- Overview
- Resources
- API summary
- List configurations
- List configuration versions
- Clone a configuration version
- Get configuration version details
- Export configuration version
- List selectable hostnames
- List selected hostnames
- Modify selected hostnames
- List security policies
- List match targets
- Create a match target
- Modify match target order
- Get a match target
- Modify a match target
- Remove a match target
- List custom rules
- Create a custom rule
- Get a custom rule
- Modify a custom rule
- Remove a custom rule
- List custom rule actions
- Modify a custom rule action
- Activate a configuration version
- Get an activation request status
- Get activation status
- Data
- Errors
Application Security API v1
Manage the Web Application Firewall (WAF) configuration for your Akamai security products.
Learn more:
Download this API’s RAML and JSON schema descriptors.
Overview
The Application Security API allows you to access and modify your Security Configurations for Kona Site Defender and Client Reputation. You can create, update, activate, and export versions of a security configuration. You can retrieve selectable hostnames and add them to the selected list to protect your website or API content. You also can add, modify, or delete custom rules and assign policy actions.
A Web Application Firewall (WAF) is an application security measure deployed between a web client and a web server that performs a deep inspection of every request and response for all common forms of web traffic. Identifying and isolating or blocking abnormal malicious traffic, a WAF effectively prevents threats from reaching the server.
All Custom Rule APIs and resources are in Beta.
Who should use this API
This API is for security operations teams and developers who implement Akamai security products for their organization. You need to have a working knowledge of your application and how the configurable objects interact. If you are not familiar with these topics, see Resources for more information.
Getting started
Before using the Application Security API for the first time:
Review Get Started with APIs for details on how to set up client tokens to access any Akamai API. These tokens appear as custom hostnames that look like this:
https://akzz-XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX.luna.akamaiapis.net.To enable this API, choose the API service named Application Security, and set the access level to READ-WRITE.
Example 1: add a hostname to a new configuration version
The following example presents the order of operations to modify a configuration, provide additional hostnames, and activate the new configuration version:
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Run Get configuration version details to retrieve a Configuration object.
You cannot edit the configuration version if it is ACTIVE on staging or production servers. To create a new version, craft a ConfigurationClone object and make a POST request to
/appsec/v1/configs/{configId}/versions.Run List selectable hostnames to retrieve a list of Set objects containing hostname information.
List selected hostnames to retrieve a SelectedHostnames object.
Modify the SelectedHostnames object.
Make a PUT request to
/appsec/v1/configs/{configId}/versions/{versionNumber}/selected-hostnames.Run List security policies and select a
policyId.Run Create a match target to create a new MatchTarget object. Note the
targetIdin the response.Modify the MatchTarget object.
Make a PUT request to
/appsec/v1/configs/{configId}/versions/{versionNumber}/match-targets/{targetId}.Run List match targets.
Craft a MatchTargetOrder object using the
targetIds.Make a PUT request to
/appsec/v1/configs/{configId}/versions/{versionNumber}/match-targets/sequence.Create an Activation object.
Make a POST request to
/appsec/v1/activationsto activate the configuration version.Run Get activation status to check the activation status. The response is an Activation object.
Example 2: add a custom rule to an existing configuration version
The following example presents the order of operations to modify a configuration, add a new custom rule, and activate the new configuration version:
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Run Get configuration version details to retrieve a Configuration object.
You cannot edit the configuration version if it is ACTIVE on staging or production servers. To create a new version, craft a ConfigurationClone object and make a POST request to
/appsec/v1/configs/{configId}/versions.Run Create a custom rule to create a new CustomRule object. Note the
ruleIdin the response.Run Get a custom rule.
Modify the CustomRule object.
Make a PUT request to
/appsec/v1/configs/{configId}/custom-rules/{ruleId}.Run List security policies and select a
policyId.Make a PUT request with a single-member object containing the specified
actionto/appsec/v1/configs/{configId}/versions/1/security-policies/{policyId}/custom-rules/{ruleId}.Create an Activation object.
Make a POST request to
/appsec/v1/activationsto activate the configuration version.Run Get activation status to check the activation status. The response is an Activation object.
Example 3: export an existing configuration version
The following example presents the order of operations to retrieve and export an existing configuration version:
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Make a GET request to
/appsec/v1/export/configs/{configId}/versions/{versionNumber}.
Resources
This section provides details on each API operation.
The following list provides a road map of all the conceptual objects you deal with when interacting with the Application Security API, and provides pointers to where you can learn more.
Configuration: A security configuration specifies hostnames, security policies, custom rules, and match targets. You activate a security configuration to Akamai’s edge servers, where it works with your delivery configuration to evaluate requests, and determines how to handle them.
Security configurations are versioned. This is a handy way to update a configuration, even if it’s active on staging or production. Clone a version and edit it. When it’s ready, activate and test the new version. As you refine and test your updates, you have an audit trail of changes and can rollback to prior versions. You can also export the details of a configuration version.
Hostnames: Selecting a hostname lets you specify the web content you want to protect in your configuration. You can retrieve a list of selectable hostnames and add new entries to the selected hostnames object in your configuration.
You can associate a security configuration with many hostnames, but a single hostname is covered by only one active security configuration at a time.
Security Policy: Security policies control how to respond to different requests and define the response action that occurs. If necessary, you can create more than one security policy. For example, you may need to apply one set of protections to website pages and a different set to APIs.
Custom Rule: Custom rules can handle scenarios not covered by the included standard rules and quickly patch new website vulnerabilities. You can trigger an alert or denial based on various components of the request, such as method, path, file extension, headers, cookies,query string, and POST body variables. Custom rules are configuration-level resources, which means they’re available to all policies in a security configuration, but they don’t version in lock-step. When you change a custom rule, it affects all inactive versions of your security configuration, but not activated ones. To roll back, you must choose a previously activated version.
Match Target: Defines which security policy applies to which API, hostname, or path. You can use a match target to focus a policy on a specific set of requests, such as those for
.asp,.jsp, or.phpfile types. When your security configuration assesses a request, it checks to see if the request meets match target criteria. If it does, protections apply. If not, content delivery starts.
API summary
Download the RAML descriptors for this API.
| Operation | Method | Endpoint |
|---|---|---|
| Security Configurations | ||
| List configurations | GET | /appsec/ |
| Security Configuration Versions | ||
| List configuration versions | GET | /appsec/ |
| Clone a configuration version | POST | /appsec/ |
| Security Configuration Version | ||
| Get configuration version details | GET | /appsec/ |
| Security Configuration Version Export | ||
| Export configuration version | GET | /appsec/ |
| Hostnames | ||
| List selectable hostnames | GET | /appsec/ |
| List selected hostnames | GET | /appsec/ |
| Modify selected hostnames | PUT | /appsec/ |
| Security Policies | ||
| List security policies | GET | /appsec/ |
| Match Targets | ||
| List match targets | GET | /appsec/ |
| Create a match target | POST | /appsec/ |
| Modify match target order | PUT | /appsec/ |
| Get a match target | GET | /appsec/ |
| Modify a match target | PUT | /appsec/ |
| Remove a match target | DELETE | /appsec/ |
| Custom Rules Builder | ||
| List custom rules | GET | /appsec/ |
| Create a custom rule | POST | /appsec/ |
| Get a custom rule | GET | /appsec/ |
| Modify a custom rule | PUT | /appsec/ |
| Remove a custom rule | DELETE | /appsec/ |
| Custom Rules Actions | ||
| List custom rule actions | GET | /appsec/ |
| Modify a custom rule action | PUT | /appsec/ |
| Security Config Activation | ||
| Activate a configuration version | POST | /appsec/ |
| Get an activation request status | GET | /appsec/ |
| Get activation status | GET | /appsec/ |
List configurations
Retrieves a list of available security configurations.
