Web Application Firewall: API security compliance check, tracing, and auditing

Last Updated: Mar 31, 2026

The API security module provides two features for managing sensitive data risk in your APIs:

  • Compliance check monitors cross-border personal data transfers and generates statistics you can use for security assessment and regulatory filing.

  • Tracing and auditing lets you query sensitive data traffic from the last 30 days and trace the origin of a data leak—so you can respond quickly and reduce business impact.

Important

Both features are available only on subscription Web Application Firewall (WAF) instances deployed in regions in the Chinese mainland that support the API security module. Both features are disabled by default.

Compliance check

The compliance check feature tracks API-based cross-border data transfers and evaluates whether the transfers meet regulatory requirements. Detection data is available from January 1, 2023 to the present.

Enable compliance check

  1. On the API Security page, go to Policy Configurations > Applicable Object Configurations.

  2. Find the protected object you want to manage.

  3. Turn on the switch in the Compliance Check column.

To stop analyzing traffic for a protected object, turn off the switch.

For more information, see Policy configurations.

View compliance check results

On the API Security page, click the Compliance Check tab.

Note

Check results are deduplicated—each unique cross-border transfer pattern is counted once, regardless of how many times it occurs. The time filters (Last 1 Month, Last 3 Months, Last 6 Months, Last 12 Months) apply to all sections except Detection Results and Detection Items, which always show data from January 1, 2023 to the present.

The tab contains the following sections:

| Section | What it shows |
| --- | --- |
| Detection Results | Overall assessment across personal information data types and personal sensitive data types. The result is either: no risks detected, or risks detected and a security assessment is required. Click Detection Configurations (upper-right corner) to view built-in sensitive data types or add custom types on the Custom tab. |
| Detection list | Per-item check results with Required Compliance, Detection Item, and Evaluation Result columns. |
| Outbound Transferred Data Trend | A chart showing three trend lines over the selected period: total personal information entries, entries transferred cross-border, and sensitive personal information entries transferred cross-border. |
| Top Distribution for Outbound Transferred Personal Information | The top 10 destination countries by cross-border transfer volume, plus a world map where darker shading indicates higher transfer volume. Adjust the high-low slider to highlight specific countries—rankings are unaffected by slider adjustments. Hover over the map to see entry counts per location; zoom in or out as needed. |
| Statistics on Types of Outbound Transferred Personal Information | Personal information and sensitive personal information broken down by data volume level and evaluation result. Filter by data type or sensitivity level. For assessment standards, see What are the standards for the security assessment and filing of cross-border data transfer? |
| Statistics on Domain Names in Personal Information and API Names | Cross-border transfer entry counts by site (domain name and API operation). |

Tracing and auditing

The tracing and auditing feature gives you visibility into sensitive data traffic from the last 30 days. If a data leak occurs, use it to pinpoint when the leak started and trace how the data left your systems.

Enable tracing and auditing

  1. On the API Security page, go to Policy Configurations > Applicable Object Configurations.

  2. Find the protected object you want to manage.

  3. Turn on the switch in the Tracing and Auditing column.

For more information, see Policy configurations.

Query sensitive data logs

On the API Security page, click the Tracing and Auditing tab, then select Log Query.

The Log Query tab displays the following statistics, each sorted in descending order by leaked sensitive data entry count:

| Sub-section | What it shows |
| --- | --- |
| IP Address Statistics | IP addresses used to access sensitive data |
| Domain Name Statistics | Domain names from which sensitive data was leaked |
| Sensitive Data Type Statistics | Types of sensitive data leaked |
| API Statistics | APIs and domain names over which sensitive data was leaked |
| Details | Full log entries. Filter by domain name, API, sensitive data type, or IP address. |

For information about detectable sensitive data types, see What types of sensitive data can be detected by the API security module? For information about API sensitivity levels, see What are the sensitivity levels of the API security module?

Trace a specific data leak

Use Data Traceability to search for a specific piece of sensitive data and find where it appeared in your traffic logs.

  1. On the Tracing and Auditing tab, click Data Traceability.

  2. Select the sensitive data type and enter up to five sample data values. Separate multiple values with commas (,).

    Note

    Cross-validation accuracy improves with more sample entries. You can enter up to five values.

  3. In the results list, find the tracing result and click View Details in the Actions column to view the matching logs on the Log Query tab.