Apigee has several features for enforcing API security policies:
Authentication - Apigee supports various authentication mechanisms like API keys, OAuth, and LDAP. It can authenticate API clients before granting access.
Authorization - Apigee allows specifying which API resources a client has access to based on their role, group membership, or other attributes. This enforces fine-grained authorization.
Rate limiting - Apigee can limit the number of API requests a client can make over a given time period. This prevents API abuse and denial of service attacks.
DDoS protection - Apigee can detect and block distributed denial of service attacks on your APIs. It uses techniques like request challenges and SYN cookies to mitigate DDoS traffic.
SSL/TLS termination - Apigee can terminate SSL/TLS connections at the edge, decrypting requests before routing them to backend services. This offloads SSL processing from origins.
CORS protection - Apigee enforces CORS (Cross-Origin Resource Sharing) policies to prevent unauthorized cross-site API calls from web browsers.
API signature validation - Apigee can validate the signatures of incoming API requests to confirm they have not been tampered with.
Data masking - Apigee allows masking or encrypting sensitive data fields in API responses for added security.
Policy routing - Apigee routes requests to different backends or applies different policies based on attributes like client ID, API key, URL parameters, or headers.
All of these security policies are defined and configured through Apigee's management UI and can be applied at the global, API, or resource level. Apigee then enforces the policies for all incoming API requests.
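To make the order in which such policies are applied concrete, here is a small added example (not Apigee's own code or configuration) of a gateway that checks an API key, enforces a per-client sliding-window quota, validates an HMAC-SHA256 request signature with a replay window, and masks sensitive fields in the backend response before returning it. The client registry, secret, header names (x-api-key, x-timestamp, x-signature), canonical signing string and the backend response are all constructed for the demo; a real deployment would take them from the gateway's configuration.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed client registry for the demo: API key -> client record.
# The key and secret are sample values, not real credentials.
CLIENTS = {
    "key-alpha-123": {"client_id": "alpha", "secret": b"alpha-shared-secret"},
}

QUOTA_LIMIT = 3            # requests a client may make ...
QUOTA_WINDOW_S = 60        # ... within a sliding window of this many seconds
MAX_CLOCK_SKEW_S = 300     # signed timestamps outside this window are rejected (replay limit)
MASKED_FIELDS = {"ssn", "card_number"}   # response fields to mask before returning to the client


def canonical_string(method, path, timestamp, body):
    """Deterministic byte string the client and gateway both sign (assumed scheme)."""
    body_hash = hashlib.sha256(body).hexdigest()
    return f"{method.upper()}\n{path}\n{timestamp}\n{body_hash}".encode()


def sign_request(secret, method, path, timestamp, body):
    """HMAC-SHA256 over the canonical string; the client sends this in X-Signature."""
    return hmac.new(secret, canonical_string(method, path, timestamp, body), hashlib.sha256).hexdigest()


def mask_value(value):
    """Keep the last four characters, hide the rest (e.g. '123-45-6789' -> '*******6789')."""
    s = str(value)
    return "*" * max(len(s) - 4, 0) + s[-4:]


def mask_response(payload):
    """Recursively mask sensitive fields in a JSON-like response structure."""
    if isinstance(payload, dict):
        return {k: mask_value(v) if k in MASKED_FIELDS else mask_response(v) for k, v in payload.items()}
    if isinstance(payload, list):
        return [mask_response(item) for item in payload]
    return payload


class Gateway:
    """Applies authentication, quota, signature validation and masking, in that order."""

    def __init__(self):
        self._recent = defaultdict(deque)   # client_id -> timestamps of recent counted requests

    def within_quota(self, client_id, now):
        window = self._recent[client_id]
        while window and window[0] <= now - QUOTA_WINDOW_S:
            window.popleft()                # drop timestamps that have left the window
        if len(window) >= QUOTA_LIMIT:
            return False
        window.append(now)
        return True

    def handle(self, request, backend, now=None):
        """Return (status, response dict). `backend` is a callable standing in for the origin service."""
        now = time.time() if now is None else now
        headers = request.get("headers", {})

        # 1. Authentication: the API key must map to a known client.
        client = CLIENTS.get(headers.get("x-api-key", ""))
        if client is None:
            return 401, {"error": "unknown API key"}

        # 2. Rate limiting: sliding window per client, counted before the costlier checks.
        if not self.within_quota(client["client_id"], now):
            return 429, {"error": "quota exceeded"}

        # 3. Signature validation: reject stale timestamps, then compare HMACs in constant time.
        try:
            ts = int(headers.get("x-timestamp", ""))
        except ValueError:
            return 403, {"error": "missing or malformed timestamp"}
        if abs(now - ts) > MAX_CLOCK_SKEW_S:
            return 403, {"error": "signature expired"}
        expected = sign_request(client["secret"], request["method"], request["path"], ts, request.get("body", b""))
        if not hmac.compare_digest(expected, headers.get("x-signature", "")):
            return 403, {"error": "bad signature"}

        # 4. Route to the backend and mask sensitive fields in its response.
        return 200, mask_response(backend(request))


def demo_backend(request):
    """Constructed origin response containing fields the gateway should mask."""
    return {"customer": {"name": "Ada", "ssn": "123-45-6789", "card_number": "4111111111111111"},
            "orders": [{"id": 7, "card_number": "5500000000000004"}]}


def build_request(api_key, secret, method, path, body, ts):
    """Helper that signs a request the way a well-behaved client would."""
    return {"method": method, "path": path, "body": body,
            "headers": {"x-api-key": api_key, "x-timestamp": str(ts),
                        "x-signature": sign_request(secret, method, path, ts, body)}}


if __name__ == "__main__":
    gw = Gateway()
    req = build_request("key-alpha-123", b"alpha-shared-secret", "GET", "/v1/customers/1", b"", 1_700_000_000)
    print(gw.handle(req, demo_backend, now=1_700_000_000))
```

The quota is charged before signature verification so that a client cannot burn CPU on HMAC checks without using up its allowance, and the timestamp bound keeps a captured signed request from being replayed indefinitely; both are the kind of decision a gateway makes for you once the corresponding policy is attached at the API or resource level.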
Hope this helps give you an idea of the types of API security policies Apigee supports! Let me know if you have any other questions.