GET /appsec/
Status 200
application/json
Response Body:
{
"configurations": [
{
"id": 22330,
"latestVersion": 5,
"name": "CaroTestTransition2Versioning",
"description": "(user notes)"
},
{
"id": 7180,
"latestVersion": 9,
"name": "Corporate Sites WAF",
"productionHostnames": [
"example.com",
"www.example.net",
"m.example.com"
],
"productionVersion": 1,
"stagingVersion": 2
}
]
}
List configuration versions
Retrieves a list of versions available for the specified security configuration.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
configId |
Integer | 8277 |
A unique identifier for each configuration. |
| Optional query parameters | |||
detail |
Boolean | false |
When true, results contain detailed information on items. When false, results contain summary information on items. |
page |
Integer | 1 |
The index of the result page. If the value is -1, then pagination is ignored. The default value is 1. |
pageSize |
Integer | 10 |
The number of items in the result page. The default value is 25. |
Status 200
application/json
Response Body:
{
"totalSize": 3,
"pageSize": 3,
"page": 1,
"configId": 8277,
"configName": "TestConfig",
"stagingExpediteRequestId": 5861,
"productionExpediteRequestId": 6951,
"productionActiveVersion": 9,
"stagingActiveVersion": 8,
"lastCreatedVersion": 9,
"versionList": [
{
"version": 9,
"versionNotes": "Membership Benefits",
"createDate": "2013-10-07T17:58:52Z",
"createdBy": "user1",
"basedOn": 8,
"production": {
"status": "Active",
"time": "2014-07-08T07:40:00Z"
},
"staging": {
"status": "Inactive"
}
},
{
"version": 8,
"versionNotes": "Membership Benefits",
"createDate": "2013-10-07T17:41:52Z",
"createdBy": "user2",
"basedOn": 7,
"production": {
"status": "Inactive"
},
"staging": {
"status": "Active",
"time": "2014-07-08T07:40:00Z"
}
},
{
"version": 7,
"versionNotes": "Membership Benefits",
"createDate": "2013-08-07T17:41:52Z",
"createdBy": "user3",
"production": {
"status": "Inactive"
},
"staging": {
"status": "Inactive"
}
}
]
}
Run List configurations and select a
configId.Optionally, set the
pageSizeandpagequery parameters to control the size of each page, and navigate to specific pages of results.Optionally, enable the
detailquery parameter for detailed information on the items returned.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions{?page, pageSize, detail}
Clone a configuration version
Creates a new version of the specified security configuration.
POST /appsec/
Sample: /appsec/
Content-Type: application/json
Request Body:
{
"createFromVersion": 1,
"ruleUpdate": false
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
configId |
Integer | 8277 |
A unique identifier for each configuration. |
Status 200
application/json
Response Body:
{
"configId": 8277,
"configName": "TestConfig",
"version": 2,
"versionNotes": "Membership Benefits",
"createDate": "2013-10-07T17:58:52Z",
"createdBy": "user1",
"basedOn": 1,
"production": {
"status": "Active",
"time": "2014-07-08T07:40:00Z"
},
"staging": {
"status": "Inactive"
}
}
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Create a ConfigurationClone object.
Make a POST request to
/appsec/.v1/ configs/ {configId}/ versions
The response reflects the new Configuration object.
Get configuration version details
Retrieves details for a configuration version.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
configId |
Integer | 8277 |
A unique identifier for each configuration. |
versionNumber |
Integer | 2 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Response Body:
{
"configId": 8277,
"configName": "TestConfig",
"version": 2,
"versionNotes": "Membership Benefits",
"createDate": "2013-10-07T17:58:52Z",
"createdBy": "user1",
"basedOn": 1,
"production": {
"status": "Active",
"time": "2014-07-08T07:40:00Z"
},
"staging": {
"status": "Inactive"
}
}
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}
The response is a Configuration object.
Export configuration version
Retrieves all the details for a configuration version.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
configId |
Integer | 8277 |
A unique identifier for each configuration. |
versionNumber |
Integer | 2 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Response Body:
{
"configId": 8277,
"configName": "New Security Config",
"version": 2,
"basedOn": 1,
"staging": {
"status": "Inactive"
},
"production": {
"status": "Inactive"
},
"createDate": "2017-09-08T22:24:41Z",
"createdBy": "disharma",
"selectableHosts": [
"www.example1.com",
"www.example2.com"
],
"selectedHosts": [
"www.example3.com",
"www.example4.com"
],
"errorHosts": [
{
"hostname": "bankoflaverty.com",
"reasonCode": 400,
"reason": "property is not active in either production or staging"
},
{
"hostname": "culledentropy.com",
"reasonCode": 403,
"reason": "You don't have access to this property"
}
],
"ratePolicies": [
{
"allTraffic": false,
"averageThreshold": 3,
"burstThreshold": 2,
"clientIdentifier": "",
"createDate": "2017-09-08T22:24:42Z",
"id": 672601,
"matchType": "path",
"name": "dsafsfdsf",
"pathMatchType": "RequestDisabled",
"pathUriPositiveMatch": true,
"queryParameters": [
{
"name": "dasdasdasd*",
"positiveMatch": true,
"valueInRange": false,
"values": [
"dasdasdas8*&^"
]
}
],
"requestType": "ClientRequest",
"sameActionOnIpv6": true,
"type": "BOTMAN",
"updateDate": "2017-09-08T22:24:42Z",
"useXForwardForHeaders": false,
"used": false
},
{
"additionalMatchOptions": [
{
"positiveMatch": true,
"type": "NetworkListCondition",
"values": [
"25620_REPUTATIONWHITELIST174",
"11212_BYPASSURR"
]
},
{
"positiveMatch": true,
"type": "RequestMethodCondition",
"values": [
"GET",
"HTTP_DELETE"
]
},
{
"positiveMatch": true,
"type": "UserAgentCondition",
"values": [
"MOZILLA",
"Googlebot"
]
},
{
"positiveMatch": true,
"type": "RequestMethodCondition",
"values": [
"GET",
"POST",
"HEAD"
]
},
{
"positiveMatch": true,
"type": "ResponseStatusCondition",
"values": [
"400",
"401",
"402",
"403",
"404",
"405",
"406",
"407",
"408",
"409",
"410",
"500",
"501",
"502",
"503",
"504"
]
}
],
"allTraffic": false,
"averageThreshold": 1000,
"burstThreshold": 10,
"clientIdentifier": "ip",
"createDate": "2017-09-08T22:24:42Z",
"description": "These Shared Resources will be available to all policies within the Security Configuration",
"id": 672607,
"matchType": "path",
"name": "These Shared Resources will be available to all policies within the Security Configuration",
"pathMatchType": "Custom",
"pathUriPositiveMatch": true,
"queryParameters": [
{
"name": "param1",
"positiveMatch": false,
"valueInRange": true,
"values": [
"value1"
]
}
],
"requestType": "ClientRequest",
"sameActionOnIpv6": true,
"type": "WAF",
"updateDate": "2017-09-08T22:24:42Z",
"useXForwardForHeaders": false,
"used": true
}
],
"reputationProfiles": [
{
"context": "SCANTL",
"contextReadable": "Scanning Tools",
"enabled": true,
"id": 210588,
"name": "Scanning Tools (Low Threat)",
"threshold": 5
},
{
"condition": {
"atomicConditions": [
{
"className": "RequestHeaderCondition",
"index": 1,
"name": [
"test*"
],
"nameWildcard": false,
"positiveMatch": true,
"value": [
"test*"
],
"valueCase": false,
"valueWildcard": false
},
{
"className": "RequestHeaderCondition",
"index": 2,
"name": [
"Head",
"Header"
],
"nameWildcard": true,
"positiveMatch": true,
"value": [
"Header value"
],
"valueCase": false,
"valueWildcard": true
},
{
"checkIps": "connecting",
"className": "NetworkListCondition",
"index": 3,
"positiveMatch": true,
"value": [
"14121_IMAGEMANAGERSERVERS"
]
},
{
"className": "RequestCookieCondition",
"index": 4,
"name": "cookieName",
"nameCase": false,
"nameWildcard": true,
"positiveMatch": true,
"value": [
"cookieValue"
],
"valueCase": false,
"valueWildcard": true
},
{
"checkIps": "connecting",
"className": "AsNumberCondition",
"index": 5,
"positiveMatch": true,
"value": [
"5"
]
}
],
"canDelete": false,
"configVersionId": 152889,
"id": 88112456,
"name": "Cloned of 87956156 for version 152889",
"positiveMatch": true,
"uuid": "SEC_COND_88112456",
"version": 1504909482545
},
"context": "WEBATCK",
"contextReadable": "Web Attackers",
"enabled": false,
"id": 210578,
"name": "Web Attackers (Low Threat)",
"threshold": 5
}
],
"customRules": [
{
"conditions": [
{
"type": "requestMethodMatch",
"positiveMatch": true,
"value": [
"GET"
]
}
],
"configId": 17027,
"id": 667828,
"name": "UXR-715 RE2 Second Test with Flags",
"ruleActivated": false,
"structured": true,
"tag": [
"tagfor",
"17.2"
],
"version": 1
},
{
"conditions": [
{
"type": "extensionMatch",
"positiveMatch": true,
"value": [
"fdf"
],
"valueCase": true,
"valueWildcard": false
}
],
"configId": 17027,
"description": "Test CR",
"id": 600001,
"name": "Test CR",
