorization"
}

For more information about each attribute, see Authorization policy.

Deny

The following is an example API configuration for the Deny policy type. Specify the following configuration in the config_spec object:

{
    "policytype": "Deny",
    "config_spec": {
        "api-resource-paths": {
            "endpoints": ["/pet", "/pet/findByStatus", "/pet/findByTags"],
            "get": true,
            "post": true,
            "put": false,
            "delete": false
        },
        "custom-rules": {},
        "api-denytype": "RESPONDWITH"
    },
    "order_index": 9,
    "policy_name": "deny_policy"
}

In api-denytype, you can specify one of the following values:

  • RESPONDWITH
  • RESET

For more information about each attribute, see Deny rule.
