Advanced API protection

Our WAAP includes a pre-defined Advanced API protection policy group with multiple policies, allowing you to securely manage your API traffic and protect against unwanted or abusive usage of APIs.

This policy group is available in the Enterprise plan.

Configure policy group

Before you enable the Advanced API protection policies, you need to configure access to APIs by using reserved tags. Without this configuration, the policies will not affect your API traffic.

You can review the Advanced API protection policy group and enable or disable its policies in the Gcore Customer Portal:

1. Navigate to WAAP > Domains.

Domains page in the Customer Portal

2. Find the domain where you want to configure the policy and click the domain name to open it.

3. On the Policies page that opens, click Advanced API protection to expand the section and adjust the policies.

WAAP policies page with the highlighted Advanced API protection policy

All advanced API protection policies are disabled by default. To enable a policy, turn on the toggle near that policy.

Auth token protection

Prevent multiple authentication attempts and block access for users who repeatedly try to use invalid tokens to access the API.

Before enabling this policy, you need to define your OAuth token endpoints so that they are correctly tagged. For instructions on how to do this, see the Tag generating rules guide.

Sensitive data exposure

Block API responses that contain personally identifiable information (PII) such as phone numbers, SSNs, email addresses, or credit card numbers.

You can turn off this policy for specific API endpoints by tagging them as needed. In this case, you’ll remain protected against unknown sensitive data leakage, while allowing legitimate known resources to create a response without being interrupted by the WAAP.
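As an added illustration (not Gcore's own implementation, whose detectors are not public), the following Python sketches how a response-scanning policy like Sensitive data exposure can work: regex detection for the PII classes listed above, a Luhn check to avoid flagging card-like digit runs that are not real card numbers, and an exemption set standing in for the endpoint tags described above. The patterns and the sample response are constructed for this example.

```python
import json
import re

# Constructed, illustrative PII patterns (not the WAAP's real detectors).
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"\b\+?\d{1,3}[ -]?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,19}\b"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates real card numbers from order ids and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pii(body: str) -> set[str]:
    """Return the kinds of PII found in a serialized API response body."""
    found = set()
    for kind, pattern in PATTERNS.items():
        for match in pattern.finditer(body):
            if kind == "card" and not luhn_ok(re.sub(r"\D", "", match.group())):
                continue        # card-shaped but fails Luhn: not a card number
            found.add(kind)
    return found


def decide(path: str, body: str, exempt_endpoints: set[str]) -> tuple[str, set[str]]:
    """Policy decision: endpoints tagged as exempt pass through, others are scanned."""
    if path in exempt_endpoints:
        return "allow", set()
    kinds = find_pii(body)
    return ("block" if kinds else "allow"), kinds


# Constructed sample response containing an e-mail address and a Luhn-valid test card number.
SAMPLE_RESPONSE = json.dumps({
    "user": {"name": "Test User", "email": "test.user@example.com"},
    "payment": {"card": "4111 1111 1111 1111", "order_id": "ORD-18231"},
})
```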

Invalid API traffic

Block API requests that don’t conform to a JSON structure. This policy protects your APIs by inspecting the keys and values within the JSON. If they are not properly structured, the request will be blocked.

API-level authorization

There are three levels of API endpoint authorization:

  • Admin: Users who can access any endpoint.

  • Privileged: Users who can access privileged access endpoints.

  • Non-privileged: Users who are blocked from all endpoints that are privileged or admin.

To ensure only admins and privileged users can access sensitive endpoints, you can create tags that will be applied when the defined header, token, or other identifier is present. You can then create WAAP rules to control API access based on these tags.

Non-baselined API requests

Enable a positive security policy that blocks requests to endpoints that aren’t part of the API baseline—a defined version of your API where all protected endpoints are listed.