"ruleActivated": false,
"structured": true,
"tag": [
"Test",
"Tag"
],
"version": 1
},
{
"conditions": [
{
"type": "cookieMatch",
"name": "kids",
"nameCase": true,
"nameWildcard": false,
"positiveMatch": true,
"value": [
"dsds",
"dasdqw",
"dsa",
"dqwd",
"csqw"
],
"valueCase": true,
"valueWildcard": true
}
],
"configId": 17027,
"description": "Test CR",
"id": 600006,
"name": "Test CR",
"ruleActivated": false,
"structured": true,
"tag": [
"k"
],
"version": 1
},
{
"conditions": [
{
"type": "pathMatch",
"positiveMatch": true,
"value": [
"/login"
]
}
],
"configId": 17027,
"id": 606713,
"name": "Test",
"ruleActivated": false,
"structured": true,
"tag": [
"adsa"
],
"version": 1
},
{
"conditions": [
{
"type": "argsPostMatch",
"name": "fvfv",
"positiveMatch": true,
"value": [
"fgbr"
]
},
{
"type": "requestHeaderMatch",
"name": [
"test"
],
"nameWildcard": true,
"positiveMatch": true,
"value": [
"test1"
],
"valueCase": false,
"valueWildcard": true
}
],
"configId": 17027,
"description": "Test CR",
"id": 690265,
"name": "Test CR2",
"ruleActivated": false,
"structured": true,
"tag": [
"ee"
],
"version": 1
},
{
"configId": 17027,
"id": 667825,
"inspectRequest": false,
"inspectResponse": false,
"metadata": "<match:variable name=\"MY_SAMPLE_THREAT_DETECTED\" result=\"true\" value=\"execute rule\">\n<match:regex impl=\"re2\" regex=\"^\\d+$\" result=\"false\" select=\"REQUEST_HEADERS:Content-Length\" strict-err-check-re2=\"on\" transform=\"urlDecodeUni\">\n<security:firewall.action>\n<msg>UXR-715 CRB Metadata testing</msg>\n<tag>CUSTOM/TEST</tag>\n<id>667825</id>\n<deny>%(WAF_CUSTOM_R667825_DENY)</deny>\n<data>threat indicated from data %(MY_SAMPLE_THREAT_DETECTED)</data>\n<http-status>403</http-status>\n</security:firewall.action>\n</match:regex>\n</match:variable>\n",
"name": "UXR-715 RE27890",
"ruleActivated": false,
"structured": false,
"version": 1
}
],
"rulesets": [
{
"id": 41,
"rulesetVersionId": 327550,
"type": "Kona",
"releaseDate": "2017-04-21T16:00:38Z",
"attackGroups": [
{
"group": "DDOS",
"groupName": "Anomaly Score Exceeded for DDoS",
"threshold": 5
},
{
"group": "IN",
"groupName": "Anomaly Score Exceeded for Inbound",
"threshold": 30
},
{
"group": "SQL",
"groupName": "Anomaly Score Exceeded for SQL Injection",
"threshold": 19
},
{
"group": "TROJAN",
"groupName": "Anomaly Score Exceeded for Trojan",
"threshold": 4
},
{
"group": "XSS",
"groupName": "Anomaly Score Exceeded for Cross-Site Scripting",
"threshold": 9
}
],
"rules": [
{
"id": 699989,
"inspectRequestBody": false,
"inspectResponseBody": false,
"ruleVersion": 1,
"score": 5,
"tag": "<AKAMAI/PRAGMA_DEFLECTION>",
"title": "Akamai-X debug Pragma header detected and removed"
},
{
"id": 699990,
"inspectRequestBody": false,
"inspectResponseBody": false,
"ruleVersion": 1,
"score": 5,
"tag": "<AKAMAI/EDGESCAPE_ANONYMOUS_PROXY_v1>",
"title": "Detected request from anonymous proxy"
},
{
"id": 981252,
"inspectRequestBody": true,
"inspectResponseBody": false,
"attackGroups": [
"SQL",
"IN"
],
"ruleVersion": 4,
"score": 5,
"tag": "<OWASP_CRS/WEB_ATTACK/SQL_INJECTION>",
"title": "MySQL Charset Switch and MSSQL DoS Attempts"
},
{
"id": 3000060,
"inspectRequestBody": true,
"inspectResponseBody": false,
"attackGroups": [
"IN",
"DDOS"
],
"ruleVersion": 2,
"score": 1000,
"tag": "<AKAMAI/AUTOMATION/MALICIOUS>",
"title": "Mirai / Kaiten DDoS Detection - HTTP Attacks"
},
{
"id": 3000061,
"inspectRequestBody": true,
"inspectResponseBody": false,
"attackGroups": [
"XSS",
"IN"
],
"ruleVersion": 1,
"score": 5,
"tag": "<AKAMAI/WEB_ATTACK/XSS>",
"title": "Referer Header From OpenBugBounty Website - Potential XSS"
}
]
}
],
"matchTargets": {
"websiteTargets": [
{
"type": "website",
"bypassNetworkLists": [
{
"id": "11212_BYPASSURR",
"name": "bypass-URR"
}
],
"defaultFile": "NO_MATCH",
"effectiveSecurityControls": {
"applyApplicationLayerControls": true,
"applyApiConstraints": true,
"applyNetworkLayerControls": false,
"applyRateControls": true,
"applyReputationControls": false,
"applySlowPostControls": false
},
"fileExtensions": [
"jpg"
],
"filePaths": [
"/path"
],
"id": 1362593,
"isNegativeFileExtensionMatch": false,
"isNegativePathMatch": false,
"securityPolicy": {
"policyId": "qik3_38800"
},
"sequence": 1
},
{
"type": "website",
"defaultFile": "NO_MATCH",
"effectiveSecurityControls": {
"applyApplicationLayerControls": true,
"applyApiConstraints": true,
"applyNetworkLayerControls": true,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": false
},
"filePaths": [
"/images",
"/image1",
"/path"
],
"hostnames": [
"b2c.div1.akamaniac.com"
],
"id": 1362594,
"isNegativeFileExtensionMatch": false,
"isNegativePathMatch": false,
"securityPolicy": {
"policyId": "qik2_38799"
},
"sequence": 2
}
],
"apiTargets": [
{
"type": "api",
"apis": [
{
"id": 1041,
"name": "hmm test"
}
],
"bypassNetworkLists": [
{
"id": "1024_AMAZONELASTICCOMPUTECLOU",
"name": "Ec2 Akamai Network List"
},
{
"id": "1283_MICROSOFTWINDOWSAZUREDAT",
"name": "Azure IP range cloud services"
}
],
"effectiveSecurityControls": {
"applyApplicationLayerControls": false,
"applyApiConstraints": false,
"applyNetworkLayerControls": false,
"applyRateControls": true,
"applyReputationControls": false,
"applySlowPostControls": false
},
"id": 1362597,
"securityPolicy": {
"policyId": "99e_47293"
},
"sequence": 6
},
{
"type": "api",
"apis": [
{
"id": 1001,
"name": "1001"
},
{
"id": 1041,
"name": "hmm test"
}
],
"bypassNetworkLists": [
{
"id": "11212_BYPASSURR",
"name": "bypass-URR"
}
],
"effectiveSecurityControls": {
"applyApplicationLayerControls": false,
"applyApiConstraints": true,
"applyNetworkLayerControls": true,
"applyRateControls": false,
"applyReputationControls": true,
"applySlowPostControls": false
},
"id": 1362598,
"securityPolicy": {
"policyId": "4444_44572"
},
"sequence": 7
}
]
},
"securityPolicies": [
{
"id": "qik2_38799",
"name": "Generated Quick Policy - 4/10/17 7:13:18 PM GMT",
"hasRatePolicyWithApiKey": false,
"ruleActions": [
{
"action": "alert",
"id": 960912,
"rulesetVersionId": 327550
},
{
"action": "alert",
"id": 960035,
"rulesetVersionId": 327550
},
{
"action": "alert",
"id": 981300,
"rulesetVersionId": 327550
},
{
"action": "deny",
"id": 3000001,
"rulesetVersionId": 327550
},
{
"action": "alert",
"conditions": [
{
"type": "hostMatch",
"hosts": [
"www.example.com",
"*.example.com"
],
"positiveMatch": true
},
{
"type": "pathMatch",
"paths": [
"/a/d",
"/test/"
],
"positiveMatch": false
},
{
"type": "uriQueryMatch",
"caseSensitive": false,
"name": "test",
"nameCase": false,
"positiveMatch": false,
"value": "value",
"wildcard": false
},
{
"type": "requestHeaderMatch",
"header": "user-agent",
"positiveMatch": false,
"value": "test-agent-*",
"valueCase": false,
"valueWildcard": true
}
],
"exception": {
"selectors": [
{
"type": "GENERIC",
"selector": "REQUEST_COOKIES"
},
{
"type": "EXACT",
"name": "cccx",
"selector": "XML_PAIRS",
"value": "vvv"
},
{
"type": "GENERIC",
"selector": "REQUEST_COOKIES"
},
{
"type": "GENERIC",
"selector": "ARGS"
}
],
"values": [
"test",
"sdfasf"
]
},
"id": 970903,
"rulesetVersionId": 327550
}
],
"attackGroupActions": [
{
"action": "deny",
"group": "SQL",
"rulesetVersionId": 327550
},
{
"action": "deny",
"group": "XSS",
"rulesetVersionId": 327550
},
{
"action": "deny",
"group": "IN",
"rulesetVersionId": 327550
}
],
"customRuleActions": [
{
"action": "deny",
"id": 628035
},
{
"action": "alert",
"id": 628037
}
],
"reputationProfileActions": [
{
"action": "alert",
"id": 281778
},
{
"action": "deny",
"id": 210588
}
],
"ratePolicyActions": [
{
"id": 0,
"ipv4Action": "alert",
"ipv6Action": "deny"
},
{
"id": 0,
"ipv4Action": "alert",
"ipv6Action": "none"
}
],
"networkLayerControls": {
"block": "blockSpecificIPGeo",
"geoControls": {
"blockedIPNetworkLists": {
"additional": [
"AF",
"AS"
],
"networkList": [
"4389_BLANKLIST"
]
}
},
"slowPost": {
"action": "alert",
"durationThreshold": {
"timeout": 5
},
"slowRateThreshold": {
"rate": 10,
"period": 60
}
},
"ipControls": {
"allowedIPNetworkLists": {
"additional": [
"2.2.2.2"
],
"networkList": [
"12801_25000",
"19440_1671"
]
},
"blockedIPNetworkLists": {
"additional": [
"1.1.1.1"
],
"networkList": [
"16656_CPISERVERS",
"18460_166RELEASETESTING"
]
}
}
}
},
{
"id": "qqqq_39297",
"name": "qqqqqq",
"hasRatePolicyWithApiKey": false
},
{
"id": "178t_48704",
"name": "Copy of Tet-a-Tet with 17.8",
"hasRatePolicyWithApiKey": false,
"reputationProfileActions": [
{
"action": "alert",
"id": 281778
},
{
"action": "alert",
"id": 281776
}
],
"networkLayerControls": {
"block": "blockSpecificIPGeo",
"ipControls": {
"blockedIPNetworkLists": {
"networkList": [
"24321_TESTNW"
]
}
}
},
"apiRequestConstraints": {
"action": "alert"
}
