Protecting APIs with Peakhour Security¶
This guide shows you how to implement comprehensive API security using Peakhour's advanced features including WAF rules, rate limiting, schema validation, and endpoint discovery to protect your API infrastructure.
Before you begin: Understand WAF concepts and API security fundamentals.
API Security Overview¶
Modern API security requires multiple layers of protection. Peakhour provides comprehensive API security through:
- Endpoint Discovery: Automatic detection and cataloging of API endpoints
- Schema Validation: Ensure requests match expected API schemas
- Rate Limiting: Protect against abuse and DDoS attacks
- WAF Protection: Block injection attacks and malicious payloads
- Access Control: Authenticate and authorize API consumers
Enable API Discovery¶
Access API Discovery Settings¶
- Log into Peakhour Dashboard
- Select Your Domain from the domain list
- Navigate to Security → API Discovery
- Click Enable API Discovery for your domain
Configure Discovery Parameters¶
Basic Discovery Settings:
- Auto-Discovery: Enable automatic endpoint detection
- Learning Period: Set initial observation period (7-30 days recommended)
- Traffic Threshold: Minimum requests needed to catalog an endpoint
- Content-Type Detection: Automatically identify API vs web traffic
Advanced Options:
- Parameter Learning: Extract and catalog API parameters
- Schema Generation: Build OpenAPI specifications from traffic
- Version Detection: Identify different API versions
- Response Code Analysis: Track success/error patterns
Review Discovered Endpoints¶
After the learning period, review discovered API endpoints:
- Navigate to API Discovery → Endpoints
-
Review Endpoint List:
-
Examine Endpoint Details:
-
Request Parameters: Query, path, and body parameters
- Response Codes: HTTP status codes observed
- Traffic Volume: Request frequency and patterns
- Security Events: Any attacks or anomalies detected
Create API-Specific Security Rules¶
Protect API Authentication Endpoints¶
Scenario: Secure login and token endpoints from brute force attacks
- Navigate to Rules → Firewall
- Create New Rule:
Block SQL Injection in API Parameters¶
Scenario: Protect API endpoints from SQL injection attacks
Name: API SQL Injection Protection
Expression: starts_with(http.request.uri.path, "/api/") and
(any(http.request.uri.args.values[*] matches ".*(?i)(union|select|insert|drop|delete|exec|script).*") or
any(http.request.body.form.values[*] matches ".*(?i)(union|select|insert|drop|delete|exec|script).*"))
Action: deny
Description: Block SQL injection attempts in API requests
Implement API Rate Limiting¶
Create Tiered Rate Limits¶
Free Tier API Limiting:
Name: Free Tier API Limits
Expression: starts_with(http.request.uri.path, "/api/") and
not (http.request.headers["x-api-tier"] eq "premium")
Action: rate_limit
Rate: 100 requests per hour per IP
Burst: 10 requests
Premium Tier API Limiting:
Name: Premium Tier API Limits
Expression: starts_with(http.request.uri.path, "/api/") and
http.request.headers["x-api-tier"] eq "premium"
Action: rate_limit
Rate: 1000 requests per hour per API key
Burst: 50 requests
Endpoint-Specific Rate Limits¶
High-Cost Operations:
Name: Expensive API Operations
Expression: http.request.uri.path in {"/api/v1/reports/generate",
"/api/v1/export/data",
"/api/v1/ai/process"}
Action: rate_limit
Rate: 5 requests per minute per API key
Description: Limit resource-intensive operations
Search and Query Endpoints:
Name: API Search Rate Limiting
Expression: starts_with(http.request.uri.path, "/api/v1/search") or
contains(http.request.uri.path, "/query")
Action: rate_limit
Rate: 60 requests per minute per IP
Burst: 10 requests
API Authentication and Authorization¶
API Key Validation Rules¶
Require API Keys for Protected Endpoints:
Name: API Key Required
Expression: starts_with(http.request.uri.path, "/api/v1/") and
not starts_with(http.request.uri.path, "/api/v1/public/") and
len(http.request.headers["x-api-key"]) == 0
Action: deny
