API Protection

API Security Overview

APIs are the backbone of modern applications, but their rapid evolution—new endpoints, changing parameters, and frequent updates—makes them a prime target for attacks. Without proper controls, these changes can expose security gaps and sensitive data.

CloudGuard WAF secures APIs by:

  • Allowing only traffic that matches approved API definitions.

  • Validating schemas to block unreviewed or deprecated endpoints.

  • Enforcing authentication to ensure only legitimate clients can access APIs (coming soon).

  • Detecting and controlling sensitive data exposure.

CloudGuard WAF delivers this through the following core capabilities:

  • API Discovery

  • Track API Discovery Learning

  • Enforce API Schema

  • Authentication Enforcement

Together, these ensure APIs stay secure while adapting to constant change.

Terminology

Endpoints

The endpoint in a REST API is the URI path without the domain, e.g. "/api/my-assets" in "https://myapp.com/api/my-assets".

However, a REST endpoint can contain "path parameters", which merge several concrete paths with the same meaning into a single endpoint. For example, /api/my-assets/asset-id-4af4 and /api/my-assets/asset-id-8d2a are joined into /api/my-assets/{asset-id}, which represents all paths of this format: they carry different asset IDs but serve the same purpose in terms of security configuration and request body structure.

In GraphQL the endpoint is the function being called.

Methods

In REST APIs the method is the HTTP method, e.g. GET, POST, PUT.

When using GraphQL there are two main methods: query (indicating a read-only endpoint) and mutation.

APIs

An API is the combination of a method and an endpoint, e.g. POST /api/my-assets/{asset-id}.

An API can also have query parameters with certain value formats, unique headers with certain value formats, and a body with a specific structure, usually JSON.

The API's optional query parameters and the structure of its request body are learned as more traffic to the same API is observed, and the accepted structure becomes part of the schema.

The API Discovery engine builds schemas from requests alone. It does not learn the response body and does not create a schema that validates traffic from the server, because the aim is to focus on traffic from clients and to protect the server.

Responses are inspected only for their status code, which distinguishes APIs the web server accepts from those it does not support, and for the presence of sensitive data in them.

Sensitive Data

Sensitive data types whose usage is detected by API Discovery include:

  • UUIDs.

  • Emails.

  • Credit Card Numbers.

  • IP and MAC addresses.

  • Social Security Numbers.

  • Phone Numbers.

  • IBAN.

  • SSH Keys.

  • Certificates.

  • Vehicle Identification Numbers.
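To make the terminology above concrete, here is an added Python example (not CloudGuard code) that collapses path parameters into a single endpoint, learns a request-only schema keyed by method and endpoint, rejects requests that fall outside it, and scans response bodies for a few of the sensitive data types listed above. The ID-segment heuristic, the sample traffic and the detection patterns are this example's own assumptions, not the product's.

```python
import re
from collections import defaultdict
# Constructed sample traffic for this example (not real CloudGuard data).
SAMPLE_REQUESTS = [
    ("GET", "/api/my-assets/asset-id-4af4", {}),
    ("GET", "/api/my-assets/asset-id-8d2a", {}),
    ("POST", "/api/my-assets/asset-id-8d2a", {"name": "db-01", "tags": ["prod"]}),
    ("POST", "/api/my-assets/asset-id-b1c0", {"name": "db-02", "owner": "ops"}),
]

# A segment counts as a path parameter if it is a bare number, a UUID, or a word
# prefix plus a hex suffix ("asset-id-4af4"); this heuristic is the example's own.
ID_SEGMENT = re.compile(r"^(?:(?P<name>[a-z]+(?:-[a-z]+)*)-[0-9a-f]{4,}|\d+|[0-9a-f-]{36})$")
def normalize_endpoint(path: str) -> str:
    """Map /api/my-assets/asset-id-4af4 and .../asset-id-8d2a to /api/my-assets/{asset-id}."""
    out = []
    for seg in path.split("?", 1)[0].split("/"):
        m = ID_SEGMENT.match(seg)
        out.append("{%s}" % (m.group("name") or "id") if m else seg)
    return "/".join(out)

def learn_schema(requests):
    """Learn {(method, endpoint): {body_key: {JSON types seen}}} from requests only."""
    schema = defaultdict(lambda: defaultdict(set))
    for method, path, body in requests:
        fields = schema[(method, normalize_endpoint(path))]
        for key, value in body.items():
            fields[key].add(type(value).__name__)
    return schema

def is_allowed(schema, method, path, body) -> bool:
    """Positive model: an unknown API, body key, or value type is rejected."""
    fields = schema.get((method, normalize_endpoint(path)))
    return fields is not None and all(
        k in fields and type(v).__name__ in fields[k] for k, v in body.items())
# Responses are never schema-checked; they are only scanned for sensitive data.
SENSITIVE = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "uuid": re.compile(r"\b[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\b", re.I),
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
}
def luhn_ok(candidate: str) -> bool:
    """Luhn check keeps random 13-16 digit runs from being reported as card numbers."""
    d = [int(c) for c in candidate if c.isdigit()][::-1]
    return sum(x if i % 2 == 0 else x * 2 - 9 * (x > 4) for i, x in enumerate(d)) % 10 == 0

def find_sensitive(response_body: str) -> set:
    """Sensitive-data types found in a response body (a subset of the page's list)."""
    return {kind for kind, rx in SENSITIVE.items() for m in rx.finditer(response_body)
            if kind != "credit_card" or luhn_ok(m.group())}
```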