}
],
"siem": {
"configId": 17027,
"configVersion": 22,
"enableForAllPolicies": false,
"enableSiem": true,
"enabledBotmanSiemEvents": false,
"firewallPolicyIds": [
"qik2_38799",
"4444_44572",
"teet_39295",
"ds22_48583"
],
"siemDefinitionId": 1
},
"advancedOptions": {
"logging": {
"allowSampling": true,
"cookies": {
"type": "exclude",
"values": [
"_updated_By_SoapUI",
"w",
"NEW_VAL_ADDED_BY_SoapUI"
]
},
"customHeaders": {
"type": "only",
"values": [
"112",
"sdasd",
"ds"
]
},
"standardHeaders": {
"type": "only"
}
},
"prefetch": {
"allExtensions": false,
"enableAppLayer": true,
"enableRateControls": false,
"extensions": [
"cgi",
"jsp",
"EMPTY_STRING",
"aspx",
"php",
"py",
"asp"
]
}
}
}
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Make a GET request to
/appsec/.v1/ export/ configs/ {configId}/ versions/ {versionNumber}
The response is a Configuration object containing all configured hostnames, match targets, and custom rules.
List selectable hostnames
Retrieves a list of hostnames that a given configuration version has the ability to protect, under the current context. Hostnames may show as error hosts when they are not currently available, for example, when a contract expires.
GET /appsec/
Status 200
application/json
Response Body:
{
"configId": 123,
"configVersion": 2,
"protectARLInclusionHost": true,
"availableSet": [
{
"arlInclusion": true,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": 5443,
"configNameInProduction": "WAF Security File",
"hostname": "example.com"
},
{
"arlInclusion": true,
"activeInProduction": false,
"activeInStaging": true,
"configIdInProduction": 11882,
"configNameInProduction": "A PUBLIC CONFIG",
"hostname": "www.example.com"
},
{
"arlInclusion": true,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": 6018,
"configNameInProduction": "Other Security Configuration",
"hostname": "www.example-123.com"
}
],
"selectedSet": [
{
"arlInclusion": false,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": 11887,
"configNameInProduction": "Rbac Test Config",
"hostname": "m.example.com"
},
{
"arlInclusion": false,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": null,
"configNameInProduction": null,
"hostname": "m.example-123.com"
}
],
"errorSet": [
{
"hostname": "*.example.net",
"reason": "property is not active in either production or staging",
"reasonCode": 400
},
{
"hostname": "test-example.net",
"reason": "You don't have access to this property",
"reasonCode": 403
}
]
}
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ selectable-hostnames
The response is a SelectableHostnames object.
List selected hostnames
Retrieves a list of hostnames that the configuration version selects as candidates of protected hostnames, which you can use in match targets.
GET /appsec/
Status 200
application/json
Response Body:
{
"hostnameList": [
{
"hostname": "*.example.net"
},
{
"hostname": "example.com"
},
{
"hostname": "m.example.com"
}
]
}
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ selected-hostnames
The response is a SelectedHostnames object.
Modify selected hostnames
Updates the list of selected hostnames for a configuration version.
PUT /appsec/
Content-Type: application/json
Request Body:
{
"hostnameList": [
{
"hostname": "*.example.net"
},
{
"hostname": "example.com"
},
{
"hostname": "m.example.com"
}
]
}
Status 200
application/json
Response Body:
{
"hostnameList": [
{
"hostname": "*.example.net"
},
{
"hostname": "example.com"
},
{
"hostname": "m.example.com"
}
]
}
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Run List selectable hostnames to retrieve a list of Set objects containing hostname information.
List selected hostnames to retrieve a SelectedHostnames object.
Modify the SelectedHostnames object.
Make a PUT request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ selected-hostnames
The response reflects the modified SelectedHostnames object.
List security policies
Returns a list of security policies available for the specified security configuration.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
configId |
Integer | 8225 |
A unique identifier for each configuration. |
versionNumber |
Integer | 2 |
A unique identifier for each version of a configuration. |
| Optional query parameters | |||
detail |
Boolean | true |
When enabled, the response features a richer set of data than the default, which includes only the name and ID of each item. |
notMatched |
Boolean | false |
If true, returns all security policies in the configuration version which do not have a match target. If false, returns all security policies in the configuration version. |
Status 200
application/json
Response Body:
{
"configId": 1232,
"version": 8,
"policies": [
{
"policyId": "NN3_61",
"policyName": "NN FW 3",
"policySecurityControls": {
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": false,
"applyReputationControls": false,
"applyBotmanControls": true,
"applyApiConstraints": false,
"applySlowPostControls": false
},
"hasRatePolicyWithApiKey": true
},
{
"policyId": "NN_2",
"policyName": "NN FW 1",
"policySecurityControls": {
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": false,
"applyReputationControls": false,
"applyBotmanControls": false,
"applyApiConstraints": false,
"applySlowPostControls": false
},
"hasRatePolicyWithApiKey": false
},
{
"policyId": "NN-2_3",
"policyName": "NN FW 2",
"policySecurityControls": {
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": false,
"applyReputationControls": false,
"applyBotmanControls": false,
"applyApiConstraints": false,
"applySlowPostControls": false
},
"hasRatePolicyWithApiKey": true
}
]
}
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Optionally, enable the
notMatchedquery parameter to return all security policies in the configuration version which do not have a match targetOptionally, enable the
detailquery parameter to see detailed information on the returned items.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies{?notMatched, detail}
List match targets
Retrieves a list of match targets defined in the specified security configuration version.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
configId |
Integer | 17027 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
| Optional query parameters | |||
includeChildObjectName |
Boolean | true |
Specifies if the name for network list and API endpoint objects to return in the payload. |
policyId |
String | ancv_1234 |
Specifies the security policy to filter match targets. |
Status 200
application/json
Response Body:
{
"matchTargets": {
"apiTargets": [
{
"apis": [
{
"id": 1111,
"name": "API Endpoint 1"
},
{
"id": 2222,
"name": "API Endpoint 2"
}
],
"bypassNetworkLists": [
{
"id": "522825_CCCBYPASSLIST",
"name": "Example network list 11"
},
{
"id": "1622566_XXAABYPASSL",
"name": "Example network list 12"
}
],
"configId": 17027,
"configVersion": 25,
"effectiveSecurityControls": {
"applyApiConstraints": true,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": false
},
"securityPolicy": {
"policyId": "ancv_1234"
},
"sequence": 3,
"targetId": 1222208,
"type": "api"
}
],
"websiteTargets": [
{
"bypassNetworkLists": [
{
"id": "222825_AAABYPASSLIST",
"name": "Example network list 21"
},
{
"id": "2622566_YYAABYPASSL",
"name": "Example network list 22"
}
],
"configId": 17027,
"configVersion": 25,
"defaultFile": "NO_MATCH",
"effectiveSecurityControls": {
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": false
},
"fileExtensions": [
"html"
],
"filePaths": [
"/*"
],
"securityPolicy": {
"policyId": "ancv_1234"
},
"hostnames": [],
"isNegativeFileExtensionMatch": false,
"isNegativePathMatch": false,
"sequence": 1,
"targetId": 1221059,
"type": "website"
},
{
"bypassNetworkLists": [],
"configId": 17027,
"configVersion": 25,
"defaultFile": "NO_MATCH",
"effectiveSecurityControls": {
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": false,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": false
},
"fileExtensions": [],
"filePaths": [
"/path"
],
"securityPolicy": {
"policyId": "ancv_1234"
},
"hostnames": [
"example.com",
"www.example.net",
"m.example.com"
],
"isNegativeFileExtensionMatch": false,
"isNegativePathMatch": false,
"sequence": 2,
"targetId": 1222207,
"type": "website"
}
]
}
}
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Optionally, Run List security policies and select a
policyId.Optionally, enable the
includeChildObjectNamequery parameter to return the object name in the payload.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ match-targets{?policyId, includeChildObjectName}
Create a match target
Creates a new Match Target in the specified Configuration Version.
