
Web Application Firewall:API security

Last Updated:Apr 15, 2024

The API security module automatically classifies the APIs of services that are protected by Web Application Firewall (WAF) and detects API vulnerabilities, such as unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs, based on a built-in detection mechanism and custom detection policies. The module allows you to trace API exception events, check the compliance of outbound data transfer, trace sensitive data by using reports, and fix detected vulnerabilities. The module also provides data for API lifecycle management. This way, you can configure comprehensive security protection for your APIs. This topic describes how to configure the API security module.

Limits

You cannot enable this feature for the following protected objects:

  • Protected objects that are added to WAF in hybrid cloud mode.

  • Microservices Engine (MSE) instances and custom domain names that are bound to web applications in Function Compute, when these objects are added to WAF in cloud native mode.

Features

Feature

Description

Asset overview and lifecycle management

Analyzes access logs offline to automatically detect APIs and identify the business purposes of API calls based on API characteristics.

Risk detection

Detects various security risks, such as unauthorized access and sensitive data leaks, and provides risk analysis and suggestions on how to handle the security risks.

Security event detection

Monitors and analyzes API calls to detect abnormal requests and attacks at the earliest opportunity.

Compliance check

Helps identify risks that are associated with outbound data transfer operations based on the Measures for the Security Assessment of Outbound Data Transfer. The module checks the compliance requirements of the operations in the following scenarios:

  • A critical information infrastructure operator or data processor that has processed the personal information of more than one million people provides personal information abroad.

  • A data processor that has provided the personal information of more than 100,000 people or the sensitive personal information of more than 10,000 people since January 1 of the previous year provides personal information abroad.

Tracing and auditing

Performs source tracing by cross-referencing logs and sample sensitive data when sensitive data security events occur.

Custom API security policies

Allows you to configure custom detection policies based on your business requirements. This increases the detection accuracy and recall rate of the API security module.

Custom effective scope

Allows you to configure the API security module for a specific protected object.

For information about the capabilities of the API security module, refer to the following section that provides answers to some frequently asked questions about the API security module:

  • What are the purposes of API calls that are classified by the API security module?

    • Logon authentication

    • Authentication based on mobile phone verification codes

    • Data storage

    • Data query

    • Data export

    • Data sharing

    • Data update

    • Data deletion

    • Data addition

    • Unpublishing and deregistration

    • Information sending

    • Information authentication

    • Email sending

    • Authentication based on email verification codes

    • Authentication based on account passwords

    • Account registration

  • What are the objects for which APIs are called to provide services?

    • Internal office: The API is called to provide services to internal employees.

    • Third-party partners: The API is called to provide services to third-party ecosystem partners.

    • Public services: The API is called to provide Internet-facing services.

  • What types of sensitive data can be detected by the API security module?

    Sensitivity level

    Sensitive data type

    Non-sensitive data (N)

    N/A

    Top-level sensitive data (L0)

    Top-level sensitive data has the same types as first-level and second-level sensitive data. A type is upgraded to this level based on how many times it appears in a single response:

    • If a type of first-level sensitive data appears multiple times in a response, the type is upgraded to top-level sensitive data.

    • If a type of second-level sensitive data appears multiple times in a response, the type is upgraded to first-level or top-level sensitive data, depending on the number of occurrences.

    First-level sensitive data (L1)

    The following information is classified as first-level sensitive data: ID number, debit card number, mobile phone number, passport number, number of Exit-Entry Permit for Traveling to Hong Kong (China) and Macao (China), license plate number, military ID number, Hong Kong (China) ID number, Malaysia ID number, Singapore ID number, credit card number, Social Security number (SSN), Java Database Connectivity (JDBC) connection string, Privacy Enhanced Mail (PEM) certificate, private key in the KEY format, /etc/passwd file in Linux, and /etc/shadow file in Linux.

    Second-level sensitive data (L2)

    The following information is classified as second-level sensitive data: name in simplified Chinese, address (Chinese mainland), email address, mobile phone number (Chinese mainland), name in traditional Chinese, name in English, mobile phone number (USA), religion, IP address, media access control (MAC) address, IPv6 address, GPS location, International Mobile Equipment Identity (IMEI), business license number, tax registration certificate number, organization code, unified social credit code, and vehicle identification number.

    Third-level sensitive data (L3)

    The following information is classified as third-level sensitive data: gender, nationality, province (Chinese mainland), city (Chinese mainland), unverified ID number, Society for Worldwide Interbank Financial Telecommunication (SWIFT) code, date, and URL.

  • What types of API risks can be detected by the API security module?

    Risk type

    Description

    Lack of authentication mechanisms for sensitive data APIs

    No authentication mechanisms are provided to prevent unauthorized users from obtaining sensitive data.

    Lack of throttling mechanisms

    No throttling mechanisms are provided to limit high-frequency access. Without throttling, the API is exposed to brute-force attacks and malicious crawlers.

    Lack of access control mechanisms

    No access control mechanisms are provided to block requests that deviate from the daily access baseline, such as requests that are sent from unexpected regions.

    Suspicious exposure of internal APIs

    Internal APIs are exposed over the Internet. The internal APIs include APIs that are used for internal office operations, development and testing, and operations management.

    Weak passwords on internal logon APIs

    Internal logon APIs use weak passwords that can be easily cracked.

  • What types of exception events can be detected by the API security module?

    Event type

    Description

    Calls from unexpected regions

    For example, if most calls of an API are initiated from Beijing and a call that is initiated from the United States is detected, the call from the United States is considered a call from an unexpected region.

    Calls from unexpected IP addresses

    For example, if most calls of an API are initiated from the IP address 192.0.XX.XX and a call that is initiated from the IP address 192.1.XX.XX is detected, the call from the IP address 192.1.XX.XX is considered a call from an unexpected IP address.

    Calls from unexpected terminals

    For example, if most calls of an API are initiated from browsers and a call that is initiated by using Python scripts is detected, the call that is initiated by using Python scripts is considered a call from an unexpected terminal.

    Calls during unexpected time ranges

    For example, if most calls of an API are initiated between 09:00 and 17:00 and a call that is initiated at 03:00 is detected, the call that is initiated at 03:00 is considered a call during an unexpected time range.

    Brute-force attacks against logon APIs

    Attackers repeatedly submit password guesses against a logon API to crack account passwords.

    Dictionary attacks against logon APIs

    Attackers use multiple common words and simple variations of the words to guess passwords.

    Unauthorized access to sensitive data

    An API is called to obtain sensitive data without authorization.

    Acquisition of excessively large amounts of sensitive data

    An API is called to obtain an excessively large amount of sensitive data.

    Abnormal batch registration

    An API is called to register a large number of accounts. This event is suspected to be spam user registration.

    Suspicious exports

    An API is called to download or export a large number of files.

    Suspicious high-frequency access

    An API is called at an excessively high frequency.

    Brute-force attacks against verification codes

    An API is called to initiate brute-force attacks against verification codes.

    Abuse of text message APIs

    An API that is used to send text messages is called at an excessively high frequency, which exhausts resources.

    Abuse of email APIs

    An API that is used to send emails is called at an excessively high frequency. An email bomb may exist.

    Path traversal

    An API is called repeatedly with parameter values that are traversed in sequence, and data is crawled at an excessively high frequency.

    Non-compliant API calls

    An invalid value is specified for a parameter in a request. For example, the value of Parameter A must be an integer but a string is specified.

  • What are the standards for the security assessment and filing of outbound data transfer? (Supported only in the Chinese mainland)

    Type

    Magnitude

    Result

    Providing personal information abroad

    Personal information of more than 100,000 people in total since January 1 of the previous year

    Application for a security assessment is required.

    Providing personal information abroad

    Personal information of 100 to 100,000 people since January 1 of the previous year

    Filings must be applied for.

    Providing personal information abroad

    Personal information of less than 100 people since January 1 of the previous year

    Security assessments or filings are not required.

    Providing sensitive personal information abroad

    Sensitive personal information of more than 10,000 people in total since January 1 of the previous year

    Application for a security assessment is required.

    Providing sensitive personal information abroad

    Sensitive personal information of 100 to 10,000 people since January 1 of the previous year

    Filings must be applied for.

    Providing sensitive personal information abroad

    Sensitive personal information of less than 100 people since January 1 of the previous year

    Security assessments or filings are not required.
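The sensitivity levels and the escalation rule described above (a first-level type that repeats in one response becomes top-level; a second-level type that repeats becomes first-level or top-level), as an added example that is not part of the original page and not WAF's own detection logic: a small response classifier that matches a handful of the listed data types with regular expressions, counts the occurrences of each type in one response body, and applies the repeat rule. The regular expressions, the thresholds REPEAT and BULK, and the sample response body are assumptions made for this example.

```python
import re

# Illustrative patterns for some of the data types listed above. They are
# assumptions for this example, not WAF's built-in detection rules.
PATTERNS = {
    "L1": {
        "credit_card": re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{4}(?!\d)"),
        "jdbc_connection_string": re.compile(r"""jdbc:[a-z]+://[^\s"']+"""),
        "pem_block": re.compile(r"-----BEGIN (?:CERTIFICATE|[A-Z ]*PRIVATE KEY)-----"),
    },
    "L2": {
        "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
        "ipv4": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    },
    "L3": {
        "url": re.compile(r"""https?://[^\s"'<>]+"""),
        "date": re.compile(r"(?<!\d)\d{4}-\d{2}-\d{2}(?!\d)"),
    },
}

REPEAT = 2   # occurrences at which a type is escalated (assumed threshold)
BULK = 10    # L2 occurrences at which a type goes straight to L0 (assumed threshold)
RANK = {"L0": 0, "L1": 1, "L2": 2, "L3": 3, "N": 4}


def effective_level(base: str, count: int) -> str:
    """Apply the escalation rule: repeated L1 -> L0; repeated L2 -> L1 (or L0 in bulk)."""
    if base == "L1" and count >= REPEAT:
        return "L0"
    if base == "L2" and count >= BULK:
        return "L0"
    if base == "L2" and count >= REPEAT:
        return "L1"
    return base


def classify_response(body: str) -> dict:
    """Return per-type findings and the highest sensitivity level of one response body."""
    findings = {}
    for base, types in PATTERNS.items():
        for name, rx in types.items():
            count = len(rx.findall(body))
            if count:
                findings[name] = {"base": base, "count": count,
                                  "level": effective_level(base, count)}
    # "N" when nothing matched; otherwise the most sensitive effective level found.
    overall = min((f["level"] for f in findings.values()), key=RANK.get, default="N")
    return {"overall": overall, "findings": findings}


# Constructed API response body (not real data): two card numbers, two email
# addresses, two dates and an embedded JDBC connection string.
SAMPLE_RESPONSE = """{"customers":[
 {"name":"A. Example","email":"a@example.com","card":"4111 1111 1111 1111","joined":"2023-04-01"},
 {"name":"B. Example","email":"b@example.com","card":"5500 0000 0000 0004","joined":"2023-05-02"}],
 "db":"jdbc:mysql://db.internal:3306/crm?user=app&password=hunter2"}"""

if __name__ == "__main__":
    result = classify_response(SAMPLE_RESPONSE)
    print("overall level:", result["overall"])
    for name, finding in result["findings"].items():
        print(f"{name}: base {finding['base']}, seen {finding['count']}x -> {finding['level']}")
```

On the sample body the two credit card numbers push that type from L1 to L0, the two email addresses push that type from L2 to L1, and the response as a whole is rated L0, which is the rating a practitioner would expect for a list endpoint that returns card numbers for every customer.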
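The four baseline-type exception events listed above (calls from unexpected regions, IP addresses and terminals, and calls during unexpected time ranges), as an added example that is not part of the original page and not WAF's own event logic: build a per-API baseline from a window of access-log records and flag a new call whose value for one of those features is rare or unseen in that baseline. The record layout, the User-Agent heuristic, the 4-hour time blocks, the MIN_SHARE threshold and the constructed log are all assumptions made for this example.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Share of baseline calls below which a feature value counts as "unexpected" (assumed).
MIN_SHARE = 0.05

EVENT_TYPES = {
    "region": "Calls from unexpected regions",
    "ip": "Calls from unexpected IP addresses",
    "terminal": "Calls from unexpected terminals",
    "time_range": "Calls during unexpected time ranges",
}


def client_type(user_agent: str) -> str:
    """Coarse terminal classification from the User-Agent header (heuristic)."""
    ua = user_agent.lower()
    if ua.startswith(("python-requests", "curl/", "go-http-client", "java/")):
        return "script"
    return "browser" if "mozilla/" in ua else "other"


def features(rec: dict) -> dict:
    """Map one access-log record to the four baseline features."""
    hour = datetime.fromisoformat(rec["ts"]).hour
    block = (hour // 4) * 4                      # 4-hour blocks: 00-04, 04-08, ...
    return {
        "region": rec["region"],
        "ip": rec["ip"],
        "terminal": client_type(rec["ua"]),
        "time_range": f"{block:02d}-{block + 4:02d}",
    }


def build_baseline(log: list) -> dict:
    """Per-API counts of each feature value over the baseline window."""
    baseline = defaultdict(lambda: defaultdict(Counter))
    for rec in log:
        for name, value in features(rec).items():
            baseline[rec["api"]][name][value] += 1
    return baseline


def detect_events(baseline: dict, rec: dict) -> list:
    """Return (event type, observed value) pairs where a call deviates from its API's baseline."""
    profile = baseline.get(rec["api"])
    if profile is None:
        return []                                # no history for this API: nothing to compare
    events = []
    for name, value in features(rec).items():
        counts = profile[name]
        share = counts[value] / sum(counts.values())   # Counter returns 0 for unseen values
        if share < MIN_SHARE:
            events.append((EVENT_TYPES[name], value))
    return events


# Constructed baseline (not real WAF logs): 40 calls over five working days,
# all from Beijing, three office IP addresses, browsers, between 09:00 and 16:59.
BASELINE_LOG = [
    {"api": "GET /api/v1/orders", "ip": f"203.0.113.{10 + i % 3}", "region": "Beijing",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0",
     "ts": f"2024-04-0{1 + i % 5}T{9 + i % 8:02d}:15:00"}
    for i in range(40)
]

NORMAL_CALL = {"api": "GET /api/v1/orders", "ip": "203.0.113.11", "region": "Beijing",
               "ua": "Mozilla/5.0 (Macintosh) Safari/605.1", "ts": "2024-04-08T10:30:00"}
SUSPECT_CALL = {"api": "GET /api/v1/orders", "ip": "198.51.100.7", "region": "United States",
                "ua": "python-requests/2.31.0", "ts": "2024-04-08T03:02:00"}

if __name__ == "__main__":
    baseline = build_baseline(BASELINE_LOG)
    print("normal call:", detect_events(baseline, NORMAL_CALL))
    for event, value in detect_events(baseline, SUSPECT_CALL):
        print(f"{event}: {value}")
```

The suspect call trips all four event types at once; in practice each of them on its own is a weak signal (a travelling employee, a new office egress address), and the combination is what makes the call worth a look.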

Prerequisites

A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.

Step 1: View basic detection data

Before you enable the API security module, you can view the overview information about security events and API assets and view security event data to obtain security information about APIs. By default, basic detection is enabled for subscription WAF instances. If you do not want to obtain basic detection data, skip this step.

Note

You cannot enable basic detection for pay-as-you-go WAF instances.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, choose Protection Configuration > Scenario-specific Protection > API Security.

  3. In the Basic Detection section, view basic detection data.

    • Security Event Overview: displays the total number of API security events, and the number of high-risk, medium-risk, and low-risk API security events.

    • API Asset Overview: displays the total number of APIs, the number of active APIs, and the number of deactivated APIs.

    • Security Events: displays the names, API paths, domain names, attack sources, and occurrence time of security events.

    If you want to view the number of APIs that transfer sensitive data or view risk details and suggestions on how to handle security events, you can enable the API security module. For more information, see Step 2: Enable the API security module.

    If you do not want to view basic detection data, turn off Basic Detection.

Step 2: Enable the API security module

Important
  • Data computing and analysis are performed offline on access logs. The API security module does not actively probe your APIs by sending requests to them and does not affect your business.

  • The API security module inspects responses that have specific characteristics to determine whether data leaks occurred. When you enable the module, you authorize WAF to analyze the response data of your protected objects. Enable the API security module based on your business requirements.

  1. Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and the region in which the WAF instance is deployed. You can select Chinese Mainland or Outside Chinese Mainland for the region.

  2. In the left-side navigation pane, choose Protection Configuration > Scenario-specific Protection > API Security.

  3. Enable the API Security module.

    • Apply for a free trial of the API security module

      Note
      • Each Alibaba Cloud account can apply for the free trial only once.

      • The free trial is valid for seven days. The security analysis results that are generated during the trial period are available only during the trial period. If you want to retain the security analysis results, enable the API security module before the trial period ends.

      On the API Security page, click Try Now. On the Try Now page, enter the application information and click Submit.

      After you submit your trial application, Alibaba Cloud engineers will contact you based on the contact information that you submit to confirm information that is related to your application. After your trial application is approved, the API security module is automatically enabled for your WAF instance.

    • Enable the API security module

      1. On the API Security page, click Enable Now.

      2. On the Enable Now page, set the API Security parameter to Enable, click Buy Now, and then complete the payment.

Step 3: View API security data

View overview data

On the Overview tab of the API Security page, view the security analysis results.

Section

Description

Operation

API Security Events (Figure 1)

Displays the total number of security events, including High-risk Events, Medium-risk Events, and Low-risk Events security events. The daily change in the total number of security events is also displayed to the right of the total number of security events.

N/A

API Risk Items (Figure 2)

Displays the total number of API risk items, including High-risk Items, Medium-risk Items, and Low-risk Items items. The daily change in the total number of API risk items is also displayed to the right of the total number of API risk items.

N/A

API Asset Overview (Figure 3)

Displays information about API assets based on statistics, including the following items:

  • The Total API Assets, the New Events Today, and the Trend in Number of APIs in Last 7 Days

  • The Active APIs, the New Events Today, and the Trend in Number of APIs in Last 7 Days

  • The numbers of Deactivated APIs, New APIs, APIs that are called by bots, and APIs over which sensitive data is transferred across borders

  • APIs that are called to transfer sensitive data

N/A

API Asset List (Figure 4)

Displays the details of all APIs that are detected by WAF. The API assets list contains the following information: API name, domain name, request method, number of calls in the previous 30 days, sensitivity level of detected sensitive data, type of detected sensitive data, object for which the API is called to provide services, and purpose of the API call.

Specify the items that you want to view in the API Assets section

In the upper-right corner of the API Assets section, click the settings icon to specify the items that you want to view.

Search for APIs

To search for APIs, you can use the following methods:

  • Basic search

    In the upper part of the API Assets section, click the expand icon and select API Operation or Domain Name from the drop-down list. Then, enter the corresponding information in the search box.

  • Advanced search

    Click Advanced Search and specify search conditions such as time range, Sensitivity Level, Sensitive Data Type, Status, and Track.

  • Click the filter icon to the right of Request Method, Service Object, or Purpose to filter APIs.

  • Click the sort icon to the right of Calls Within Last 30 Days, Bot Requests, Cross-border Requests, or Risk Items/Events to sort APIs.

Manage APIs

To manage APIs, you can use the following methods:

  • Track APIs

    Find the API that you want to track and click the follow icon in the Follow column.

  • Enter remarks for APIs

    Find the API for which you want to enter remarks and click the edit icon in the Remarks column. Enter the remarks and click the confirm icon.

  • View API risk and security event details

    Find the API whose risk and security event details you want to view and click the number in the Risk Items/Events column to view the risk or security event details. For more information, see View API risk details.

  • View API details

    Click the name of the API whose details you want to view. On the API Details page, you can view the following details:

    • Basic information

      • In the Basic Information section, you can view the name, domain name, request method, sensitive data type, service object, purpose, earliest detection time, time when the most recent call is sent, and remarks of the API.

      • You can modify the remarks in the Basic Information section.

    • Sample requests

      • On the Sample Request tab, you can view sample requests, request parameter types, and sample sensitive information.

      • Click Browser to send a GET request in a browser.

      • Click Command Line to convert the sample request into a command line. Click Copy to copy the command line.

      • Click Copy Code to copy the sample request.

    • Risks and events

      1. On the Risks and Events tab, click Risk Detection or Security Events.

      2. Find the risk or event that you want to manage and click View Details in the Actions column. On the page that appears, handle the risk or event.

    • Protection suggestions

      On the Protection Suggestions tab, view the baseline graph of API calls and protection suggestions. You can configure protection policies based on the provided suggestions.

    • Traffic analytics

      On the Traffic Analytics tab, you can view the following information:

      • The total number of API calls in the previous 30 days, the number of API calls by bots, and the number of cross-border requests

      • The total traffic, bot traffic, cross-border traffic, trend in the number of API calls in the previous 30 days, and top 20 source IP addresses

      • Referer statistics, client type statistics, and location statistics

Export API data

Only Alibaba Cloud accounts can export API data.

  1. In the upper-right corner of the API Assets section, click the download icon to create an export task.

  2. In the upper-right corner of the API Security page, click Export Record. On the Export Record page, find the file that you want to download and click Download in the Actions column.

Note
  • If you specify search conditions before you export API data, only the queried data is included in the exported file. If you do not specify search conditions before you export API data, all data is included in the exported file.

  • You can download the exported file in the WAF console within three days after the file is generated. We recommend that you download the exported file at the earliest opportunity.

  • The downloaded file is saved in your default download location.

View risk detection data

On the Risk Detection tab of the API Security page, view API risk detection data.

Section

Description

Operation

API Risk Overview (Figure 1)

Displays the Total Risk Items, including High-risk Items, Medium-risk Items, and Low-risk Items items. The daily change in the total number of risk items is also displayed to the right of the total number of risk items.

Click View to the right of the number of High-risk Items, Medium-risk Items, or Low-risk Items items to view the risk details.

Trend of API Risks (Figure 2)

Displays the trend in the number of High, Medium, and Low items in the previous 30 days in a trend chart.

Click High, Medium, or Low below the trend chart to view specific data.

API Risk Types (Figure 3)

Displays statistics about the types of API risks in a pie chart. For more information, see What types of API risks can be detected by the API security module?

Click a type of API risk to the right of a pie chart to view specific data.

API Risk Details (Figure 4)

Displays the details of all API risks that are detected by WAF. The API risk list contains the following information: risk item ID, risk type, source type, API, domain name, purpose, status, and number of security events.

Specify the items that you want to view in the API Risk Details section

Click the settings icon to select the items that you want to view.

Search for API risks

To search for API risks, you can use the following methods:

  • Basic search

    In the upper part of the API Risk Details section, click the expand icon and select API Operation, Domain Name, or Risk Item ID from the drop-down list. Then, enter the corresponding information in the search box.

  • Advanced search

    Click Advanced Search and specify search conditions such as time range, Risk Type, Risk Level, and Status.

  • Click the filter icon to the right of Risk Type or Purpose to filter API risks.

  • Click the sort icon to the right of Risk Level, First Detected At, or Security Events to sort API risks.

Manage API risks

You can perform the following operations to manage API risks:

  • Change the status of an API risk

    Find the risk whose status you want to change and click the edit icon in the Status column. Then, select a state and click OK.

  • View the details of APIs that are used

    Click the source API of a risk. On the API Details page, view the API details. For more information, see View API details.

  • View API risk details

    Find the ID of the risk whose details you want to view and click View Details in the Actions column. On the page that appears, you can view the following details:

    • Basic information

      • In the Basic Information section, you can view the API, risk item ID, earliest time when the risk is detected, time when the most recent call is sent, risk description, detection logic, suggestions, domain name, purpose, and status.

      • You can change the status of a risk in the Basic Information section.

        If the status of a risk is Confirmed, False Positive, or Ignore, you can enter remarks. If the status of a risk is Ignore, you must specify a time range during which the risk is ignored.

    • Risk verification

      On the Risk Verification tab, you can perform the following operations:

      • View the sample request.

      • Click Browser to send a GET request in a browser.

      • Click Command Line to convert the sample request into a command line. Click Copy to access the command line.

      • Click Copy Code to copy the sample request.

    • Operation records

      On the Operation Records tab, view the operation records of the risks.

Export API risk data

The method to export API risk data is similar to the method to export API data. For more information, see Export API data.

View security event data

On the Security Events tab of the API Security page, view the security event analysis results.

Section

Description

Operation

Overview of API Security Events (Figure 1)

Displays the total number of API security events, including High-risk Events, Medium-risk Events, and Low-risk Events security events. The daily change in the total number of API security events is also displayed to the right of the total number of API security events.

Click View to the right of the number of High-risk Events, Medium-risk Events, or Low-risk Events security events to view the event details.

Trend of API Security Events (Figure 2)

Displays the trend in the number of high-risk, medium-risk, and low-risk security events in the previous 30 days in a trend chart.

Click High, Medium, or Low below the trend chart to view specific data.

Types of API Security Events (Figure 3)

Displays statistics about the types of API security events in a pie chart. For more information, see What types of exception events can be detected by the API security module?

Click a type of API security event to the right of a pie chart to view specific data.

Details of API Security Events (Figure 4)

Displays the details of all API security events that are detected by WAF. The API security event list contains the following information: event ID, event type, source type, API, domain name, purpose of the API call, attack source, attack status, and associated risk.

Specify the items that you want to view in the Details of API Security Events section

Click the settings icon to select the items that you want to view in the Details of API Security Events section.

Search for API security events

To search for API security events, you can use the following methods:

  • Advanced search

    Click Advanced Search and specify search conditions such as time range, Event Type, Event Level, Status, and Attack Source.

  • Basic search

    In the upper part of the Details of API Security Events section, click the expand icon and select API Operation, Domain Name, or Event ID from the drop-down list. Then, enter the corresponding information in the search box.

  • Click the filter icon to the right of Risk Type or Purpose to filter API security events.

  • Click the sort icon to the right of Risk Level, First Detected At, Attack Event, or Event Time to sort API security events.

Manage API security events

To manage API security events, you can use the following methods:

  • Change the status of an API security event

    Find the security event whose status you want to change and click the edit icon in the Status column. Select a state and click OK.

  • View APIs that are used

    Click the source API of the security event. On the API Details page, view the API details. For more information, see View API details.

  • View the details of an API security event

    Find the security event whose details you want to view and click View Details in the Actions column. On the Event Details page, view the details of the event.

    • Basic information

      • View the API, event ID, domain name, purpose, and status.

      • Change the status of a security event.

        If the status of a security event is Confirmed, False Positive, or Ignore, you can enter remarks.

    • Event details

      • On the Event Details tab, you can view the attack source, attack start time, attack end time, number of attacks, event description, request data, response data, and handling suggestions.

      • Click Log Details to view the log details of an event.

    • Operation records

      The operation records of the API security events are displayed on the Operation Records tab.

Export API security event data

The method to export API security event data is similar to the method to export API data. For more information, see Export API data.

Step 4: Check the compliance of outbound data transfer and trace sensitive data

If your business requires providing information abroad, you must apply to the national cyberspace administration for the security assessment of the outbound data transfer through the local provincial cyberspace administration. The compliance check and tracing and auditing features of the API security module help you prepare for this. These features are supported only in the Chinese mainland.

View compliance check data

On the Compliance Check tab of the API Security page, you can query compliance check data of specific protected objects in a specific period of time.

  • Specify the time range to query.

    By default, compliance check data that is generated from January 1 of the previous year to the current day is displayed. You can also click Change Detection Configuration, configure the Evaluation Period parameter, and then click Save Configurations.

    Note

    If you refresh the page after you view compliance check data for a custom time range, the time range to query is reset to the default time range.

  • Specify protected objects for which you want to enable compliance check

    By default, compliance check is enabled for all protected objects. If you want to exclude specific protected objects from traffic analysis, you can disable compliance check for the protected objects. For more information, see Specify protected objects.

The following table describes the details of compliance check data.

Section

Description

Detection Results

Displays the types of personal information and sensitive personal information that are detected by the compliance check feature and the detection results. Valid values of detection results:

  • No risks in outbound data transfer exist.

  • Risks in outbound data transfer exist, and filings are required.

  • Risks in outbound data transfer exist, and an application for a security assessment is required.

Detection Items

Displays the number of personal information entries that are transferred abroad, number of natural persons associated with the personal information, and evaluation results.

Outbound Transferred Data Trend

Displays the amount of sensitive personal information that is transferred abroad, total amount of personal information, and trend in the amount of personal information that is transferred abroad in a specific period of time in a chart.

Flow Distribution of Outbound Transferred Data

Displays the cross-border flow of data on a map of the world. A darker color indicates a larger amount of data.

  • If you move the pointer over the map, you can view the regions to which the data is transferred and the amounts of personal information and sensitive personal information transferred abroad.

  • You can zoom in or zoom out the map.

Statistics on Types of Outbound Transferred Personal Information

Displays different types of personal information and sensitive personal information that are transferred abroad since January 1 of the previous year and the evaluation results in a list. For information about the standards for the security assessment and filing of outbound data transfer, see What are the standards for the security assessment and filing of outbound data transfer?

Statistics on Domain Names in Personal Information and API Names

Displays the domain names and APIs on which personal information and sensitive personal information are detected in a list.

Trace sensitive data

On the Tracing and Auditing tab of the API Security page, view tracing and auditing data of sensitive data.

Important

By default, the tracing and auditing feature is disabled. To enable the feature, click Applicable Object Configurations on the Policy Configurations tab and turn on Tracing and Auditing. For more information, see Specify protected objects.

Feature

Description

Log Query

Displays the IP addresses and APIs that are used to obtain sensitive data, domain names whose sensitive data is leaked, and details of the leaked data.

  • IP Address Statistics: displays the IP addresses that are used to obtain sensitive data. The IP addresses are arranged in descending order based on the number of leaked sensitive data entries.

  • Domain Name Statistics: displays the domain names whose sensitive data is leaked. The domain names are arranged in descending order based on the number of leaked sensitive data entries.

  • Sensitive Data Type Statistics: displays the types of leaked sensitive data. The sensitive data types are arranged in descending order based on the number of leaked sensitive data entries.

  • Sensitive API Name: displays the APIs on which sensitive data is leaked and the domain names whose sensitive data is leaked. The APIs and domain names are arranged in descending order based on the number of leaked sensitive data entries.

  • Details: displays the detailed logs of the sensitive data leaks.

    You can specify the domain name, API, sensitive data type, and IP address conditions to search for specific logs.

Data Traceability

Enter sample sensitive data and obtain the tracing result.

  1. On the Policy Configurations tab, click Applicable Object Configurations and turn on Tracing and Auditing for the protected objects whose data you want to trace.

  2. Select the type of sensitive data that you want to trace and enter sample sensitive data.

    Note

    The tracing results are cross-validated against the sample data, so accuracy increases with the number of sample data entries that you enter. You can enter up to five sample data entries. Separate multiple sample data entries with commas (,).

  3. Find the tracing result that you want to view and click View Details in the Actions column. On the Log Query tab, view tracing information.

Step 5: Configure API security policies

You can configure detection policies for APIs based on your business requirements: authentication credential policies, sensitive data type policies, attack detection model policies, business purpose policies, and API lifecycle management policies. Custom policies improve the detection accuracy and recall rate of the API security module.

Configure an authentication credential policy

After you create an authentication credential detection policy, the built-in model detects specific request parameters to check whether requests contain authentication credentials. This helps improve the detection accuracy for unauthorized requests.

  1. On the API Security page, click the Policy Configurations tab. Then, click Authentication Credential.

  2. In the Authentication Credential section, click Create Policy. Configure the parameters and click OK. The following table describes the parameters.

    Parameter

    Description

    Field Name

    The name of the parameter that you want the policy to detect. For example, if the request body is xxx=123&yyy=456, the parameter names are xxx and yyy.

    Position

    The type of parameter that you want the policy to detect. Valid values:

    • GET Parameter Name

    • POST Parameter Name

    • Cookie

    • Header

    Status

    The status of the policy. By default, the policy is enabled.
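The policy above only tells the built-in model where to look for a credential; it does not validate the credential. The following added example (not code from the page or from WAF) shows the check that such a policy implies: given a list of policies (Field Name plus Position) and a parsed request, decide whether the request carries any configured credential, and list the API paths that are reached without one. The requests, the policy fields (Authorization, session_id, access_token, token) and the API paths are all constructed for the example; an empty value is treated as no credential.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed policies, one per row of the Authentication Credential table:
# Field Name plus Position. The position strings are the ones the console offers.
CREDENTIAL_POLICIES = [
    {"field": "Authorization", "position": "Header"},
    {"field": "session_id", "position": "Cookie"},
    {"field": "access_token", "position": "GET Parameter Name"},
    {"field": "token", "position": "POST Parameter Name"},
]

# Constructed requests to a hypothetical API (not traffic from the page).
SAMPLE_REQUESTS = [
    {"method": "GET", "url": "/api/v1/orders?page=1",
     "headers": {"Authorization": "Bearer eyJ0eXAi"}, "body": ""},
    {"method": "GET", "url": "/api/v1/orders/42",
     "headers": {"Cookie": "theme=dark; session_id=9f3a1c"}, "body": ""},
    {"method": "POST", "url": "/api/v1/export",
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     "body": "format=csv&token=t0k3n"},
    {"method": "GET", "url": "/api/v1/users/7/profile", "headers": {}, "body": ""},
    # Empty credential value: treated as absent, not as a credential.
    {"method": "GET", "url": "/api/v1/orders?access_token=", "headers": {}, "body": ""},
]


def _parse_cookies(header_value):
    """Split a Cookie header into a name -> value dict, dropping empty values."""
    cookies = {}
    for part in header_value.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and value:
            cookies[name] = value
    return cookies


def _credential_slots(request):
    """Return the four positions a policy can point at, keeping only non-empty values."""
    query = parse_qs(urlsplit(request["url"]).query)  # blank values are dropped by default
    body = parse_qs(request.get("body", ""))
    headers = {k.lower(): v for k, v in request.get("headers", {}).items() if v}
    cookies = _parse_cookies(headers.get("cookie", ""))
    return {
        "GET Parameter Name": set(query),
        "POST Parameter Name": set(body),
        "Cookie": set(cookies),
        "Header": set(headers),
    }


def has_credential(request, policies=CREDENTIAL_POLICIES):
    """True if any policy's field is present, with a value, at its configured position."""
    slots = _credential_slots(request)
    for policy in policies:
        field = policy["field"]
        if policy["position"] == "Header":
            field = field.lower()  # header names are case-insensitive
        if field in slots[policy["position"]]:
            return True
    return False


def unauthenticated_requests(requests, policies=CREDENTIAL_POLICIES):
    """Paths of requests that reach an API without any configured credential."""
    return [urlsplit(r["url"]).path for r in requests if not has_credential(r, policies)]


if __name__ == "__main__":
    for path in unauthenticated_requests(SAMPLE_REQUESTS):
        print("no credential:", path)
```

The check establishes presence, not validity: a request that carries a garbage bearer token passes it. That is the right scope for a WAF-side unauthorized-access signal, which flags APIs that answer requests with no credential at all; token validation stays with the application.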

Configure a sensitive data type policy

The API security module provides the following two sensitive data type policies:

  • Built-in policies

    WAF provides built-in detection logic for common sensitive data types such as ID card numbers, bank card numbers, names, addresses, and mobile phone numbers. You can enable or disable a built-in policy based on your business requirements. You cannot modify or delete built-in policies.

  • Custom policies

    If the built-in policies cannot meet your business requirements, you can configure custom sensitive data types.

    1. On the API Security page, click the Policy Configurations tab. Then, click Sensitive Data Type.

    2. In the Sensitive Data Type section, click Create Policy. Configure the parameters and click OK. The following table describes the parameters.

      Parameter

      Description

      Package Name

      The name of the policy.

      The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).

      Type

      The detection mode of the custom policy.

      • Basic: You can perform simple configurations in this mode.

        If you select Basic, you must configure the Characters and Length parameters.

        • Characters: the characters that you want the policy to detect. Valid values: Numeric, Uppercase Letters, and Lowercase Letters. You can select multiple values.

        • Length: the character length. Valid values: 6 to 64. The start and end values of this parameter must be integers.

      • Expert: supports the use of regular expressions.

        If you select Expert, you must enter a regular expression. To reduce false positives, make sure that the regular expression can only match strings of at least 6 characters; short patterns match fragments of ordinary numbers and identifiers.

      Sensitivity Level

      The sensitivity level of the detected sensitive data. Valid values: High Sensitivity, Moderate Sensitivity, and Low Sensitivity.

      Status

      The status of the policy. By default, the policy is enabled.
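The two modes above are easiest to compare in code. The following added example (not WAF's own detection logic) compiles a Basic-mode policy (character classes plus a length range) into a regular expression, takes Expert-mode policies as raw regular expressions, and scans a constructed API response body with both. It also enforces the 6-character minimum at match time, so a deliberately weak Expert pattern shows how many short matches would have been reported. The policy names, sensitivity levels and the response body are constructed for the example; the sample values are not real personal data.

```python
import re

# Character classes offered by Basic mode; the console restricts Length to 6..64.
CHARACTER_CLASSES = {
    "Numeric": "0-9",
    "Uppercase Letters": "A-Z",
    "Lowercase Letters": "a-z",
}
MIN_MATCH_LENGTH = 6  # the page's advice for Expert mode; applied to both modes here


def compile_basic_policy(characters, min_len, max_len):
    """Turn a Basic-mode policy into a regex matching a run of the chosen classes.

    Lookarounds stop the policy from firing on a slice of a longer run.
    """
    if not MIN_MATCH_LENGTH <= min_len <= max_len <= 64:
        raise ValueError("Length must satisfy 6 <= start <= end <= 64")
    cls = "".join(CHARACTER_CLASSES[c] for c in characters)
    return re.compile(rf"(?<![{cls}])[{cls}]{{{min_len},{max_len}}}(?![{cls}])")


def compile_expert_policy(pattern):
    """Expert mode: the policy is the regular expression itself."""
    return re.compile(pattern)


def scan(body, policies):
    """Apply (name, sensitivity level, regex) policies to a response body.

    Returns the detected values and the number of matches suppressed for being
    shorter than MIN_MATCH_LENGTH, the misdetection risk the page warns about.
    """
    hits, suppressed = [], 0
    for name, level, regex in policies:
        for match in regex.finditer(body):
            if len(match.group(0)) < MIN_MATCH_LENGTH:
                suppressed += 1
                continue
            hits.append((name, level, match.group(0)))
    return hits, suppressed


# Constructed response body from a hypothetical API; none of these values are real.
SAMPLE_RESPONSE = (
    '{"user":"alice","phone":"13800138000","id_card":"11010119900101123X",'
    '"order":"A1B2C3D4","employee":"EMP-20481","zip":"100000","short":"ab12"}'
)

POLICIES = [
    # Basic: an 8-character order number made of digits and uppercase letters.
    ("Order Number", "Moderate Sensitivity",
     compile_basic_policy(["Numeric", "Uppercase Letters"], 8, 8)),
    # Expert: an internal employee ID with a fixed prefix.
    ("Employee ID", "High Sensitivity", compile_expert_policy(r"EMP-\d{5}")),
    # Expert, deliberately too short: matches 4-digit slices of almost any number.
    ("Weak Pattern", "Low Sensitivity", compile_expert_policy(r"\d{4}")),
]


def scan_sample():
    """Run the constructed policies over the constructed body."""
    return scan(SAMPLE_RESPONSE, POLICIES)


if __name__ == "__main__":
    hits, suppressed = scan_sample()
    for hit in hits:
        print(hit)
    print("suppressed short matches:", suppressed)
```

The lookarounds in the Basic-mode regex matter: without them, the 8-character order-number policy would also fire on the first eight digits of the 11-digit phone number and of the 18-character ID card number, which the built-in policies already cover. The weak `\d{4}` pattern produces eight sub-6-character matches on this one small body, which is the kind of noise the 6-character rule exists to prevent.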

Configure an attack detection model policy

To improve the detection recall rate of exception events, you can create a custom detection model policy.

  1. On the API Security page, click the Policy Configurations tab. Then, click Attack Detection Model.

  2. In the Attack Detection Model section, click Create Policy. Configure the parameters and click OK. The following table describes the parameters.

    Parameter

    Description

    Rule Name

    The name of the policy.

    The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).

    Matching Condition

    Specify the characteristics of requests that match the rule.

    Each match condition consists of the Match Field, Logical Operator, and Match Content parameters. For information about match fields and logical operators, see the following table.

    Click Add Condition to add a match condition. You can add up to five match conditions to a rule. If you add multiple match conditions, the rule is matched only when all match conditions are met.

    Statistical Interval

    The statistical interval for attack detection. Default value: 15. Unit: minutes.

    Calls

    The upper limit on the number of matched API calls within the statistical interval. The rule is evaluated only after this limit is exceeded.

    Statistical Object

    The data deduplication mode. Valid values:

    • Disable Statistics: Deduplication is not performed on matched requests. In this case, alerts are triggered for all requests that meet the match conditions.

    • Specified Parameters: Deduplication is performed only on specified parameters in matched requests. In this case, alerts are triggered when the number of different values of the specified parameters in the matched requests exceeds the upper limit after deduplication.

      If you select this value, you must configure the following parameters:

      • Parameter Position: the type of request parameter. Valid values: GET Parameter and POST Parameter.

      • Parameter Name: the name of the parameter.

      • Threshold: the maximum number of different values of the specified parameter.

    • All Parameters: Deduplication is performed on all parameters of matched requests. In this case, alerts are triggered when the number of different values of a parameter in matched requests exceeds the upper limit after deduplication.

      If you select this value, you must configure the following parameters:

      • Excluded Parameter Name: the parameters on which you do not want to perform value deduplication. Separate multiple parameters with commas (,). Exclude parameters whose values legitimately change on every request, such as the timestamp and PageNumber parameters; otherwise, their distinct values alone exceed the threshold and trigger false alerts.

      • Threshold: the maximum number of different values of a specific parameter.

    Configuration example

    When the request body of a logon API is username=admin&pass=******:

    • To detect brute-force attacks, select Specified Parameters and configure the following parameters:

      • Parameter Position: Select POST Parameter from the drop-down list.

      • Parameter Name: Enter pass.

      • Threshold: Enter 30.

      The preceding configurations specify that an alert is triggered when the number of API calls exceeds the upper limit and the number of different values of the pass POST parameter exceeds 30.

    • To detect dictionary attacks, select All Parameters and configure the following parameters:

      • Excluded Parameter Name: Leave this parameter empty.

      • Threshold: Enter 30.

      The preceding configurations specify that an alert is triggered when the number of API calls exceeds the upper limit and the number of different values of the username or pass parameter exceeds 30.

    Event Level

    The level of the security events that you want to detect. Valid values: High Risk, Medium, and Low.

    Status

    The status of the policy. By default, the policy is enabled.

    Supported match fields

    Field

    Logical operator

    Description

    URL

    • Equals One of Multiple Values and Does Not Equal Any Value

    • Contains One of Multiple Values and Does Not Contain Any Value

    • Length Equal To, Length Greater Than, and Length Less Than

    The URI of the request. The URI indicates the requested resource.

    The match content must start with a forward slash (/) and cannot contain a domain name. Example: /login.php.

    IP

    Belongs To and Does Not Belong To

    The source IP address of the request.

    You can specify the IP address based on the following descriptions:

    • You can enter an IPv4 address, such as 1.XX.XX.1, or an IPv6 address, such as 2001:db8:ffff:ffff:ffff:ffff:ffff:ffff.

    • You can enter a CIDR block, such as 1.XX.XX.1/16.

    • You must press the Enter key each time you enter an IP address.

    • You can enter up to 100 IP addresses.

      Note

      The limit of 100 IP addresses or CIDR blocks applies to the whole protection rule. For example, if a rule contains two match conditions that use IP as the match field, the match content of the two conditions can contain up to 100 IP addresses or CIDR blocks in total. Multiple IP addresses or CIDR blocks must be separated with commas (,).

    User-Agent

    Contains One of Multiple Values and Does Not Contain Any Value

    The browser information about the client that sends the request. The information includes the browser, rendering engine, and version.

    Request Method

    Equals One of Multiple Values and Does Not Equal Any Value

    The request method. Valid values: GET, POST, DELETE, PUT, OPTIONS, CONNECT, HEAD, TRACE, and PATCH. You can specify multiple request methods.

    Request Length

    Equals, Value Greater Than, and Value Less Than

    The number of bytes that are included in the request. Valid values: 0 to 8192.

    Response Length

    The number of bytes that are included in the response. Valid values: 0 to 8192.

    GET Parameter

    • Length Equal To, Length Greater Than, and Length Less Than

    • Exists, Does Not Exist

    • Contains One of Multiple Values and Does Not Contain Any Value

    The parameter of the GET request. If you select this match field, you must specify the parameter name.

    POST Parameter

    The parameter of the POST request. If you select this match field, you must specify the parameter name.

    Cookie Parameter

    The parameter in the cookie that is included in the request. If you select this match field, you must specify the parameter name.

    Authentication

    Equals

    Whether the caller of the request is authenticated and has the permissions to access the API.

    Service object

    Equals One of Multiple Values and Does Not Equal Any Value

    The object for which the API is called to provide services. You can specify multiple objects.

    Purpose

    The purpose of the API call. You can specify multiple purposes.

    Response Status Code

    The HTTP status code of the API. Press the Enter key each time you enter a status code. You can enter up to 50 status codes.

    Sensitive Data Type

    The types of sensitive data for which the API is called. You can select multiple types of sensitive data.

    Sensitivity Level

    The sensitivity level of the sensitive data for which the API is called. You can select multiple sensitivity levels.
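The configuration example above (brute-force versus dictionary attack on a logon API) and the Statistical Object modes are implemented below as an added example; this is illustrative code, not WAF's detection engine. It evaluates a rule over constructed access-log records: match conditions are ANDed (URL equals /login.php, method is POST), a window of Statistical Interval minutes slides over the matched requests, and once the Calls limit is exceeded the distinct values of the specified parameter, or of every non-excluded parameter, are counted against Threshold. The log records, the scaled-down thresholds (5 instead of 30) and the assumption that statistics are computed per API rather than per source IP are all the example's own.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Constructed access-log records (timestamp, source IP, method, URL, POST body).
# They are not real WAF logs; the addresses are documentation ranges.
SAMPLE_LOG = [
    ("2024-04-15T10:00:00", "203.0.113.5", "POST", "/login.php",
     "username=admin&pass=123456&timestamp=1713175200"),
    ("2024-04-15T10:00:10", "203.0.113.5", "POST", "/login.php",
     "username=admin&pass=password&timestamp=1713175210"),
    ("2024-04-15T10:00:20", "203.0.113.5", "POST", "/login.php",
     "username=admin&pass=admin123&timestamp=1713175220"),
    ("2024-04-15T10:00:30", "203.0.113.5", "POST", "/login.php",
     "username=admin&pass=letmein&timestamp=1713175230"),
    ("2024-04-15T10:00:40", "203.0.113.5", "POST", "/login.php",
     "username=admin&pass=qwerty&timestamp=1713175240"),
    ("2024-04-15T10:00:50", "203.0.113.5", "POST", "/login.php",
     "username=admin&pass=welcome1&timestamp=1713175250"),
    ("2024-04-15T10:01:00", "198.51.100.7", "GET", "/login.php", ""),          # wrong method
    ("2024-04-15T10:01:05", "198.51.100.7", "POST", "/api/orders", "page=1"),  # wrong URL
    ("2024-04-15T10:30:00", "203.0.113.9", "POST", "/login.php",
     "username=bob&pass=hunter2&timestamp=1713177000"),                        # outside window
]

# Thresholds are scaled down from the page's example so the constructed log stays short.
BRUTE_FORCE_RULE = {
    "url": "/login.php", "methods": ["POST"], "interval_minutes": 15, "calls": 5,
    "statistical_object": "Specified Parameters",
    "parameter_position": "POST Parameter", "parameter_name": "pass", "threshold": 5,
}
DICTIONARY_RULE = {
    "url": "/login.php", "methods": ["POST"], "interval_minutes": 15, "calls": 5,
    "statistical_object": "All Parameters", "excluded": ["timestamp"], "threshold": 5,
}
VOLUME_RULE = {
    "url": "/login.php", "methods": ["POST"], "interval_minutes": 15, "calls": 5,
    "statistical_object": "Disable Statistics",
}


def _parse(entry):
    ts, ip, method, url, body = entry
    path, _, query = url.partition("?")
    return {
        "ts": datetime.fromisoformat(ts), "ip": ip, "method": method, "path": path,
        "GET Parameter": {k: v[0] for k, v in parse_qs(query).items()},
        "POST Parameter": {k: v[0] for k, v in parse_qs(body).items()},
    }


def _matches(rec, rule):
    """Match conditions are ANDed: URL equals the rule's URL and method is one of its methods."""
    return rec["path"] == rule["url"] and rec["method"] in rule["methods"]


def evaluate_rule(log, rule):
    """Return the first alert the rule raises over the log, or None.

    The window slides over matched requests only and counts per API (not per
    source IP, an assumption of this example); statistics are recomputed each
    time the Calls limit is exceeded.
    """
    interval = timedelta(minutes=rule.get("interval_minutes", 15))
    matched = sorted((r for r in map(_parse, log) if _matches(r, rule)), key=lambda r: r["ts"])
    window = []
    for rec in matched:
        window.append(rec)
        window = [w for w in window if rec["ts"] - w["ts"] < interval]
        if len(window) <= rule["calls"]:
            continue  # Calls limit not exceeded yet
        alert = {"time": rec["ts"].isoformat(), "calls": len(window), "parameters": []}
        obj = rule["statistical_object"]
        if obj == "Disable Statistics":
            return alert  # every matched request counts; no deduplication
        if obj == "Specified Parameters":
            name, pos = rule["parameter_name"], rule["parameter_position"]
            values = {w[pos][name] for w in window if name in w[pos]}
            if len(values) > rule["threshold"]:
                alert["parameters"] = [name]
                return alert
        elif obj == "All Parameters":
            distinct = defaultdict(set)
            for w in window:
                for pos in ("GET Parameter", "POST Parameter"):
                    for k, v in w[pos].items():
                        if k not in rule.get("excluded", []):
                            distinct[k].add(v)
            over = sorted(k for k, vs in distinct.items() if len(vs) > rule["threshold"])
            if over:
                alert["parameters"] = over
                return alert
    return None


if __name__ == "__main__":
    for label, rule in [("brute force", BRUTE_FORCE_RULE), ("dictionary", DICTIONARY_RULE),
                        ("volume only", VOLUME_RULE)]:
        print(label, "->", evaluate_rule(SAMPLE_LOG, rule))
```

Running the dictionary rule with an empty Excluded Parameter Name list reports timestamp alongside pass, because every request carries a fresh timestamp value; that is the false-positive path the exclusion list is for. Raising Threshold above the number of distinct passwords makes the brute-force rule stay silent even though the Calls limit is exceeded, which is the difference between a volume alert (Disable Statistics) and a deduplicated one.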

Configure a business purpose policy

The API security module provides the following two types of business purpose policies:

  • Built-in policies

    Multiple business purposes are configured in the built-in policies, such as data updates, data sharing, text message sending, and information sending. You can enable or disable a built-in policy based on your business requirements. You cannot modify or delete built-in policies.

  • Custom policies

    If the built-in policies cannot meet your business requirements, you can configure custom business purpose policies.

    1. On the API Security page, click the Policy Configurations tab. Then, click Business Purpose.

    2. In the Business Purpose section, click Create Policy. Configure the parameters and click OK. The following table describes the parameters.

      Parameter

      Description

      Name

      The name of the policy.

      The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).

      URL Characteristics

      The keywords of the characteristics of the URLs that are used in the business scenarios for which you want to create a business purpose policy.

      Note

      If you specify multiple keywords, the policy matches when any one of the keywords matches. When the policy matches, the business purpose note of the corresponding API is updated.

      Parameter

      The keywords of the parameters that are used in the business scenarios for which you want to create a business purpose policy.

      Status

      The status of the policy. By default, the policy is enabled.

Configure an API lifecycle management policy

You can specify the number of daily API calls and the number of consecutive days during which the API is not called to determine whether an API is a deactivated API.

  1. On the API Security page, click the Policy Configurations tab. Then, click Lifecycle Management.

  2. In the Lifecycle Management section, click Create Policy. Configure the parameters and click OK.

    • Click Built-in Model.

      If you select Built-in Model, APIs that are not called in the previous 30 days, or APIs whose call volume has declined, are determined to be deactivated APIs.

    • Click Custom and configure the number of daily calls and the number of consecutive days during which the API is not called.

      If you select Custom, you can specify the number of daily API calls and the number of consecutive days during which the API is not called to determine whether an API is a deactivated API.

Specify protected objects

The following switches are provided for you to enable or disable the built-in detection mechanism, custom detection policies, compliance check, and tracing and auditing.

  • Switch: You can turn on or turn off Switch to enable or disable the built-in detection mechanism and custom detection policies.

  • Compliance Check: You can turn on or turn off Compliance Check to enable or disable the compliance check feature. You can turn on Compliance Check only after you turn on Switch.

  • Tracing and Auditing: You can turn on or turn off Tracing and Auditing to enable or disable the tracing and auditing feature. You can turn on Tracing and Auditing only after you turn on Switch.

The billing method of your WAF instance determines whether the switches are turned on or turned off by default.

  • Subscription billing method: By default, Switch is turned on and Compliance Check and Tracing and Auditing are turned off.

  • Pay-as-you-go billing method: By default, Switch is turned off.

To turn on the preceding switches, click Applicable Object Configurations on the Policy Configurations tab.

Step 6: View the updated API security data

After you complete Step 5: Configure API security policies, you can view API security data on the Overview, Risk Detection, and Security Events tabs of the API Security page. For more information, see Step 3: View API security data.

Related operations

You can configure monitoring and alerting for API security events in the CloudMonitor console. This way, you can receive alert notifications when high-risk events are detected and obtain security information about your API assets at the earliest opportunity. For more information, see Configure CloudMonitor notifications.