ESA monitors your managed APIs to help you understand their performance and security status. The feature also offers rate limiting suggestions to protect your APIs from excessive traffic, enhancing overall security.
Adding APIs
You can add APIs to ESA in three ways: manually, by importing from API discovery, or by uploading an API schema file.
Manually add an API
Use this method for APIs that the discovery feature may have missed, such as those that are infrequently accessed or lack session identifiers.
In the ESA console, choose Websites. In the Website column, click the target site.
In the left navigation pane, choose .
On the API Security page, select the API Management tab and click Add.

On the Add API page, select the Add Manually tab and configure the following API parameters:
Method: The request method for the API. Options: GET, POST, PUT, HEAD, OPTIONS, DELETE, PATCH, CONNECT, and TRACE.
Path: The path of the API corresponding to the Hostname. It must start with a forward slash (/). For example, /api/demo.
Hostname: The hostname of the API. For example, api.example.com.

Click + Add if you want to add more APIs. When you are finished, click Add.
Note: You can add up to 20 APIs at once.
Import from API Discovery
Use this method to add APIs that ESA has already discovered by scanning your website traffic.
In the ESA console, choose Websites. In the Website column, click the target site.
In the left navigation pane, choose .
On the API Security page, select the API Management tab and click Add.

Select the Add from API Discovery tab.
Select the checkboxes for the APIs that you want to manage, and then click Add.
Upload an API schema
If you have an API definition file (like an OpenAPI file), upload it to add all your APIs at once.
In the ESA console, choose Websites. In the Website column, click the target site.
In the left navigation pane, choose .
On the API Security page, select the API Management tab and click Add.

Select the Upload Schema tab and upload your schema file. ESA automatically discovers the APIs defined in the file. Review the matched APIs. Configure a default action for any requests that do not conform to your schema. We recommend starting with Monitor. Then, click Add.

Get API rate limiting suggestions
ESA can analyze traffic patterns to suggest optimal rate limits for your APIs. This helps protect them from DDoS attacks and resource exhaustion.
To enable this feature, you must first configure a session identifier for the target API. This allows ESA to track requests on a per-user or per-session basis.
A session identifier can be a cookie or a specific header that uniquely identifies a client session. For more information, see Configure a session identifier.
In the ESA console, choose Websites. In the Website column, click the target site.
In the left navigation pane, choose .
On the API Security page, select the API Management tab. In the Suggested Rate column for the API, click Set Session Identifier.

Select the appropriate Session Identifier and click OK.

After you confirm, ESA begins analyzing 24 hours of traffic data for that API. Once the analysis is complete, rate limiting suggestions will appear in the Suggested Rate column. You can then use these suggestions to create a rate limiting rule.
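To sanity-check a suggested rate before turning it into a rule, you can compute a per-session baseline from your own access logs. The following is an added example, not ESA code and not the algorithm ESA uses: the log format, the 60-second window, the nearest-rank percentile, and all function names are assumptions, and the log lines are constructed.

```python
import math
from collections import Counter
from datetime import datetime

# Constructed sample log: timestamp, session identifier value, method, path.
# "-" marks a request that carried no session identifier.
SAMPLE_LOG = """\
2024-05-01T10:00:01+00:00 sess-a GET /api/demo
2024-05-01T10:00:02+00:00 sess-b GET /api/demo
2024-05-01T10:00:05+00:00 sess-a GET /api/demo
2024-05-01T10:00:10+00:00 - GET /api/demo
2024-05-01T10:00:20+00:00 sess-a POST /api/login
2024-05-01T10:00:30+00:00 sess-a GET /api/demo
2024-05-01T10:00:40+00:00 sess-b GET /api/demo
2024-05-01T10:01:00+00:00 sess-c GET /api/demo
2024-05-01T10:01:01+00:00 sess-c GET /api/demo
2024-05-01T10:01:02+00:00 sess-c GET /api/demo
2024-05-01T10:01:03+00:00 sess-c GET /api/demo
2024-05-01T10:01:04+00:00 sess-c GET /api/demo
2024-05-01T10:01:05+00:00 sess-c GET /api/demo
2024-05-01T10:01:10+00:00 sess-a GET /api/demo
"""

def per_session_window_counts(log_text, method, path, window=60):
    """Requests per (session, time window) for one API; window in seconds."""
    counts = Counter()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed line
        ts, session, m, p = parts
        if (m, p) != (method, path) or session == "-":
            continue  # other API, or not attributable to a session
        bucket = int(datetime.fromisoformat(ts).timestamp()) // window
        counts[(session, bucket)] += 1
    return counts

def baseline_rate(counts, percentile=99):
    """Nearest-rank percentile of the per-session window counts."""
    values = sorted(counts.values())
    if not values:
        return None  # no attributable traffic for this API
    return values[max(1, math.ceil(percentile / 100 * len(values))) - 1]

def sessions_over(counts, limit):
    """Sessions that exceeded `limit` requests in at least one window."""
    return sorted({s for (s, _), n in counts.items() if n > limit})
```

Running sessions_over with a candidate limit shows which existing sessions a rule at that rate would have affected. Requests without a session identifier are skipped because they cannot be attributed to a client, which is why the identifier must be configured first.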