POST /appsec/
Sample: /appsec/
Content-Type: application/json
Request Body:
{
"securityPolicy": {
"policyId": "fwsf_32432"
},
"type": "website",
"hostnames": [
"example.com",
"www.example.net",
"m.example.com"
],
"filePaths": [
"/sssi/*",
"/cache/aaabbc*",
"/price_toy/*"
],
"isNegativePathMatch": false,
"fileExtensions": [
"wmls",
"jpeg",
"pws",
"carb",
"pdf",
"js",
"hdml",
"cct",
"swf",
"pct"
],
"isNegativeFileExtensionMatch": true,
"defaultFile": "BASE_MATCH",
"bypassNetworkLists": [
{
"id": "888518_ACDDCKERS"
},
{
"id": "1304427_AAXXBBLIST"
}
],
"targetSecurityControls": {
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": true,
"applyReputationControls": false,
"applySlowPostControls": true
}
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
configId |
Integer | 17027 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 201
application/json
Response Body:
{
"targetId": 112231,
"securityPolicy": {
"policyId": "fwsf_32432"
},
"configId": 17027,
"configVersion": 25,
"type": "website",
"sequence": 1,
"hostnames": [
"example.com",
"www.example.net",
"m.example.com"
],
"filePaths": [
"/sssi/*",
"/cache/aaabbc*",
"/price_toy/*"
],
"isNegativePathMatch": false,
"fileExtensions": [
"wmls",
"jpeg",
"pws",
"carb",
"pdf",
"js",
"hdml",
"cct",
"swf",
"pct"
],
"isNegativeFileExtensionMatch": true,
"defaultFile": "BASE_MATCH",
"bypassNetworkLists": [
{
"id": "888518_ACDDCKERS",
"name": "Test network list 1"
},
{
"id": "1304427_AAXXBBLIST",
"name": "Test network list 2"
}
],
"effectiveSecurityControls": {
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": false,
"applyRateControls": true,
"applyReputationControls": false,
"applySlowPostControls": false
}
}
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Create a MatchTarget object.
Make a POST request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ match-targets
The response reflects the complete MatchTarget object.
Modify match target order
Updates the sequence of Match Targets in a configuration version. The website and api match targets’ sequence
requires updates from separate requests by passing the type attribute in the json request.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Request Body:
{
"targetSequence": [
{
"targetId": 1217289,
"sequence": 1
},
{
"targetId": 1217339,
"sequence": 2
}
],
"type": "website"
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
configId |
Integer | 17027 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Response Body:
{
"targetSequence": [
{
"targetId": 1217289,
"sequence": 1
},
{
"targetId": 1217339,
"sequence": 2
}
],
"type": "website"
}
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Run List match targets.
Craft a MatchTargetOrder object using the
targetIds.Make a PUT request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ match-targets/ sequence
The response reflects the modified MatchTargetOrder object.
Get a match target
Retrieves the specified match target.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
configId |
Integer | 17027 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
| Optional query parameters | |||
includeChildObjectName |
Boolean | true |
Specify whether to return the object name in the payload. |
Status 200
application/json
Response Body:
{
"targetId": 112231,
"securityPolicy": {
"policyId": "fwsf_32432"
},
"configId": 17027,
"configVersion": 25,
"type": "website",
"sequence": 1,
"hostnames": [
"example.com",
"www.example.net",
"m.example.com"
],
"filePaths": [
"/sssi/*",
"/cache/aaabbc*",
"/price_toy/*"
],
"isNegativePathMatch": false,
"fileExtensions": [
"wmls",
"jpeg",
"pws",
"carb",
"pdf",
"js",
"hdml",
"cct",
"swf",
"pct"
],
"isNegativeFileExtensionMatch": true,
"defaultFile": "BASE_MATCH",
"bypassNetworkLists": [
{
"id": "888518_ACDDCKERS",
"name": "Test network list 1"
},
{
"id": "1304427_AAXXBBLIST",
"name": "Test network list 2"
}
],
"effectiveSecurityControls": {
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": false,
"applyRateControls": true,
"applyReputationControls": false,
"applySlowPostControls": false
}
}
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Run List match targets and select a
targetId.Optionally, enable the
includeChildObjectNamequery parameter to return the object name in the payload.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ match-targets/ {targetId}{?includeChildObjectName}
The response is a MatchTarget object.
Modify a match target
Updates details about the specified match target.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Request Body:
{
"targetId": 112231,
"type": "website",
"hostnames": [
"example.com",
"www.example.net",
"m.example.com"
],
"securityPolicy": {
"policyId": "fwsf_32432"
},
"filePaths": [
"/sssi/*",
"/cache/aaabbc*",
"/price_toy/*"
],
"isNegativePathMatch": false,
"fileExtensions": [
"wmls",
"jpeg",
"pws",
"carb",
"pdf",
"js",
"hdml",
"cct",
"swf",
"pct"
],
"isNegativeFileExtensionMatch": true,
"defaultFile": "BASE_MATCH",
"bypassNetworkLists": [
{
"id": "888518_ACDDCKERS"
},
{
"id": "1304427_AAXXBBLIST"
}
],
"targetSecurityControls": {
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": true,
"applyReputationControls": false,
"applySlowPostControls": true
}
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
configId |
Integer | 17027 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Response Body:
{
"targetId": 112231,
"securityPolicy": {
"policyId": "fwsf_32432"
},
"configId": 17027,
"configVersion": 25,
"type": "website",
"sequence": 1,
"hostnames": [
"example.com",
"www.example.net",
"m.example.com"
],
"filePaths": [
"/sssi/*",
"/cache/aaabbc*",
"/price_toy/*"
],
"isNegativePathMatch": false,
"fileExtensions": [
"wmls",
"jpeg",
"pws",
"carb",
"pdf",
"js",
"hdml",
"cct",
"swf",
"pct"
],
"isNegativeFileExtensionMatch": true,
"defaultFile": "BASE_MATCH",
"bypassNetworkLists": [
{
"id": "888518_ACDDCKERS",
"name": "Test network list 1"
},
{
"id": "1304427_AAXXBBLIST",
"name": "Test network list 2"
}
],
"effectiveSecurityControls": {
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": false,
"applyRateControls": true,
"applyReputationControls": false,
"applySlowPostControls": false
}
}
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Run List match targets and select a
targetId.Run Get a match target.
Modify the MatchTarget object.
Make a PUT request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ match-targets/ {targetId}
The response reflects the modified MatchTarget object.
Remove a match target
Deletes the specified match target.
DELETE /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
configId |
Integer | 17027 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 204
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Run List match targets and select a
targetId.Make a DELETE request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ match-targets/ {targetId}
List custom rules
Retrieves a list of custom rules defined in a security configuration.
GET /appsec/
Status 200
application/json
Response Body:
{
"customRules": [
{
"link": "/appsec/v1/configs/99999/customRules/111111",
"name": "Example 1",
"status": "activated",
"id": 111111,
"version": 1
},
{
"link": "/appsec/v1/configs/99999/customRules/111112",
"name": "Example 2",
"status": "published",
"id": 111112,
"version": 1
},
{
"link": "/appsec/v1/configs/99999/customRules/111113",
"name": "Example 3",
"status": "unused",
"id": 111113,
"version": 2
}
]
}
Run List configurations and select a
configId.Make a GET request to
/appsec/.v1/ configs/ {configId}/ custom-rules
The response is a CustomRule object.
Create a custom rule
Creates a new custom rule.
