What API policies should be applied at the different API levels (Experience, Process and System)?
Experience
- XML or JSON threat protection – protects the API against malicious or oversized XML/JSON payloads (very large documents, deep nesting, huge arrays or strings) that are built to exhaust parser memory or CPU; the limits are enforced on the raw payload before it is parsed
- Client ID enforcement – requires every call to carry a valid client ID and secret, so only consumers registered for the API can use it and no one else
- SLA-based Rate Limiting – mainly needed when we want to monetize an API, so that each consumer tier gets the quota it pays for; otherwise it can be skipped, e.g.
- Free – 20 requests per minute
- Unlimited – 100K requests per minute
- IP blacklisting – blocks requests from specific IPs or ranges, e.g. addresses known for abuse; it is a coarse control, since attackers change addresses easily, and is no substitute for authentication
- Tokenization – replaces sensitive elements such as credit card numbers with non-sensitive tokens, so the real value does not travel through downstream systems or logs
- HTTP Caching – when the response rarely changes and it is acceptable to return the same response for an identical request; the cache key must include everything the response depends on (e.g. the caller's identity for per-user data), otherwise one consumer can be served another consumer's data
- Cross-Origin Resource Sharing (CORS) – a standard mechanism that lets JavaScript XMLHttpRequest (XHR) calls running in a web page interact with resources on a different origin. CORS is the browser-enforced relaxation of the "same-origin policy"; allow only the origins that actually need access rather than a wildcard
- JWT Validation – JSON Web Token validation: checks the token's signature against the expected key and algorithm and validates claims such as expiry, issuer and audience before the request is let through
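The JSON threat protection item above says the limits are applied before parsing. The added example below (not Mule's policy implementation, and not code from the original post) shows what such a pre-parse scan looks like: it walks the raw bytes once, tracking nesting depth, per-container entry counts and string lengths, and rejects the payload before `json.loads` ever sees it. The limit values, the `PayloadRejected` exception and the `rejection_reason` helper are assumptions chosen for the example.

```python
import json
from typing import Optional


class PayloadRejected(ValueError):
    """Raised when a payload breaks a structural limit (hypothetical exception type)."""


def check_json_threats(raw: bytes, *, max_bytes: int = 64 * 1024, max_depth: int = 10,
                       max_string_length: int = 1024, max_container_entries: int = 100) -> None:
    """Enforce size and structure limits on the raw bytes BEFORE the JSON parser runs.

    Limit values are illustrative defaults, not a recommendation for any product.
    """
    if len(raw) > max_bytes:
        raise PayloadRejected(f"payload of {len(raw)} bytes exceeds {max_bytes}")
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise PayloadRejected("payload is not valid UTF-8") from exc

    depth = 0
    entries = []          # comma count of each open container, innermost last
    in_string = False
    escaped = False
    string_length = 0
    for ch in text:
        if in_string:
            # Inside a string literal: only track its length and the closing quote.
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
                continue
            string_length += 1
            if string_length > max_string_length:
                raise PayloadRejected(f"string longer than {max_string_length} characters")
            continue
        if ch == '"':
            in_string, string_length = True, 0
        elif ch in "{[":
            depth += 1
            if depth > max_depth:
                raise PayloadRejected(f"nesting depth exceeds {max_depth}")
            entries.append(0)
        elif ch in "}]":
            if not entries:
                raise PayloadRejected("unbalanced closing bracket")
            depth -= 1
            entries.pop()
        elif ch == "," and entries:
            # A container with N entries contains N-1 commas.
            entries[-1] += 1
            if entries[-1] + 1 > max_container_entries:
                raise PayloadRejected(f"container has more than {max_container_entries} entries")
    if in_string or depth != 0:
        raise PayloadRejected("unterminated string or container")


def rejection_reason(raw: bytes, **limits) -> Optional[str]:
    """Return the rejection message for a payload, or None if it passes the scan."""
    try:
        check_json_threats(raw, **limits)
    except PayloadRejected as exc:
        return str(exc)
    return None


def parse_guarded(raw: bytes, **limits):
    """Apply the threat-protection limits, then hand the payload to the real parser."""
    check_json_threats(raw, **limits)
    return json.loads(raw)


if __name__ == "__main__":
    # Constructed sample payloads: one benign, one nested 11 levels deep.
    print(parse_guarded(b'{"card": "4111", "items": [1, 2, 3]}'))
    print(rejection_reason(b"[" * 11 + b"]" * 11))
```

The scan is linear in the payload size and keeps only a small stack of counters, so it cannot itself be driven into the memory or recursion blow-up it is guarding against. Note that it accepts anything the JSON grammar would reject, such as stray characters outside strings; that is intentional, since its job is to bound resource use and the parser still does the real validation afterwards.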
Process
- IP whitelisting – ensures requests come only from allowed addresses, e.g. the VPC or the organization's own network
- SLA-based Rate Limiting – caps each consumer's requests per time window so the target system is not brought down by a flood of requests
- Client ID enforcement – requires every call to carry a valid client ID and secret, so only consumers registered for the API can use it and no one else
- Spike Control – smooths sudden bursts by limiting how many requests are processed in a short interval, queuing or rejecting the excess
- Tokenization – replaces sensitive elements such as credit card numbers with non-sensitive tokens, so the real value does not travel through downstream systems or logs
System
- IP whitelisting – ensures requests come only from allowed addresses, e.g. the VPC or the organization's own network
- SLA-based Rate Limiting – caps each consumer's requests per time window so the target system is not brought down by a flood of requests
- Client ID enforcement – requires every call to carry a valid client ID and secret, so only consumers registered for the API can use it and no one else
- Spike Control – smooths sudden bursts by limiting how many requests are processed in a short interval, queuing or rejecting the excess
- Tokenization – replaces sensitive elements such as credit card numbers with non-sensitive tokens, so the real value does not travel through downstream systems or logs
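The Process and System lists above (and the SLA tiers given under Experience) describe four policies that are usually chained in front of an internal API: IP whitelisting, client ID enforcement, spike control and SLA-based rate limiting. The added example below is my own illustration of that chain and is not Mule's policy code or anything from the original post. It uses the post's Free (20/min) and Unlimited (100K/min) tiers, a fixed window for the SLA quota and a token bucket for spike control, and checks spike control first so that a rejected burst does not burn the consumer's quota. The client registry, the network list, the burst size of 5 and the `now` parameter (passed in explicitly so the behaviour is deterministic) are all assumptions for the example.

```python
import hmac
import ipaddress
from dataclasses import dataclass

# SLA tiers from the post: (requests per window, window in seconds).
TIERS = {"free": (20, 60.0), "unlimited": (100_000, 60.0)}


@dataclass
class TokenBucket:
    """Spike control: `capacity` is the largest burst, `refill_per_second` the sustained rate."""
    capacity: float
    refill_per_second: float
    tokens: float
    last: float

    def take(self, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_second)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


@dataclass
class FixedWindow:
    """SLA quota: at most `limit` requests in each `window`-second window."""
    limit: int
    window: float
    start: float = 0.0
    count: int = 0

    def take(self, now: float) -> bool:
        if now - self.start >= self.window:
            self.start, self.count = now, 0
        if self.count >= self.limit:
            return False
        self.count += 1
        return True


class PolicyChain:
    """Hypothetical in-memory policy chain; a clustered gateway needs shared state instead."""

    def __init__(self, clients: dict, allowed_networks: list, burst: int):
        self.clients = clients  # client_id -> (client_secret, tier name); constructed registry
        self.networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self.burst = float(burst)
        self.sla = {}
        self.spike = {}

    def admit(self, source_ip: str, client_id: str, client_secret: str, now: float):
        """Return (status, reason) the way a gateway would answer the caller."""
        # 1. IP whitelisting: only the VPC / corporate ranges may reach this layer.
        addr = ipaddress.ip_address(source_ip)
        if not any(addr in net for net in self.networks):
            return 403, "source address not whitelisted"
        # 2. Client ID enforcement, with a constant-time secret comparison.
        rec = self.clients.get(client_id)
        if rec is None or not hmac.compare_digest(rec[0].encode(), client_secret.encode()):
            return 401, "invalid client credentials"
        limit, window = TIERS[rec[1]]
        spike = self.spike.setdefault(client_id, TokenBucket(self.burst, self.burst, self.burst, now))
        sla = self.sla.setdefault(client_id, FixedWindow(limit, window, now))
        # 3. Spike control first: a rejected burst must not consume SLA quota.
        if not spike.take(now):
            return 429, "spike control: burst limit exceeded"
        # 4. SLA-based rate limiting for the consumer's tier.
        if not sla.take(now):
            return 429, f"SLA quota exceeded ({limit} per {int(window)}s)"
        return 200, "ok"

    def quota_used(self, client_id: str) -> int:
        win = self.sla.get(client_id)
        return win.count if win else 0


if __name__ == "__main__":
    chain = PolicyChain({"free-app": ("s3cret", "free")}, ["10.0.0.0/8"], burst=5)
    for i in range(22):
        print(i, chain.admit("10.1.2.3", "free-app", "s3cret", i * 0.5))
```

Two behaviours are worth seeing in the test: the Free client can spread 20 requests over ten seconds and pass, then gets a 429 from the SLA policy until the window rolls over, while the Unlimited client, with quota to spare, is still cut off by spike control on its sixth request in the same instant.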
Other – based on requirement, can be applied at any level
- Header removal or injection – adds or removes HTTP headers, e.g. stripping internal headers before a response leaves the gateway
- Message logging – logs custom messages between policies and flows. If the payload is a non-repeatable stream, logging it consumes the stream, so the payload is no longer available to later policies or to the flow itself
Thank you for taking the time to read this post. I hope you found it useful. If you have any questions, feel free to comment below. Also, if you are keen to know about a specific topic, I am happy to explore your recommendations as well.
For the latest updates and posts on our website, you can follow us on LinkedIn. I look forward to connecting with you there.