Response Code: 401
Custom Response: {"error": "API key required", "code": "MISSING_API_KEY"}
Bearer Token Protection¶
Advanced API Protection¶
GraphQL Query Complexity Protection¶
Block Introspection in Production:
Name: Block GraphQL Introspection
Expression: http.request.uri.path eq "/graphql" and
contains(lower(http.request.body.json.query), "__schema")
Action: deny
Description: Prevent GraphQL schema introspection
API Version and Deprecation Management¶
Redirect Deprecated API Versions:
Name: Deprecated API Version Redirect
Expression: starts_with(http.request.uri.path, "/api/v1/") and
http.request.uri.path in $deprecated_endpoints
Action: redirect
Status Code: 301
Location: Rewrite path to /api/v2/
API Monitoring and Analytics¶
Set Up API Performance Monitoring¶
- Navigate to Analytics → API Performance
-
Configure Monitoring:
-
Response Time Tracking: Monitor API latency
- Error Rate Monitoring: Track 4xx and 5xx responses
- Throughput Analysis: Requests per second by endpoint
- User Behavior: API usage patterns by consumer
Security Event Monitoring¶
Monitor for API Attacks:
- Injection Attempts: SQL, NoSQL, command injection
- Authentication Attacks: Brute force, credential stuffing
- Rate Limit Violations: Abuse detection
- Data Exfiltration: Unusual download patterns
Set Up Alerts:
Alert Conditions:
- Error rate > 5% for any endpoint
- Authentication failures > 50 per minute
- Rate limit violations > 100 per hour
- New endpoints discovered without approval
API Documentation and Schema Management¶
Generate OpenAPI Documentation¶
- Navigate to API Discovery → Schema Export
- Generate OpenAPI Spec:
- Version: Choose OpenAPI 3.0 or 3.1
- Scope: Select endpoints to include
- Detail Level: Include parameters, responses, examples
-
Security Schemes: Document authentication methods
-
Review Generated Schema:
Schema Validation Rules¶
API Security Best Practices¶
Content Security Policies¶
API Content-Type Enforcement:
Name: API Content-Type Validation
Expression: starts_with(http.request.uri.path, "/api/") and
http.request.method in {"POST", "PUT", "PATCH"} and
http.content_type not in {"application/json", "application/xml"}
Action: deny
Response Code: 415
Description: Enforce supported content types
Cross-Origin Resource Sharing (CORS)¶
Configure CORS for API Endpoints:
Name: API CORS Configuration
Expression: starts_with(http.request.uri.path, "/api/") and
http.request.method eq "OPTIONS"
Action: allow
Response Headers:
Access-Control-Allow-Origin: https://app.yourdomain.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization, X-API-Key
Security Headers for APIs¶
Add Security Headers to API Responses:
Name: API Security Headers
Expression: starts_with(http.request.uri.path, "/api/")
Action: allow
Response Headers:
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-XSS-Protection: "1; mode=block"
Strict-Transport-Security: max-age=31536000; includeSubDomains
Troubleshooting API Security¶
Common Issues¶
High False Positive Rates:
- Review and tune rule sensitivity
- Add legitimate traffic to allowlists
- Implement graduated response (log → challenge → block)
- Monitor API consumer feedback
Performance Impact:
- Optimize rule evaluation order
- Use caching for schema validation
- Implement rule bypass for trusted sources
- Monitor API response times
Schema Drift:
- Set up automated schema updates
- Version control API schemas
- Implement backward compatibility checks
- Alert on schema changes
Monitoring and Optimization¶
Regular Review Tasks:
- Weekly API security rule effectiveness review
- Monthly false positive analysis
- Quarterly API consumer behavior analysis
- Semi-annual security architecture review
Performance Optimization:
- Profile rule execution times
- Optimize complex regular expressions
- Cache frequently accessed schemas
- Use edge computing for validation
This comprehensive API security implementation provides robust protection while maintaining performance and usability for legitimate API consumers.