POST /appsec/
Content-Type: application/json
Request Body:
{
"tag": [
"test"
],
"conditions": [
{
"type": "requestMethodMatch",
"positiveMatch": true,
"value": [
"GET",
"CONNECT",
"TRACE",
"PUT",
"POST",
"OPTIONS",
"DELETE",
"HEAD"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"value": [
"/H",
"/Li",
"/He"
]
},
{
"type": "extensionMatch",
"positiveMatch": true,
"value": [
"Li",
"He",
"H"
],
"valueWildcard": true,
"valueCase": true
},
{
"type": "filenameMatch",
"positiveMatch": true,
"value": [
"He",
"H",
"Li"
],
"valueWildcard": false,
"valueCase": false
},
{
"type": "requestProtocolVersionMatch",
"positiveMatch": true,
"value": [
"HTTP/0.9"
]
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"name": [
"H",
"He"
],
"value": [
"Li",
"He",
"H"
],
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"name": [
"He"
],
"value": [
"C",
"Be",
"B"
],
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true
},
{
"type": "headerOrderMatch",
"positiveMatch": true,
"value": "H:He"
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "H",
"nameWildcard": true,
"nameCase": true,
"value": [
"H",
"He",
"Li"
],
"valueCase": true,
"valueWildcard": true
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "Be",
"nameWildcard": true,
"nameCase": true,
"value": [
"O",
"N",
"C"
],
"valueCase": true,
"valueWildcard": true
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "C",
"nameCase": true,
"nameWildcard": true,
"value": [
"Carbon",
"C"
],
"valueWildcard": true,
"valueCase": true
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "N",
"nameCase": false,
"nameWildcard": false,
"value": [
"Nitrogen",
"N"
],
"valueWildcard": false,
"valueCase": false
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "H",
"value": [
"H",
"Hydrogen"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "He",
"value": [
"He",
"Helium"
]
},
{
"type": "argsPostNamesMatch",
"positiveMatch": true,
"value": [
"Carbon",
"Oxygen",
"Nitrogen",
"Chlorine"
]
}
],
"name": "Fat Rule",
"description": "Can I create all conditions?"
}
Status 200
application/json
Response Body:
{
"tag": [
"test"
],
"id": 661699,
"conditions": [
{
"type": "requestMethodMatch",
"positiveMatch": true,
"value": [
"GET",
"CONNECT",
"TRACE",
"PUT",
"POST",
"OPTIONS",
"DELETE",
"HEAD"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"value": [
"/H",
"/Li",
"/He"
]
},
{
"type": "extensionMatch",
"positiveMatch": true,
"value": [
"Li",
"He",
"H"
],
"valueWildcard": true,
"valueCase": true
},
{
"type": "filenameMatch",
"positiveMatch": true,
"value": [
"He",
"H",
"Li"
],
"valueWildcard": false,
"valueCase": false
},
{
"type": "requestProtocolVersionMatch",
"positiveMatch": true,
"value": [
"HTTP/0.9"
]
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"name": [
"H",
"He"
],
"value": [
"Li",
"He",
"H"
],
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"name": [
"He"
],
"value": [
"C",
"Be",
"B"
],
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true
},
{
"type": "headerOrderMatch",
"positiveMatch": true,
"value": "H:He"
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "H",
"nameWildcard": true,
"nameCase": true,
"value": [
"H",
"He",
"Li"
],
"valueCase": true,
"valueWildcard": true
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "Be",
"nameWildcard": true,
"nameCase": true,
"value": [
"O",
"N",
"C"
],
"valueCase": true,
"valueWildcard": true
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "C",
"nameCase": true,
"nameWildcard": true,
"value": [
"Carbon",
"C"
],
"valueWildcard": true,
"valueCase": true
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "N",
"nameCase": false,
"nameWildcard": false,
"value": [
"Nitrogen",
"N"
],
"valueWildcard": false,
"valueCase": false
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "H",
"value": [
"H",
"Hydrogen"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "He",
"value": [
"He",
"Helium"
]
},
{
"type": "argsPostNamesMatch",
"positiveMatch": true,
"value": [
"Carbon",
"Oxygen",
"Nitrogen",
"Chlorine"
]
}
],
"name": "Fat Rule",
"description": "Can I create all conditions?",
"version": 1,
"ruleActivated": false
}
Run List configurations and select a
configId.Create a CustomRule object.
Make a POST request to
/appsec/.v1/ configs/ {configId}/ custom-rules
The response reflects the complete CustomRule object.
Get a custom rule
Returns the details of a custom rule.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
ruleId |
Integer | 661699 |
A unique identifier for each custom rule. |
Status 200
application/json
Response Body:
{
"tag": [
"test"
],
"id": 661699,
"conditions": [
{
"type": "requestMethodMatch",
"positiveMatch": true,
"value": [
"GET",
"CONNECT",
"TRACE",
"PUT",
"POST",
"OPTIONS",
"DELETE",
"HEAD"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"value": [
"/H",
"/Li",
"/He"
]
},
{
"type": "extensionMatch",
"positiveMatch": true,
"value": [
"Li",
"He",
"H"
],
"valueWildcard": true,
"valueCase": true
},
{
"type": "filenameMatch",
"positiveMatch": true,
"value": [
"He",
"H",
"Li"
],
"valueWildcard": false,
"valueCase": false
},
{
"type": "requestProtocolVersionMatch",
"positiveMatch": true,
"value": [
"HTTP/0.9"
]
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"name": [
"H",
"He"
],
"value": [
"Li",
"He",
"H"
],
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"name": [
"He"
],
"value": [
"C",
"Be",
"B"
],
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true
},
{
"type": "headerOrderMatch",
"positiveMatch": true,
"value": "H:He"
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "H",
"nameWildcard": true,
"nameCase": true,
"value": [
"H",
"He",
"Li"
],
"valueCase": true,
"valueWildcard": true
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "Be",
"nameWildcard": true,
"nameCase": true,
"value": [
"O",
"N",
"C"
],
"valueCase": true,
"valueWildcard": true
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "C",
"nameCase": true,
"nameWildcard": true,
"value": [
"Carbon",
"C"
],
"valueWildcard": true,
"valueCase": true
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "N",
"nameCase": false,
"nameWildcard": false,
"value": [
"Nitrogen",
"N"
],
"valueWildcard": false,
"valueCase": false
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "H",
"value": [
"H",
"Hydrogen"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "He",
"value": [
"He",
"Helium"
]
},
{
"type": "argsPostNamesMatch",
"positiveMatch": true,
"value": [
"Carbon",
"Oxygen",
"Nitrogen",
"Chlorine"
]
}
],
"name": "Fat Rule",
"description": "Can I create all conditions?",
"version": 1,
"ruleActivated": false
}
Run List configurations and select a
configId.Run List custom rules and select a
ruleId.Make a GET request to
/appsec/.v1/ configs/ {configId}/ custom-rules/ {ruleId}
The response is a CustomRule object.
