Our WAAP includes a pre-defined Advanced API protection policy group with multiple policies, allowing you to securely manage your API traffic and protect against unwanted or abusive usage of APIs.
InfoThis policy group is available in the Enterprise plan.

Configure policy group

Before you enable the Advanced API protection policies, you need to configure access to APIs by using reserved tags. Without this configuration, the policies will not affect your API traffic. You can review the Advanced API protection policy group and enable or disable its policies in the Gcore Customer Portal: 1. Navigate to WAAP > Domains.
Domains page in the Customer Portal
2. Find the domain where you want to configure the policy and click the domain name to open it. 3. On the Policies page that opens, click Advanced API protection to expand the section and adjust the policies.
WAAP policies page with the highlighted advanced AIP protection policy
InfoAll advanced API protection policies are disabled by default. To enable a policy, turn on the toggle near that policy.

Auth token protection

Prevent multiple authentication attempts and block access for users who repeatedly try to use invalid tokens to access the API. Before enabling this policy, you need to define your 0Auth token endpoints to ensure they are correctly tagged. Learn instructions on how to do this, check out the Tag generating rules guide.

Sensitive data exposure

Block API responses that contain personally identifiable information (PII) such as phone numbers, SSNs, email addresses, or credit card numbers. You can turn off this policy for specific API endpoints by tagging them as needed. In this case, you’ll remain protected against unknown sensitive data leakage, while allowing legitimate known resources to create a response without being interrupted by the WAAP.

Invalid API traffic

Block API requests that don’t conform to a JSON structure. This policy protects your APIs by inspecting the keys and values within the JSON. If they are not properly structured, the request will be blocked.

API-level authorization

There are three levels of API endpoint authorization:
  • Admin : Users who can access any endpoint.
  • Privileged : Users who can access privileged access endpoints.
  • Non-privileged : Users who will be blocked from all access endpoints that are privileged or admin.
To ensure only admins and privileged users can access sensitive endpoints, you can create tags that will be applied when the defined header, token, or other identifier is present. You can then use the API Discovery feature and create WAAP rules to control API access based on these tags.

Non-baselined API requests

Enable a positive security policy that blocks requests to endpoints that aren’t part of the API baseline—a defined version of your API where all protected endpoints are listed. You can also add endpoints to the API baseline if you don’t want to perform a network or API specification file scan.