How to implement API protection?
To set up API protection, click the ‘CDN’ tab on the navigation bar, and navigate to 'Enhanced security', then go to 'Firewall rules', click the ‘Add rule’ button, and choose ‘API protection’.
Here are the 3 simple steps to implement API protection.
Step 1: Setup API protection rule
First, enter a rule name. Then you can specify the type of operator in the ‘URI in request w/o query string’ and the corresponding value that you want to apply the API protection.
The value is the resource or path that you wish to authenticate. The operator defines the rule on how the specified value and the ‘URI in request w/o query string’ will relate to each other in order to produce a valid response.
You can choose the type of operators that you would like to use: regex, streq, contains, within, prefix, suffix, and include.
If the user request matches the rules you defined, THEN the API protection is initiated. To learn more about the definition of each operator, see this article.
Step 2: Define time-limited API authentication token
To define a time-limited token for API authentication, you need to enter a key, set the token lifespan, and a custom parameter.
- Key: the secret code that will be given to the end-user in order to access the API service. It can be any letters, numbers, or special characters.
- Token lifespan: the length of time the end-user can access the API service using the key.
- Custom parameter: the name assigned to represent the key.
You also have the option to activate the ‘rate limiting’ feature by switching on the toggle. By activating rate limit, you can set the maximum number of queries allowed per minute, and the block time.
The block time is the amount of time that queries will have to be blocked, if the queries exceed the maximum number of queries per minute.
The key and token settings defined in this step will be used by the authentication server to create the API token.
Step 3: Generate backend scripts for API protection
The final step is to generate a backend script for API protection. In this step, you can review all the rule details you had set, and then copy the generated script to your authentication server.
Mlytics offers 4 types of program languages that you can choose when implementing this. You can choose between Python, PHP, Go, and node.js.
The script will be used by the authentication server to generate API tokens to be given to verified users, in the form of custom parameter.
The custom parameter needs to be the last parameter in the query string. You can test whether the URLs are being generated correctly on the server by enabling the firewall rules and then by monitoring the WAF analytics at ‘Enhanced security’ analytics dashboard.
To understand how Mlytics API protection works, follow this link.