Modify a custom rule
Updates an existing custom rule.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Request Body:
{
"tag": [
"test"
],
"id": 661699,
"conditions": [
{
"type": "requestMethodMatch",
"positiveMatch": true,
"value": [
"GET",
"CONNECT",
"TRACE",
"PUT",
"POST",
"OPTIONS",
"DELETE",
"HEAD"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"value": [
"/H",
"/Li",
"/He"
]
},
{
"type": "extensionMatch",
"positiveMatch": true,
"value": [
"Li",
"He",
"H"
],
"valueWildcard": true,
"valueCase": true
},
{
"type": "filenameMatch",
"positiveMatch": true,
"value": [
"He",
"H",
"Li"
],
"valueWildcard": false,
"valueCase": false
},
{
"type": "requestProtocolVersionMatch",
"positiveMatch": true,
"value": [
"HTTP/0.9"
]
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"name": [
"H",
"He"
],
"value": [
"Li",
"He",
"H"
],
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"name": [
"He"
],
"value": [
"C",
"Be",
"B"
],
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true
},
{
"type": "headerOrderMatch",
"positiveMatch": true,
"value": "H:He"
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "H",
"nameWildcard": true,
"nameCase": true,
"value": [
"H",
"He",
"Li"
],
"valueCase": true,
"valueWildcard": true
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "Be",
"nameWildcard": true,
"nameCase": true,
"value": [
"O",
"N",
"C"
],
"valueCase": true,
"valueWildcard": true
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "C",
"nameCase": true,
"nameWildcard": true,
"value": [
"Carbon",
"C"
],
"valueWildcard": true,
"valueCase": true
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "N",
"nameCase": false,
"nameWildcard": false,
"value": [
"Nitrogen",
"N"
],
"valueWildcard": false,
"valueCase": false
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "H",
"value": [
"H",
"Hydrogen"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "He",
"value": [
"He",
"Helium"
]
},
{
"type": "argsPostNamesMatch",
"positiveMatch": true,
"value": [
"Carbon",
"Oxygen",
"Nitrogen",
"Chlorine"
]
}
],
"name": "Fat Rule",
"description": "Can I create all conditions?",
"version": 1
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
ruleId |
Integer | 661699 |
A unique identifier for each custom rule. |
Status 200
application/json
Response Body:
{
"tag": [
"test"
],
"id": 661699,
"conditions": [
{
"type": "requestMethodMatch",
"positiveMatch": true,
"value": [
"GET",
"CONNECT",
"TRACE",
"PUT",
"POST",
"OPTIONS",
"DELETE",
"HEAD"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"value": [
"/H",
"/Li",
"/He"
]
},
{
"type": "extensionMatch",
"positiveMatch": true,
"value": [
"Li",
"He",
"H"
],
"valueWildcard": true,
"valueCase": true
},
{
"type": "filenameMatch",
"positiveMatch": true,
"value": [
"He",
"H",
"Li"
],
"valueWildcard": false,
"valueCase": false
},
{
"type": "requestProtocolVersionMatch",
"positiveMatch": true,
"value": [
"HTTP/0.9"
]
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"name": [
"H",
"He"
],
"value": [
"Li",
"He",
"H"
],
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"name": [
"He"
],
"value": [
"C",
"Be",
"B"
],
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true
},
{
"type": "headerOrderMatch",
"positiveMatch": true,
"value": "H:He"
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "H",
"nameWildcard": true,
"nameCase": true,
"value": [
"H",
"He",
"Li"
],
"valueCase": true,
"valueWildcard": true
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "Be",
"nameWildcard": true,
"nameCase": true,
"value": [
"O",
"N",
"C"
],
"valueCase": true,
"valueWildcard": true
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "C",
"nameCase": true,
"nameWildcard": true,
"value": [
"Carbon",
"C"
],
"valueWildcard": true,
"valueCase": true
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "N",
"nameCase": false,
"nameWildcard": false,
"value": [
"Nitrogen",
"N"
],
"valueWildcard": false,
"valueCase": false
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "H",
"value": [
"H",
"Hydrogen"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "He",
"value": [
"He",
"Helium"
]
},
{
"type": "argsPostNamesMatch",
"positiveMatch": true,
"value": [
"Carbon",
"Oxygen",
"Nitrogen",
"Chlorine"
]
}
],
"name": "Fat Rule",
"description": "Can I create all conditions?",
"version": 1,
"ruleActivated": false
}
Run List configurations and select a
configId.Run List custom rules and select a
ruleId.Run Get a custom rule.
Modify the CustomRule object.
Make a PUT request to
/appsec/.v1/ configs/ {configId}/ custom-rules/ {ruleId}
The response reflects the modified CustomRule object.
Remove a custom rule
Deletes a custom rule as long as it is not activated.
DELETE /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
ruleId |
Integer | 661699 |
A unique identifier for each custom rule. |
Status 204
Run List configurations and select a
configId.Run List custom rules and select a
ruleId.Make a DELETE request to
/appsec/.v1/ configs/ {configId}/ custom-rules/ {ruleId}
List custom rule actions
Returns a list of all configured custom rules for the specified configuration. It
includes information for rules that are associated with this
policy, as well as the latest versions of the rules in the configuration
that are not associated with the current policy. Unassociated rules
have an action of none.
GET /appsec/
Status 200
application/json
Response Body:
{
"customRules": [
{
"action": "alert",
"link": "/appsec/v1/configs/16400/custom-rules/622918",
"name": "Custom Rule Example 1",
"id": 622918
},
{
"action": "none",
"link": "/appsec/v1/configs/16400/custom-rules/657604",
"name": "Custom Rule Example 2",
"id": 657604
},
{
"action": "deny",
"link": "/appsec/v1/configs/16400/custom-rules/615894",
"name": "Custom Rule Example 3",
"id": 615894
}
]
}
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Run List security policies and select a
policyId.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ 1/ security-policies/ {policyId}/ custom-rules
The response is a CustomRuleActions object.
Modify a custom rule action
Updates the action of a custom rule.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Request Body:
{
"action": "alert"
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
ruleId |
Integer | 661699 |
A unique identifier for each custom rule. |
Status 200
application/json
Response Body:
{
"action": "alert"
}
Run List configurations and select a
configId.Run List configuration versions and select a
verisonNumber.Run List security policies and select a
policyId.Run List custom rule actions and select a
ruleId.Make a PUT request with a single-member object containing the specified
actionto/appsec/.v1/ configs/ {configId}/ versions/ 1/ security-policies/ {policyId}/ custom-rules/ {ruleId}
The response reflects the modified single-member object.
Activate a configuration version
Activates one or more configurations globally.
POST /appsec/
Content-Type: application/json
Request Body:
{
"action": "ACTIVATE",
"network": "STAGING",
"note": "Free text notes",
"notificationEmails": [
"a@abc.com",
"b@abc.com"
],
"activationConfigs": [
{
"configId": 1,
"configVersion": 4
}
]
}
Status 200
application/json
Response Body:
{
"activationId": 1234,
"action": "ACTIVATE",
"status": "RECEIVED",
"network": "PRODUCTION",
"estimate": "PTM5",
"activationConfigs": [
{
"configId": 1,
"configName": "config 1",
"configVersion": 4,
"previousConfigVersion": 2
}
],
"createdBy": "user1",
"createDate": "2013-10-07T17:41:52+00:00",
"dispatchCount": 1
}
Status 202
application/json
Headers:
Location: /appsec/v1/activations/status/f81c92c5-b150-4c41-9b53-9cef7969150a
Response Body:
{
"statusId": "f81c92c5-b150-4c41-9b53-9cef7969150a",
"createDate": "2018-06-19T11:27:55Z",
"links": {
"check-status": {
"href": "/appsec/v1/activations/status/f81c92c5-b150-4c41-9b53-9cef7969150a"
}
}
}
Create an Activation object.
Make a POST request to
/appsec/.v1/ activations
The response reflects the complete Activation object.
Get an activation request status
Get the status of the ongoing generation of a long-running activation request. Any errors that occur during the generation of the activation will cause this API to respond with the underlying error status.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
statusId |
String | f81c92c5-b150-4c41-9b53-9cef7969150a |
UUID of this activation request status |
Status 200
application/json
Headers:
Retry-After: 300
Response Body:
{
"statusId": "f81c92c5-b150-4c41-9b53-9cef7969150a",
"createDate": "2018-06-19T11:27:55Z"
}
Status 303
application/json
Headers:
Location: /appsec/v1/activations/1234
Response Body:
{
"activationId": 1234
}
Activate a configuration version, if you have not already done so, and note the
statusIdin the response.Make a GET request to
/appsec/.v1/ activations/ status/ {statusId} The response produces an object with an HTTP status code and relevant activation request data in the header.
The optional
Retry-Afterresponse header indicates the number of seconds to wait before submitting another status request.The optional
Locationresponse header indicates the URL of the specified activation.
Get activation status
Retrieves the status of an activation.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL parameters | |||
activationId |
Number | 1234 |
A unique identifier for an activation. |
Status 200
application/json
Response Body:
{
"activationId": 1234,
"action": "ACTIVATE",
"status": "RECEIVED",
"network": "PRODUCTION",
"estimate": "PTM5",
"activationConfigs": [
{
"configId": 1,
"configName": "config 1",
"configVersion": 4,
"previousConfigVersion": 2
}
],
"createdBy": "user1",
"createDate": "2013-10-07T17:41:52+00:00",
"dispatchCount": 1
}
Run Activate a configuration version and note the
activationIdin the response object.Make a GET request to
/appsec/.v1/ activations/ {activationId}
The response is an Activation object.
Data
This section provides you with the data model for the Application Security API.
Download the JSON schemas for this API.
The data schema tables below list membership requirements as follows:
| ✓ | Member is required in requests, or always present in responses, even if its value is empty or null. |
| ○ | Member is optional, and may be omitted in some cases. |
| ✗ | Member is out of scope, and irrelevant to the specified interaction context. If you include the member in that context, it either triggers an error, or is ignored. |
Configuration
Encapsulates configuration version details.
