Forum Discussion

Cypher's avatar
Cypher
Icon for Cirrus rankCirrus
Apr 05, 2023

How to do API Protection with 3scale API Manager?

Hi everyone, I want to protect API calls via the API protection with F5. It uses a swagger OpenAPI Spec file 2.0 or 3.0 to control all the methods - urls and more. The API calls are managed by the ...
  • shsingh's avatar
    shsingh
    Apr 14, 2023

    Hi Cypher ,

    The approach I would take to a scenario like this is to include responses in your Policy Builder (if you have that set for the policy).

    This will mean that you have a way of 'tracking' the URIs that are sent in the responses.

    At a very basic level, API discovery technologies will have a API schema (which in your case you don't), and then monitor the responses sent back from the origin servers. The drift between these is the 'shadow APIs'. This is not all of the mechanisms in API discovery, but just giving you some ideas on how you can implement a similar type of control with AWAF.

    By the way your comment about APIs being onboarded and offboarded is a concern, this is the very thing that needs to have a level of control - at least to a transparent/logging level. In most not all scenarios, you should not be creating too many Hostname or differfent URI endpoints in production regularly, as it may be the services that host those URIs that can change daily, etc. But if you are in a situation where the URI endpoints and Hostnames terminating on the API gateway change quite frequently, then definitely having a policy that tracks responses is a good measure as a start.

     

    Also, to point out, that the gateway vendor should not matter in this scenario as at a foundational level you are in front of something that speaks HTTP, URIs, JSON, etc.