Q&A: What are best practices for configuring a WAF policy for an API (REST) endpoint?

Question

  • What are best practices for configuring a WAF policy for an API (REST) endpoint?
  • This matters because API traffic differs from regular web (WWW) traffic in several ways.

 

Environment

  • WAF proxy
  • L7DoS

 

Answer

Endpoints

Consider creating separate WAF policies and L7DoS profiles for API endpoints rather than reusing the ones applied to web (WWW) traffic.

Commonly used HTTP methods

  • HTTP GET
  • HTTP POST
  • HTTP PUT
  • HTTP DELETE
  • HTTP PATCH
  • HTTP OPTIONS - sent by browsers as CORS preflight requests.

Response Codes

  • 400 Bad Request - Allowed by default in baseline
  • 401 Unauthorized - Allowed by default in baseline
  • 403 Forbidden
  • 404 Not Found - Allowed by default in baseline
  • 405 Method Not Allowed
  • 410 Gone
  • 415 Unsupported Media Type
  • 422 Unprocessable Entity
  • 429 Too Many Requests

Related: Q&A: Default HTTP Response Codes Allowed

 

User-Agent header

  • Should not always be treated as mandatory for API traffic.
  • Customers may send custom User-Agent (UA) headers from their API clients, which should be taken into account when building the policy.

 

L7DDoS Profiles

  • A separate profile may be useful, since transactions-per-second (TPS) rates can be higher for APIs, so thresholds should be adjusted accordingly.
  • Can also be used to limit overuse of the API.
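As an added example (not the WAF product's own configuration format, which the article does not show), the following Python model illustrates the separation recommended above: one policy object per endpoint group, each with its own allowed HTTP methods, allowed error response codes, User-Agent requirement and TPS threshold, run over a constructed log of browser and API traffic. The `EndpointPolicy` class, the threshold values and the traffic records are assumptions made for illustration.

```python
from collections import Counter, deque
from dataclasses import dataclass, field


@dataclass
class EndpointPolicy:
    """Constructed policy model (assumption, not a vendor format)."""
    name: str
    allowed_methods: frozenset          # HTTP methods the endpoint group accepts
    allowed_error_codes: frozenset      # 4xx codes not flagged as anomalies ("baseline")
    require_user_agent: bool            # WWW: browsers always send one; API clients may not
    tps_threshold: int                  # max requests per source in a 1-second window
    windows: dict = field(default_factory=dict)

    def check_request(self, rec):
        """Return the list of policy findings for one request/response record."""
        findings = []
        if rec["method"] not in self.allowed_methods:
            findings.append("method-not-allowed")
        if self.require_user_agent and not rec.get("user_agent"):
            findings.append("missing-user-agent")
        # L7DoS-style check: sliding one-second window per source address
        window = self.windows.setdefault(rec["src"], deque())
        while window and rec["ts"] - window[0] >= 1.0:
            window.popleft()
        window.append(rec["ts"])
        if len(window) > self.tps_threshold:
            findings.append("tps-threshold-exceeded")
        # Only error responses are compared against the allowed-code list
        if rec["status"] >= 400 and rec["status"] not in self.allowed_error_codes:
            findings.append("unexpected-status-%d" % rec["status"])
        return findings


BASELINE_CODES = frozenset({400, 401, 404})                     # allowed by default
API_CODES = BASELINE_CODES | {403, 405, 410, 415, 422, 429}      # extended for REST


def make_policies():
    """Fresh WWW and API policies (thresholds are illustrative assumptions)."""
    www = EndpointPolicy("www", frozenset({"GET", "POST"}), BASELINE_CODES, True, 20)
    api = EndpointPolicy("api", frozenset({"GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"}),
                         API_CODES, False, 200)
    return www, api


def sample_traffic():
    """Constructed records (ts, src, method, user_agent, status); not real logs."""
    recs = [
        {"ts": 0.00, "src": "198.51.100.10", "method": "GET",     "user_agent": "Mozilla/5.0", "status": 200},
        {"ts": 0.05, "src": "198.51.100.10", "method": "OPTIONS", "user_agent": "Mozilla/5.0", "status": 204},
        {"ts": 0.10, "src": "203.0.113.7",   "method": "PATCH",   "user_agent": "",            "status": 422},
        {"ts": 0.20, "src": "203.0.113.7",   "method": "DELETE",  "user_agent": "",            "status": 404},
    ]
    # A burst of 60 API calls from one client within a single second
    recs += [{"ts": 0.30 + i * 0.01, "src": "203.0.113.8", "method": "GET",
              "user_agent": "svc/1.0", "status": 200} for i in range(60)]
    return recs


def evaluate(policy, records):
    """Run every record through the policy and count findings by type."""
    counts = Counter()
    for rec in sorted(records, key=lambda r: r["ts"]):
        counts.update(policy.check_request(rec))
    return counts


if __name__ == "__main__":
    for policy in make_policies():
        print(policy.name, dict(evaluate(policy, sample_traffic())))
```

Running the same traffic through both policies shows why a shared policy is a poor fit: the WWW policy flags the PATCH and DELETE calls, the missing User-Agent, the 422 response and the 60-request burst, while the API policy, with its wider method list, extended code list and higher TPS threshold, reports nothing for this traffic.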

Related:

 
