Rapid product iteration commonly leaves teams with an incomplete API inventory, an unknown attack surface, and security policy scattered across services. The API Security feature of Edge Security Acceleration (ESA) addresses these problems by building a single API security barrier at the edge layer. It analyzes the access requests that flow through ESA points of presence (POPs), applies machine learning models to that traffic, and provides automatic discovery, continuous monitoring, and protection for your business APIs.
Contact your account manager to enable the API security feature.
Feature Overview
Feature | Description
--- | ---
API discovery | Unknown or deprecated APIs are a common source of data breaches and service interruptions. API discovery applies machine learning to the site's traffic as it flows through ESA, continuously identifies the API endpoints in use, and lists them so that they can be placed under central management and checked for issues such as sensitive data exposure and API abuse.
API monitoring | ESA continuously monitors managed APIs and reports performance and security insights for them.
API schema compliance validation | After you upload an API schema (for example, an OpenAPI specification), ESA matches it to your managed APIs, validates incoming requests against the schema, and applies the configured action (for example, block or log) to any non-compliant request.
API token compliance validation | You create a token compliance validation rule by adding a JSON Web Token (JWT) configuration and binding it to the API that requires verification. ESA then validates the JWT carried by each incoming request and handles non-compliant requests according to the rule.
API security settings | Central management of session identifiers, schema validation settings, and token configurations.
Performance Impact
ESA performs API security analysis passively at the POPs, with minimal performance impact. In ESA's own tests, enabling API discovery and monitoring typically adds only a few milliseconds to the average request processing latency, and the active blocking features (schema compliance validation and token validation) also keep the added latency in the millisecond range, so the effect on user experience is not noticeable.
Scenarios
Inventory API Assets, Discover Unknown Risks
During rapid iteration, developers may release new API operations without telling the security team. Such APIs sit outside the security control system and become potential entry points for attackers.
Recommended Feature: API Discovery
With API discovery enabled, ESA automatically discovers and inventories the API endpoints whose traffic it proxies. Security administrators review this inventory regularly and, after confirming with the development team, either place newly discovered APIs under management or mark them as deprecated. This gives you a complete view of your API assets and closes the blind spots that unregistered endpoints create. Discovery is based on the traffic ESA sees, so an API whose traffic bypasses ESA (for example, one reached directly at the origin) will not appear in the inventory.
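To make the discovery step concrete, the script below shows the core of what an inventory pass does with proxy traffic: it collapses identifier-like path segments into endpoint templates, counts requests per method and template, and reports the endpoints that carry traffic but are absent from the managed inventory. This is an added illustration, not ESA's implementation (ESA uses machine learning models over POP traffic, whereas this uses fixed regex rules). The log format, the normalization rules, the static-asset filter and the managed inventory are all constructed for the example.

```python
"""API discovery by normalizing access-log paths into endpoint templates.

Added illustration, not ESA's implementation. The log format, the
normalization rules, the static-asset filter and the managed inventory
below are constructed for this example.
"""
import re
from collections import Counter

# Constructed sample log: "METHOD PATH STATUS", one request per line.
SAMPLE_LOG = """\
GET /v1/orders/1042 200
GET /v1/orders/1043?fields=id,total 200
POST /v1/orders 201
GET /v1/users/7/profile 200
GET /v1/users/8/profile 200
DELETE /v1/sessions/3f2b9c8e-1d4a-4e6f-9b2c-7a8d5e4f1c0b 204
GET /internal/debug/dump 200
GET /internal/debug/dump 200
GET /static/app.js 200
"""

# Endpoints the security team already manages (constructed).
MANAGED = {
    ("GET", "/v1/orders/{id}"),
    ("POST", "/v1/orders"),
    ("GET", "/v1/users/{id}/profile"),
}

STATIC_EXT = (".js", ".css", ".png", ".jpg", ".ico", ".svg", ".woff2")
UUID_RX = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)
HEX_RX = re.compile(r"^[0-9a-f]{16,}$", re.I)


def normalize(path: str) -> str:
    """Collapse identifier-like segments so that /v1/orders/1042 and
    /v1/orders/1043 map to the same template /v1/orders/{id}."""
    path = path.split("?", 1)[0]          # the query string is not part of the endpoint
    out = []
    for seg in path.split("/"):
        if seg.isdigit():
            out.append("{id}")
        elif UUID_RX.match(seg):
            out.append("{uuid}")
        elif HEX_RX.match(seg):
            out.append("{hash}")
        else:
            out.append(seg)
    return "/".join(out)


def discover(log_text: str) -> Counter:
    """Return request counts per (method, endpoint template), skipping static assets."""
    seen = Counter()
    for line in log_text.splitlines():
        try:
            method, path, _status = line.split()
        except ValueError:
            continue                      # malformed line: skip it rather than crash
        if path.split("?", 1)[0].lower().endswith(STATIC_EXT):
            continue
        seen[(method.upper(), normalize(path))] += 1
    return seen


def unmanaged(discovered: Counter, inventory: set) -> list:
    """Endpoints that carry traffic but are absent from the managed inventory."""
    return sorted(ep for ep in discovered if ep not in inventory)


if __name__ == "__main__":
    found = discover(SAMPLE_LOG)
    for ep, n in sorted(found.items()):
        print(f"{n:3d}  {ep[0]:6s} {ep[1]}")
    print("not under management:", unmanaged(found, MANAGED))
```

Run against the constructed log, the pass reports two endpoints that nobody registered: a session-deletion operation and an internal debug dump that is reachable from the internet. Those are exactly the entries a security administrator would take to the development team before deciding whether to manage or retire them.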
Block Non-compliant API Requests at the Edge
Attackers frequently probe public-facing APIs with large numbers of malformed requests that do not match the expected format. These requests consume origin computing resources and may trigger unknown vulnerabilities in the code behind the endpoint.
Recommended Feature: API Schema Compliance Validation (also referred to as architecture compliance validation)
Upload the OpenAPI specification for your core business APIs. ESA then validates the structure and parameters of every incoming request against that specification at the edge nodes, and any request that does not comply, such as a call to an undeclared path or method or a parameter of the wrong type, is blocked or logged before it reaches the origin. This removes most fuzzing and malformed-input traffic at the edge. It does not replace input validation at the origin: a payload that satisfies the schema, for example an injection string inside a field declared only as a free-form string, still passes, so tighten the specification with patterns, enumerations and length limits wherever you can.
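The following script is an added example, not ESA code, of the kind of check schema compliance validation performs: a small OpenAPI-style specification is constructed inline, and each sample request is matched against path templates, allowed methods, required and declared parameters, and parameter types, patterns and lengths. The spec, the request shapes and the subset of OpenAPI it understands are assumptions made for this illustration; the last sample request shows the caveat above, an injection payload that passes because the field is only declared as a string.

```python
"""Edge-style request validation against a minimal OpenAPI-like spec.

Added example (not ESA code). The spec, the requests and the subset of
OpenAPI understood here are assumptions made for this illustration.
"""
import re

# Constructed sample spec: one public API, deliberately strict on /orders,
# deliberately loose on /search to show what schema validation cannot catch.
SPEC = {
    "paths": {
        "/v1/orders/{orderId}": {
            "get": {
                "parameters": [
                    {"name": "orderId", "in": "path", "required": True,
                     "schema": {"type": "integer", "minimum": 1}},
                    {"name": "fields", "in": "query", "required": False,
                     "schema": {"type": "string", "pattern": r"^[a-z_,]{1,64}$"}},
                ]
            }
        },
        "/v1/search": {
            "get": {
                "parameters": [
                    {"name": "q", "in": "query", "required": True,
                     "schema": {"type": "string", "maxLength": 100}},
                ]
            }
        },
    }
}


def _compile(template: str):
    """Turn /v1/orders/{orderId} into a regex with a named group per path parameter."""
    rx = re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", template)
    return re.compile("^" + rx + "$")


def _check_value(raw: str, schema: dict):
    """Return an error string if the raw parameter value violates the schema."""
    t = schema.get("type", "string")
    if t == "integer":
        if not re.fullmatch(r"-?\d+", raw):
            return "not an integer"
        if "minimum" in schema and int(raw) < schema["minimum"]:
            return "below minimum"
    elif t == "string":
        if "maxLength" in schema and len(raw) > schema["maxLength"]:
            return "too long"
        if "pattern" in schema and not re.fullmatch(schema["pattern"], raw):
            return "pattern mismatch"
    return None


def validate(method: str, path: str, query: dict):
    """Return (ok, reason) for one request; query is a dict of single-valued params."""
    for template, ops in SPEC["paths"].items():
        m = _compile(template).match(path)
        if not m:
            continue
        op = ops.get(method.lower())
        if op is None:
            return False, f"method {method} not allowed on {template}"
        params = op.get("parameters", [])
        # Undeclared query parameters are a classic probing/fuzzing signature.
        extra = set(query) - {p["name"] for p in params if p["in"] == "query"}
        if extra:
            return False, f"undeclared query parameter(s): {sorted(extra)}"
        for p in params:
            source = m.groupdict() if p["in"] == "path" else query
            if p["name"] not in source:
                if p.get("required"):
                    return False, f"missing required {p['in']} parameter {p['name']}"
                continue
            err = _check_value(source[p["name"]], p["schema"])
            if err:
                return False, f"{p['in']} parameter {p['name']}: {err}"
        return True, "compliant"
    return False, f"path {path} not in schema"


# Constructed sample requests (not real traffic).
SAMPLE_REQUESTS = [
    ("GET", "/v1/orders/42", {}),                         # compliant
    ("GET", "/v1/orders/42", {"fields": "id,total"}),     # compliant
    ("GET", "/v1/orders/42%27%20OR%201=1", {}),          # path fuzzing: not an integer
    ("GET", "/v1/orders/42", {"debug": "1"}),             # undeclared parameter
    ("DELETE", "/v1/orders/42", {}),                      # method not in spec
    ("GET", "/v1/admin/users", {}),                       # path not in spec
    ("GET", "/v1/search", {"q": "' OR 1=1 --"}),          # passes: the schema is too loose
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req[0], req[1], req[2], "->", validate(*req))
```

The first six requests show what the edge removes for free; the seventh is the one to remember. Declaring `q` with a pattern such as `^[\w ]{1,100}$` would have stopped it, which is the practical reason to invest in a tight specification rather than uploading whatever the generator produced.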
Protect APIs for Mobile and Web Applications
In a decoupled frontend and backend architecture, mobile apps and single-page applications communicate with backend services through APIs. A key part of the security design is ensuring that those APIs are invoked only by legitimate clients.
Recommended Feature: API Token Compliance Validation
Configure token compliance validation rules for your APIs so that every client must present a valid JSON Web Token (JWT) with each request. ESA verifies the signature, checks the time-to-live (TTL) and performs the other configured validation tasks at the POPs, and only requests that pass are forwarded to the origin. Unauthorized requests are therefore rejected at the edge, and the TTL check bounds how long a captured token remains useful to an attacker. Keep token lifetimes short: a stolen token can still be replayed until it expires.
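The checks an edge node performs on a bearer JWT, written out as an added example that is not ESA code: pin the algorithm, verify the HS256 signature in constant time, enforce `exp` and `nbf` with a small clock-skew allowance, check issuer and audience, and (an addition beyond the TTL check, to show what the replay caveat above means) refuse a `jti` that has already been presented. The key, issuer, audience, skew, the fixed clock and the `jti` cache are assumptions for this illustration; the `issue` helper exists only to mint sample tokens.

```python
"""HS256 JWT verification as an edge node would perform it.

Added example, not ESA code. The token layout follows RFC 7519; the key,
issuer, audience, skew, fixed clock and per-node jti cache are assumptions
made for this illustration.
"""
import base64
import hashlib
import hmac
import json

KEY = b"constructed-demo-key-not-for-production"   # assumed shared secret
ISSUER = "https://auth.example.com"                # assumed issuer
AUDIENCE = "orders-api"                            # assumed audience
NOW = 1_700_000_000                                # fixed clock for repeatable results


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue(claims: dict, key: bytes) -> str:
    """Mint an HS256 token; used here only to construct sample inputs."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class Verifier:
    def __init__(self, key: bytes, issuer: str, audience: str, skew: int = 30):
        self.key, self.issuer, self.audience, self.skew = key, issuer, audience, skew
        self.seen_jti = {}   # jti -> exp; replay detection inside the TTL window

    def verify(self, token: str, now: int):
        parts = token.split(".")
        if len(parts) != 3:
            return False, "malformed token"
        h, p, s = parts
        try:
            header = json.loads(_b64url_decode(h))
            claims = json.loads(_b64url_decode(p))
            sig = _b64url_decode(s)
        except ValueError:               # covers base64, UTF-8 and JSON failures
            return False, "undecodable segment"
        if not isinstance(header, dict) or not isinstance(claims, dict):
            return False, "undecodable segment"
        # Pin the algorithm: the token must never choose it ("none", RS/HS confusion).
        if header.get("alg") != "HS256":
            return False, "unexpected alg"
        expected = hmac.new(self.key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        exp = claims.get("exp")
        if not isinstance(exp, int) or now > exp + self.skew:
            return False, "expired or missing exp"
        if now + self.skew < claims.get("nbf", 0):
            return False, "not yet valid"
        if claims.get("iss") != self.issuer or claims.get("aud") != self.audience:
            return False, "wrong issuer or audience"
        # The TTL check alone leaves the whole validity window open to replay;
        # remembering jti until exp narrows a token to a single use on this node.
        jti = claims.get("jti")
        if jti is not None:
            self.seen_jti = {j: e for j, e in self.seen_jti.items() if e >= now}
            if jti in self.seen_jti:
                return False, "replayed token"
            self.seen_jti[jti] = exp
        return True, "valid"


def run_checks(now: int = NOW) -> dict:
    """Exercise the verifier on constructed tokens; returns {case: (ok, reason)}."""
    v = Verifier(KEY, ISSUER, AUDIENCE)
    base = {"iss": ISSUER, "aud": AUDIENCE, "exp": now + 300, "nbf": now - 10}
    good = issue({**base, "jti": "req-1"}, KEY)
    _h, p, _s = good.split(".")
    cases = {
        "valid": good,
        "replayed": good,                                   # same token presented twice
        "expired": issue({**base, "exp": now - 100}, KEY),
        "not_yet_valid": issue({**base, "nbf": now + 100}, KEY),
        "wrong_key": issue(base, b"attacker-guess"),
        "alg_none": _b64url_encode(b'{"alg":"none"}') + "." + p + ".",
        "wrong_audience": issue({**base, "aud": "other-api"}, KEY),
        "malformed": "not.a.jwt.at.all",
    }
    return {name: v.verify(tok, now) for name, tok in cases.items()}


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name:15s} {result}")
```

The `jti` cache is per node; in a distributed edge the same token could still be accepted once at each POP, which is why short lifetimes remain the primary control against replay rather than an afterthought.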
Support for Different Plans
Feature category | Detailed feature | Free (0 CNY/month) | Basic (9.9 CNY/month) | Standard (375 CNY/month) | Advanced (3600 CNY/month) | Enterprise (contact sales for custom pricing)
--- | --- | --- | --- | --- | --- | ---
API security features | Supported features | API management and schema validation only | API management and schema validation only | API management and schema validation only | All features | 
API security features | Number of APIs managed | 10 | 20 | 30 | 100 | 
API security features | Number of session identifiers | 10 |  |  |  | 
API security features | Number of schema files | 1 | 1 | 1 | 5 | 
API security features | Number of JWT tokens | 5 |  |  |  | 
API security features | Number of API rules | 10 |  |  |  | 
For the number of session identifiers, JWT tokens and API rules, the source lists a single value (10, 5 and 10) without a per-plan breakdown; the table reproduces it as given. Enterprise limits are not listed and are agreed with sales.