Get started with API security


To prevent threats from unknown or deprecated APIs, such as data breaches and service interruptions, use the API security feature of Edge Security Acceleration (ESA). This feature uses machine learning to continuously analyze your site's service traffic. It automatically discovers API endpoints to help you centrally manage APIs and identify issues such as sensitive data leakage and API abuse.

Step 1: Configure session identifiers

You must configure a session identifier before you use the API security feature. ESA uses the identifier to tell visitors apart, which is what makes user-level API behavior analysis and anomaly detection possible, including accurate detection of and protection against attacks that target specific users. Choose a value that is present on every API request and that the server binds to a visitor rather than one a client can pick freely, such as a server-issued session cookie or a claim from a token your origin validates; requests that carry no identifier cannot be attributed to a visitor.

  1. In the ESA console, select Websites. In the Website column, click the target site.

  2. In the navigation pane on the left, choose Security > API Security.

  3. On the API Security page, click the Settings tab. In the Session Identifier section, click Add.

  4. Select an identifier type (Header, Cookie, or JWT claims) and enter the name of the header, cookie, or JWT claim that carries the identifier.

Step 2: Discover and evaluate APIs

After you configure the session identifier, ESA automatically starts to discover APIs. You can evaluate these APIs and mark them as Managed or Ignored. This ensures that your core business APIs are fully protected and that APIs that do not require protection are excluded.

Discover APIs

ESA uses machine learning and session identifiers to analyze your site's traffic and automatically discover its APIs.

Note

To ensure that the discovery results are valid and up-to-date, this feature includes only APIs that have received valid requests in the last 30 days.

  1. In the ESA console, select Websites. In the Website column, click the target site.

  2. In the navigation pane on the left, choose Security > API Security.

  3. On the API Security page, select the API Discovery tab. ESA displays the total number of Discovered APIs and their details.

Evaluate APIs

To help you quickly categorize APIs, ESA assigns one of the following statuses to discovered APIs. For each status, the security protection level and the recommended action are:

Status: To Be Reviewed
Security protection level: No active protection. API calls in this state do not trigger any API security mitigation policies.
Recommended action: High-risk state. Evaluate and mark the API as Managed or Ignored as soon as possible.

Status: Managed
Security protection level: Fully protected. Covered by the comprehensive detection and protection of API Security, including abnormal behavior analysis and attack prevention.
Recommended action: Recommended. All public-facing business APIs should be in this state.

Status: Ignored
Security protection level: Ignored. ESA no longer performs any statistics, analysis, or protection for this API.
Recommended action: Use for APIs that are used for internal testing, are deprecated, or do not require security management.

Evaluate the discovered APIs as follows:

  1. In the ESA console, select Websites. In the Website column, click the target site.

  2. In the navigation pane on the left, choose Security > API Security.

  3. On the API Security page, select the API Discovery tab. In the To Be Reviewed section, click the Filter button to display all APIs that are pending evaluation.

  4. In the list of APIs pending evaluation, mark an API as Managed or Ignored. You can also select multiple APIs and choose an action from the options below the list.
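The following Python is an added illustration, not ESA's implementation and not code from this page. It models what Steps 1 and 2 and the FAQ below describe: a session identifier of type Header, Cookie, or JWT claims is extracted from each request, traffic is grouped into endpoints counting only non-5xx requests from the last 30 days, and, once visitors can be told apart, a per-session check can flag one identifier hammering a single endpoint. The sample traffic, the header name X-Session-Id, the cookie name sid, the claim name sub, the API paths, the unsigned demo token, and the 50-requests-per-session threshold are all assumptions made for the example.

```python
import base64
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from http.cookies import SimpleCookie

NOW = datetime(2024, 6, 30, tzinfo=timezone.utc)  # assumed "current" time


def make_demo_jwt(claims):
    """Unsigned JWT-shaped token for the sample data only (alg=none, empty signature)."""
    def b64url(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(claims)}."


def _request(method, path, status, days_ago, headers):
    return {"method": method, "path": path, "status": status,
            "time": NOW - timedelta(days=days_ago), "headers": headers}


# Constructed sample traffic; paths, header, cookie and claim names are assumptions.
SAMPLE_REQUESTS = [
    _request("GET", "/api/v1/orders", 200, 1, {"X-Session-Id": "s1"}),
    _request("GET", "/api/v1/orders", 200, 2, {"X-Session-Id": "s2"}),
    _request("POST", "/api/v1/orders", 201, 3, {"Cookie": "sid=s1; theme=dark"}),
    _request("GET", "/api/v1/profile", 200, 5,
             {"Authorization": "Bearer " + make_demo_jwt({"sub": "user-7"})}),
    _request("GET", "/api/v1/broken", 503, 4, {"X-Session-Id": "s3"}),   # 5xx only
    _request("GET", "/api/v1/legacy", 200, 45, {"X-Session-Id": "s1"}),  # older than 30 days
] + [_request("GET", "/api/v1/orders", 200, 1, {"X-Session-Id": "s9"})
     for _ in range(60)]  # one visitor hammering one endpoint


def _header(headers, name):
    """Case-insensitive header lookup; HTTP header names are not case-sensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def extract_session_id(request, identifier):
    """Visitor identifier for one request, or None if the request lacks it.
    identifier mirrors the console choice: {"type": Header|Cookie|JWT claims, "name": ...}."""
    kind, name, headers = identifier["type"], identifier["name"], request["headers"]
    if kind == "Header":
        return _header(headers, name)
    if kind == "Cookie":
        jar = SimpleCookie()
        jar.load(_header(headers, "Cookie") or "")
        return jar[name].value if name in jar else None
    if kind == "JWT claims":
        auth = _header(headers, "Authorization") or ""
        parts = auth[len("Bearer "):].split(".") if auth.startswith("Bearer ") else []
        if len(parts) != 3:
            return None
        # Payload only: this demo does not verify the signature, so the value is
        # only as trustworthy as the token validation your origin performs.
        try:
            claims = json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))
        except ValueError:
            return None
        return claims.get(name) if isinstance(claims, dict) else None
    raise ValueError(f"unknown identifier type: {kind}")


def discover_apis(requests, identifier, now=NOW, window_days=30):
    """Group traffic into endpoints, counting only non-5xx requests from the
    last window_days (the discovery criteria the page states)."""
    cutoff = now - timedelta(days=window_days)
    apis = {}
    for req in requests:
        if req["time"] < cutoff or 500 <= req["status"] <= 599:
            continue
        entry = apis.setdefault(f"{req['method']} {req['path']}",
                                {"requests": 0, "sessions": set(), "per_session": defaultdict(int)})
        entry["requests"] += 1
        session = extract_session_id(req, identifier)
        if session is not None:  # requests without the identifier cannot be attributed
            entry["sessions"].add(session)
            entry["per_session"][session] += 1
    return apis


def flag_abusive_sessions(apis, max_per_session=50):
    """Per-visitor check that is only possible once sessions can be told apart:
    one identifier issuing more than max_per_session calls to one endpoint (assumed threshold)."""
    return [(ep, s, n) for ep, e in apis.items()
            for s, n in e["per_session"].items() if n > max_per_session]


if __name__ == "__main__":
    for ident in ({"type": "Header", "name": "X-Session-Id"},
                  {"type": "Cookie", "name": "sid"}, {"type": "JWT claims", "name": "sub"}):
        apis = discover_apis(SAMPLE_REQUESTS, ident)
        print(ident["type"], {ep: sorted(e["sessions"]) for ep, e in apis.items()},
              "abuse:", flag_abusive_sessions(apis))
```

Running it with the three identifier types shows why the choice matters: the endpoint list is the same each time, but only requests that actually carry the configured header, cookie, or claim are attributed to a visitor, and the abuse finding for session s9 appears only when the identifier is the header those requests use.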

FAQ

Why was my API not discovered?

Check the following items:

  1. Make sure that your site traffic passes through ESA.

  2. Make sure that the API received HTTP requests with a status code other than 5xx in the last 30 days.

  3. For new sites or low-traffic APIs, API discovery can take 24 hours or longer. Wait for the learning process to complete.

Can I manually add an API that was not discovered?

Yes, you can. For more information, see Manually add an API.