API Firewall: Fast and light-weight API proxy firewall
Open Source API Firewall
API Firewall is a high-performance proxy that validates API requests and responses against an OpenAPI/Swagger schema. It is designed to protect REST API endpoints in cloud-native environments. It hardens an API with a positive security model: calls that match the predefined API specification for requests and responses are allowed, and everything else is rejected.
The key features of API Firewall are:
- Secure REST and GraphQL API endpoints by blocking malicious requests
- Stop API data breaches by blocking malformed API responses
- Discover Shadow API endpoints
- Validate JWT access tokens used for OAuth 2.0-based authentication
- Denylist compromised API tokens, keys, and cookies
- AllowIPList – Restrict access to endpoints by defining a list of allowed IP addresses
- Protection against a wide range of attacks: API Firewall supports ModSecurity rules and the OWASP ModSecurity Core Rule Set
Use cases
Running in blocking mode
- Block malicious requests that do not match the OpenAPI 3.0 specification
- Block malformed API responses to stop data breaches and sensitive information exposure
Running in monitoring mode
- Discover Shadow APIs and undocumented API endpoints
- Log malformed requests and responses that do not match the OpenAPI 3.0 specification
API schema validation and positive security model
When starting API Firewall, you provide the OpenAPI 3.0 specification of the application to be protected. API Firewall then operates as a reverse proxy and validates whether requests and responses match the schema defined in that specification.
Traffic that does not match the schema is either logged to the container's STDOUT and STDERR or blocked, depending on the configured API Firewall operation mode. When operating in logging mode, it also logs so-called shadow API endpoints: endpoints that are not covered by the API specification but still respond to requests (endpoints that answer with a 404 status code are ignored).
OpenAPI 3.0 specification is supported and should be provided as a YAML or JSON file (.yaml, .yml, .json file extensions).
Because the OpenAPI 3.0 specification defines exactly which traffic is expected, API Firewall relies on a positive security model: anything the specification does not describe is treated as a violation rather than being matched against a list of known attacks.
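To make the positive security model and shadow-API logic concrete, the following is an added example written for this page; it is not API Firewall's code and does not parse OpenAPI documents. It uses the standard library's httputil.ReverseProxy rather than fasthttp and assumes a hand-built Spec (constructed demo data, standing in for a real OpenAPI file) with path templates, methods, required query parameters and documented status codes. It then reproduces the behaviour described above: in blocking mode, requests outside the spec get 403 and undocumented upstream status codes are replaced by 502 instead of being forwarded; in log-only mode everything is forwarded, mismatches are logged, and undocumented paths that answer with anything but 404 are reported as shadow endpoints. The names Spec, Operation, NewHandler and DemoSpec and the listen and upstream addresses are this example's own assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"strings"
)

// Operation is the subset of an OpenAPI operation this example validates.
type Operation struct {
	RequiredQuery []string     // query parameters declared required: true
	Responses     map[int]bool // documented response status codes
}

// Spec maps a path template ("/users/{id}") to its methods; templates are assumed not to overlap.
type Spec map[string]map[string]Operation

var ErrUnknownPath = errors.New("path not in specification") // the request is a shadow-API candidate

// matchTemplate: a "{name}" segment matches exactly one non-empty path segment.
func matchTemplate(tmpl, path string) bool {
	ts, ps := strings.Split(strings.Trim(tmpl, "/"), "/"), strings.Split(strings.Trim(path, "/"), "/")
	if len(ts) != len(ps) {
		return false
	}
	for i := range ts {
		if ts[i] != ps[i] && !(strings.HasPrefix(ts[i], "{") && ps[i] != "") {
			return false
		}
	}
	return true
}

// CheckRequest enforces the positive model: path, method and required query parameters must match the spec.
func (s Spec) CheckRequest(method, path string, query url.Values) (Operation, error) {
	for tmpl, methods := range s {
		if !matchTemplate(tmpl, path) {
			continue
		}
		op, ok := methods[strings.ToUpper(method)]
		if !ok {
			return op, fmt.Errorf("method %s not defined for %s", method, tmpl)
		}
		for _, q := range op.RequiredQuery {
			if query.Get(q) == "" {
				return op, fmt.Errorf("missing required query parameter %q", q)
			}
		}
		return op, nil
	}
	return Operation{}, ErrUnknownPath
}

// NewHandler is a reverse proxy validating requests inbound and responses outbound. blocking=true rejects
// mismatches (403 request / 502 response); false only logs them and reports shadow endpoints (non-404 answers).
func NewHandler(spec Spec, blocking bool, upstream *url.URL, logf func(string, ...any)) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		op, err := spec.CheckRequest(r.Method, r.URL.Path, r.URL.Query())
		if err != nil {
			logf("request %s %s: %v", r.Method, r.URL.Path, err)
			if blocking {
				http.Error(w, "request does not match API specification", http.StatusForbidden)
				return
			}
		}
		p := httputil.NewSingleHostReverseProxy(upstream) // built per request so the closure sees op and err
		p.ModifyResponse = func(resp *http.Response) error {
			switch {
			case errors.Is(err, ErrUnknownPath) && resp.StatusCode != http.StatusNotFound:
				logf("shadow API endpoint: %s %s -> %d", r.Method, r.URL.Path, resp.StatusCode)
			case err == nil && !op.Responses[resp.StatusCode]:
				logf("response %s %s: undocumented status %d", r.Method, r.URL.Path, resp.StatusCode)
				if blocking {
					return fmt.Errorf("undocumented response status %d", resp.StatusCode) // default ErrorHandler answers 502
				}
			}
			return nil
		}
		p.ServeHTTP(w, r)
	})
}

// DemoSpec is a constructed specification standing in for a real OpenAPI file.
func DemoSpec() Spec {
	return Spec{
		"/users":      {"GET": {RequiredQuery: []string{"limit"}, Responses: map[int]bool{200: true}}},
		"/users/{id}": {"GET": {Responses: map[int]bool{200: true, 404: true}}},
	}
}

func main() {
	upstream, _ := url.Parse("http://127.0.0.1:8080") // assumed upstream address, not from the project
	log.Fatal(http.ListenAndServe("127.0.0.1:8088", NewHandler(DemoSpec(), true, upstream, log.Printf)))
}
```

The response-side check is the part that stops data leaks: an upstream 500 carrying a stack trace on GET /users/{id} is not a documented response, so in blocking mode the client gets a bare 502 and never sees the body. The real tool validates full request and response schemas (parameters, headers, bodies) and the 404 exclusion for shadow endpoints is the one described in the paragraph above; this example only checks paths, methods, required query parameters and status codes.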
Technical data
API Firewall works as a reverse proxy with a built-in OpenAPI 3.0 request and response validator. It is written in Go and built on the fasthttp library. The project is optimized for high throughput and near-zero added latency.