Skip to main content

Advanced API protection

Our WAAP includes a pre-defined Advanced API protection policy group with multiple policies, allowing you to securely manage your API traffic and protect against unwanted or abusive usage of APIs.

Info

This policy group is available in the Enterprise plan. To enable it for your domain, contact our sales team.

Configure API Protection rules

Before you enable the API Protection rules, you need to configure access to APIs by using reserved tags. Without this configuration, the rules will not affect your API traffic.

You can review and configure API Protection rules in the CDB Technical Web Portal:

1. Navigate to WAAP > API Protection.

2. In the domain dropdown at the top of the page, select the needed domain.

3. View and adjust the API protection rules as needed.

Info

All advanced API protection policies are disabled by default. To enable a policy, turn on the toggle near that policy.

Auth token protection

Prevent multiple authentication attempts and block access for users who repeatedly try to use invalid tokens to access the API.

Before enabling this policy, you need to define your 0Auth token endpoints to ensure they are correctly tagged. Learn instructions on how to do this, check out the Tag generating rules guide.

Sensitive data exposure

Block API responses that contain personally identifiable information (PII) such as phone numbers, SSNs, email addresses, or credit card numbers.

You can turn off this policy for specific API endpoints by tagging them as needed. In this case, you'll remain protected against unknown sensitive data leakage, while allowing legitimate known resources to create a response without being interrupted by the WAAP.

Invalid API traffic

Block API requests that don't conform to a JSON structure. This policy protects your APIs by inspecting the keys and values within the JSON. If they are not properly structured, the request will be blocked.

API-level authorization

There are three levels of API endpoint authorization:

  • Admin : Users who can access any endpoint.

  • Privileged : Users who can access privileged access endpoints.

  • Non-privileged : Users who will be blocked from all access endpoints that are privileged or admin.

To ensure only admins and privileged users can access sensitive endpoints, you can create tags that will be applied when the defined header, token, or other identifier is present. You can then use the API Discovery feature and create WAAP rules to control API access based on these tags.

Non-baselined API requests

Enable a positive security policy that blocks requests to endpoints that aren't part of the API baseline—a defined version of your API where all protected endpoints are listed.

You can also add endpoints to the API baseline if you don't want to perform a network or API specification file scan.

Advanced API Protection policies protect APIs against authentication abuse, malformed requests, unauthorized access, sensitive data exposure, and other API-specific threats. Before enabling these policies, configure API access with reserved tags — without that configuration the policies have no effect. All policies are disabled by default.

An API token is required, along with the ID of a WAAP-protected domain and the Python or Go SDK installed for SDK examples. This policy group is available on the Enterprise WAAP plan only.

export GCORE_API_KEY="{YOUR_API_KEY}"
export WAAP_DOMAIN_ID="{YOUR_DOMAIN_ID}"

View policy states

Retrieve the current mode of all Advanced API Protection policies for a domain.

import gcore
import os

client = gcore.CDB(api_key=os.environ["GCORE_API_KEY"])
domain_id = int(os.environ["WAAP_DOMAIN_ID"])

rule_sets = client.waap.domains.list_rule_sets(domain_id)
adv_set = next(
    rs for rs in rule_sets if rs.resource_slug == "advanced-api-protection"
)

for policy in adv_set.rules:
    status = "enabled" if policy.mode else "disabled"
    print(f"{policy.name}: {status} ({policy.id})")
package main

import (
    "context"
    "fmt"
    "os"
    "strconv"

    gcore "github.com/G-Core/gcore-go"
    "github.com/G-Core/gcore-go/option"
)

func main() {
    client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
    domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)

    ruleSets, _ := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
    for _, rs := range *ruleSets {
        if rs.ResourceSlug == "advanced-api-protection" {
            for _, policy := range rs.Rules {
                status := "disabled"
                if policy.Mode {
                    status = "enabled"
                }
                fmt.Printf("%s: %s (%s)\n", policy.Name, status, policy.ID)
            }
        }
    }
}
curl -X GET "https://api.cdb-staging.cdn.orange.com/waap/v1/domains/${WAAP_DOMAIN_ID}/rule-sets" \
  -H "Authorization: APIKey ${GCORE_API_KEY}" \
  | jq '.[] | select(.resource_slug == "advanced-api-protection") | .rules[] | {name, id, mode}'

The response includes each policy in the group with its ID and current state. mode: true means enabled; mode: false means disabled.

The API may also return policies that belong to the Protocol validation policy group. Those policies are part of the same API resource group but are configured separately in the Customer Portal under WAAP > Bot Management.

Toggle a policy

Switch a policy between enabled and disabled. Each call flips the current mode. Use the policy ID returned by the View policy states request.

This endpoint toggles the current state rather than setting a specific value. If the target state is unknown, check the current policy state first using the View policy states request.

import gcore
import os

client = gcore.CDB(api_key=os.environ["GCORE_API_KEY"])
domain_id = int(os.environ["WAAP_DOMAIN_ID"])

# Find the policy ID by name
rule_sets = client.waap.domains.list_rule_sets(domain_id)
adv_set = next(
    rs for rs in rule_sets if rs.resource_slug == "advanced-api-protection"
)
policy = next(r for r in adv_set.rules if r.name == "Auth token protection")

result = client.waap.domains.policies.toggle(policy.id, domain_id=domain_id)
status = "enabled" if result.mode else "disabled"
print(f"Auth token protection is now {status}")
package main

import (
    "context"
    "fmt"
    "os"
    "strconv"

    gcore "github.com/G-Core/gcore-go"
    "github.com/G-Core/gcore-go/option"
    "github.com/G-Core/gcore-go/waap"
)

func main() {
    client := gcore.NewClient(option.WithAPIKey(os.Getenv("GCORE_API_KEY")))
    domainID, _ := strconv.ParseInt(os.Getenv("WAAP_DOMAIN_ID"), 10, 64)

    // Find the policy ID by name
    ruleSets, _ := client.Waap.Domains.ListRuleSets(context.Background(), domainID)
    var policyID string
    for _, rs := range *ruleSets {
        if rs.ResourceSlug == "advanced-api-protection" {
            for _, p := range rs.Rules {
                if p.Name == "Auth token protection" {
                    policyID = p.ID
                }
            }
        }
    }

    result, _ := client.Waap.Domains.Policies.Toggle(context.Background(), policyID, waap.DomainPolicyToggleParams{DomainID: domainID})
    status := "disabled"
    if result.Mode {
        status = "enabled"
    }
    fmt.Printf("Auth token protection is now %s\n", status)
}
# Set POLICY_ID to the policy ID from the Policy reference or View policy states response
export POLICY_ID="{POLICY_ID}"

curl -X PATCH "https://api.cdb-staging.cdn.orange.com/waap/v1/domains/${WAAP_DOMAIN_ID}/policies/${POLICY_ID}/toggle" \
  -H "Authorization: APIKey ${GCORE_API_KEY}"

Response:

{"mode": true}

The API returns the updated policy object. mode: true confirms the policy is now enabled; mode: false confirms disabled.

Policy reference