- What are best practices for configuring WAF Policy for API (REST) endpoint?
- Useful because API traffic differs from WWW (browser) traffic in several ways: the methods used, the response codes that are legitimate, the request headers that can be expected, and the request rates.
- WAF proxy
Consider creating a separate WAF policy and separate L7 DoS profiles for the API endpoint rather than reusing the WWW ones.
Commonly used HTTP methods
- HTTP GET
- HTTP POST
- HTTP PUT
- HTTP DELETE
- HTTP PATCH
- HTTP OPTIONS - used by CORS preflight requests, which browsers send before certain cross-origin requests; blocking it breaks browser-based API clients.
Commonly used HTTP response codes
- 400 Bad Request - Allowed by default in baseline
- 401 Unauthorized - Allowed by default in baseline
- 403 Forbidden
- 404 Not Found - Allowed by default in baseline
- 405 Method Not Allowed
- 410 Gone
- 415 Unsupported Media Type
- 422 Unprocessable Entity
- 429 Too Many Requests
User-Agent header
- Should not always be considered mandatory, since many API clients are not browsers.
- Customers may use custom User-Agent values, which should be taken into account when building the policy.
L7 DoS profile
- A separate profile may be useful, as transactions per second (TPS) can be higher for API traffic than for WWW traffic, so thresholds should be adjusted accordingly.
- Can be used to limit overuse of the API.
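The points above (a method allowlist that includes OPTIONS for CORS preflight, an allowlist of non-success response codes, an optional User-Agent requirement, and a higher TPS threshold for the API profile) can be modelled as a small policy object. The following Python is an added example written for this page; it is not Silverline or F5 code, and the two profiles, their allowlists and the TPS values are constructed illustrations, not recommended production settings.

```python
"""Toy model of separate WWW and API WAF profiles: method allowlist,
response-code allowlist, optional User-Agent check and a per-client
TPS threshold (a minimal stand-in for an L7 DoS profile)."""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class WafProfile:
    name: str
    allowed_methods: frozenset           # HTTP methods the profile permits
    allowed_response_codes: frozenset    # non-2xx/3xx codes the backend may return
    require_user_agent: bool             # browsers always send one; API clients may not
    max_tps: int                         # per-client requests per second before blocking


# Hypothetical profiles (constructed for this example).
WWW_PROFILE = WafProfile(
    name="www",
    allowed_methods=frozenset({"GET", "POST"}),
    allowed_response_codes=frozenset({400, 401, 404}),
    require_user_agent=True,
    max_tps=20,
)
API_PROFILE = WafProfile(
    name="api",
    allowed_methods=frozenset({"GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS"}),
    allowed_response_codes=frozenset({400, 401, 403, 404, 405, 410, 415, 422, 429}),
    require_user_agent=False,
    max_tps=200,
)


def check_request(profile, method, headers):
    """Return (verdict, reason) for an inbound request under the given profile."""
    method = method.upper()
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method not in profile.allowed_methods:
        return "block", f"method {method} not in {profile.name} allowlist"
    if profile.require_user_agent and not hdrs.get("user-agent", "").strip():
        return "block", "missing User-Agent header"
    # A preflight is an OPTIONS request carrying Access-Control-Request-Method.
    if method == "OPTIONS" and "access-control-request-method" in hdrs:
        return "allow", "CORS preflight"
    return "allow", "ok"


def check_response(profile, status):
    """Return (verdict, reason) for a backend response status code."""
    if 200 <= status < 400:
        return "allow", "success or redirect"
    if status in profile.allowed_response_codes:
        return "allow", f"{status} allowed by {profile.name} profile"
    return "block", f"{status} not in {profile.name} allowed response codes"


class TpsLimiter:
    """Sliding one-second window per client; admits at most profile.max_tps requests."""

    def __init__(self, profile):
        self.profile = profile
        self.windows = defaultdict(deque)

    def admit(self, client, now):
        """now is a timestamp in seconds; passed in so the limiter is deterministic."""
        window = self.windows[client]
        while window and now - window[0] >= 1.0:
            window.popleft()
        if len(window) >= self.profile.max_tps:
            return False
        window.append(now)
        return True


if __name__ == "__main__":
    preflight = {"Origin": "https://app.example", "Access-Control-Request-Method": "PUT"}
    for profile in (WWW_PROFILE, API_PROFILE):
        print(profile.name, check_request(profile, "OPTIONS", preflight))
        print(profile.name, check_request(profile, "GET", {}))
        print(profile.name, check_response(profile, 422))
```

The same request (a preflight OPTIONS with no User-Agent) is blocked by the WWW profile and allowed by the API profile, which is the practical reason for keeping the two policies separate; the limiter takes the timestamp as a parameter so the threshold behaviour can be exercised without waiting on the wall clock.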
- Q&A: What is CORS? How can Silverline set up a CORS policy?
- K34769490: Blocking HTTP OPTIONS method in HTTP requests
- Download: WAF Technical Questionnaire to Create WAF Policy