Download schema:
wafConfigVersionDto.json
Sample full GET response:
{
"configId": 8277,
"configName": "TestConfig",
"version": 2,
"versionNotes": "Membership Benefits",
"createDate": "2013-10-07T17:58:52Z",
"createdBy": "user1",
"basedOn": 1,
"production": {
"status": "Active",
"time": "2014-07-08T07:40:00Z"
},
"staging": {
"status": "Inactive"
}
}
Configuration members
| Member | Type | Required | Description |
|---|---|---|---|
basedOn |
Integer | ○ | Read-only. The version from which this version was cloned. |
configId |
Integer | ✓ | Read-only. A unique identifier for the security configuration. |
configName |
String | ✓ | The security configuration name. |
createDate |
String | ○ | Read-only. The date of creation. |
createdBy |
String | ○ | Read-only. The user who created the configuration version. |
production |
Configuration. |
✓ | Read-only. The activation status of the configuration version in production network. |
staging |
Configuration. |
✓ | Read-only. The activation status of the configuration version in staging network. |
version |
Integer | ✓ | The security configuration version. |
versionNotes |
String | ○ | User notes for the security configuration version. |
Configuration.production: The activation status of the configuration version in production network. |
|||
action |
Enumeration | ○ | Action taken on the Configuration Version. Either ACTIVATE or DEACTIVATE. |
status |
Enumeration | ○ | The activation status, either Active, Failed, Inactive, Deactivated, or Pending. |
time |
String | ○ | The activation time. |
Configuration.staging: The activation status of the configuration version in staging network. |
|||
action |
Enumeration | ○ | Action taken on the Configuration Version. Either ACTIVATE or DEACTIVATE. |
status |
Enumeration | ○ | The activation status, either Active, Failed, Inactive, Deactivated, or Pending. |
time |
String | ○ | ISO 8601 timestamp indicating the activation time. |
ConfigurationClone
Specifies the settings for a new clone of a security configuration.
Download schema:
configCloneCreate.json
Sample POST request:
{
"createFromVersion": 1,
"ruleUpdate": false
}
ConfigurationClone members
| Member | Type | Required | Description |
|---|---|---|---|
create |
Integer | ○ | The configuration version to clone from. |
ruleUpdate |
Boolean | ○ | Specifies whether the application rules should be migrated to the latest version. |
SelectableHostnames
Encapsulates the list of hostnames available for protection and its details.
Download schema:
hostInfoInConfiguration.json
Sample GET response:
{
"configId": 123,
"configVersion": 2,
"protectARLInclusionHost": true,
"availableSet": [
{
"arlInclusion": true,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": 5443,
"configNameInProduction": "WAF Security File",
"hostname": "example.com"
},
{
"arlInclusion": true,
"activeInProduction": false,
"activeInStaging": true,
"configIdInProduction": 11882,
"configNameInProduction": "A PUBLIC CONFIG",
"hostname": "www.example.com"
},
{
"arlInclusion": true,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": 6018,
"configNameInProduction": "Other Security Configuration",
"hostname": "www.example-123.com"
}
],
"selectedSet": [
{
"arlInclusion": false,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": 11887,
"configNameInProduction": "Rbac Test Config",
"hostname": "m.example.com"
},
{
"arlInclusion": false,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": null,
"configNameInProduction": null,
"hostname": "m.example-123.com"
}
],
"errorSet": [
{
"hostname": "*.example.net",
"reason": "property is not active in either production or staging",
"reasonCode": 400
},
{
"hostname": "test-example.net",
"reason": "You don't have access to this property",
"reasonCode": 403
}
]
}
SelectableHostnames members
| Member | Type | Required | Description |
|---|---|---|---|
availableSet |
Set array | ○ | The available hosts set for the current user. |
configId |
Integer | ✓ | A unique identifier for the security configuration. |
configVersion |
Integer | ✓ | The version number of the security configuration. |
errorSet |
Selectable |
○ | The requested hosts are not available in this configuration version. |
protect |
Boolean | ✓ | Whether the host defined in the ARL file has legacy WAF enabled in the configuration. |
selectedSet |
Set array | ○ | The selected set of hosts in this configuration version. |
SelectableHostnames.errorSet[]: The requested hosts are not available in this configuration version. |
|||
hostname |
String | ✓ | The hostname that triggers an error. |
reason |
String | ✓ | The reason why the hosts are not protectable in this configuration version. |
reasonCode |
Integer | ✓ | The error status code for the hostname. |
Set
Details about the state of a hostname.
Download schema:
hostNameObject.json
Set members
| Member | Type | Required | Description |
|---|---|---|---|
active |
Boolean | ○ | True when the host is active in production network. |
activeInStaging |
Boolean | ○ | True when the host is active in staging network. |
arlInclusion |
Boolean | ○ | True when the host is Akamai Resource Locator (ARL) included. |
config |
Integer | ○ | The ID of the configuration protecting this property. |
config |
String | ○ | The name of the configuration protecting this property. |
hostname |
String | ✓ | The name of the host. |
SelectedHostnames
Encapsulates a list of selected hostnames for the specified configuration version.
Download schema:
hostnameList.json
Sample Get response:
{
"hostnameList": [
{
"hostname": "*.example.net"
},
{
"hostname": "example.com"
},
{
"hostname": "m.example.com"
}
]
}
SelectedHostnames members
| Member | Type | Required | Description |
|---|---|---|---|
hostnameList |
Selected |
○ | Specifies a selected hostname for a configuration version. |
SelectedHostnames.hostnameList[]: Specifies a selected hostname for a configuration version. |
|||
hostname |
String | ○ | The hostname. |
SecurityPolicy
Specifies the details of a policy.
Download schema:
securityPolicyDto.json
Sample full GET response:
{
"configId": 1232,
"version": 8,
"policies": [
{
"policyId": "NN3_61",
"policyName": "NN FW 3",
"policySecurityControls": {
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": false,
"applyReputationControls": false,
"applyBotmanControls": true,
"applyApiConstraints": false,
"applySlowPostControls": false
},
"hasRatePolicyWithApiKey": true
},
{
"policyId": "NN_2",
"policyName": "NN FW 1",
"policySecurityControls": {
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": false,
"applyReputationControls": false,
"applyBotmanControls": false,
"applyApiConstraints": false,
"applySlowPostControls": false
},
"hasRatePolicyWithApiKey": false
},
{
"policyId": "NN-2_3",
"policyName": "NN FW 2",
"policySecurityControls": {
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": false,
"applyReputationControls": false,
"applyBotmanControls": false,
"applyApiConstraints": false,
"applySlowPostControls": false
},
"hasRatePolicyWithApiKey": true
}
]
}
SecurityPolicy members
| Member | Type | Required | Description |
|---|---|---|---|
configId |
Integer | ○ | A unique identifier for the security configuration. |
has |
Boolean | ○ | Indicates whether this security policy has a rate policy which has API_KEY as client identifier. APIs are managed using the API Endpoint Definition API. |
policyId |
String | ○ | A unique identifier for the security policy. |
policyName |
String | ○ | The name of the security policy. |
policy |
Security |
○ | The status of security controls defined in the security policy. |
version |
Integer | ○ | The version number of the security configuration. |
SecurityPolicy.policySecurityControls: The status of security controls defined in the security policy. |
|||
apply |
Boolean | ○ | True when API constraints are enabled. |
apply |
Boolean | ○ | True when application layer controls are enabled. |
apply |
Boolean | ○ | True when Bot Manager controls are enabled. |
apply |
Boolean | ○ | True when network layer controls are enabled. |
apply |
Boolean | ○ | True when rate controls are enabled. |
apply |
Boolean | ○ | True when reputation controls are enabled. |
apply |
Boolean | ○ | True when slow post controls are enabled. |
MatchTarget
Encapsulates information about a match target.
Download schema:
matchTarget.json
Sample GET response:
{
"targetId": 112231,
"securityPolicy": {
"policyId": "fwsf_32432"
},
"configId": 17027,
"configVersion": 25,
"type": "website",
"sequence": 1,
"hostnames": [
"example.com",
"www.example.net",
"m.example.com"
],
"filePaths": [
"/sssi/*",
"/cache/aaabbc*",
"/price_toy/*"
],
"isNegativePathMatch": false,
"fileExtensions": [
"wmls",
"jpeg",
"pws",
"carb",
"pdf",
"js",
"hdml",
"cct",
"swf",
"pct"
],
"isNegativeFileExtensionMatch": true,
"defaultFile": "BASE_MATCH",
"bypassNetworkLists": [
{
"id": "888518_ACDDCKERS",
"name": "Test network list 1"
},
{
"id": "1304427_AAXXBBLIST",
"name": "Test network list 2"
}
],
"effectiveSecurityControls": {
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": false,
"applyRateControls": true,
"applyReputationControls": false,
"applySlowPostControls": false
}
}
MatchTarget members
| Member | Type | Required | Description |
|---|---|---|---|
apis |
Match |
○ | Encapsulates a list of objects containing an API endpoint ID and name. This field is applicable only for API match targets. |
bypass |
Match |
○ | A list of network list identifiers and names. |
configId |
Integer | ○ | A unique identifier for a security configuration. |
configVersion |
Integer | ○ | The version of security configuration. |
defaultFile |
Enumeration | ○ | A description of the rule to match on paths. Either NO_MATCH to not match on the default file, BASE_MATCH to match only requests for top-level hostnames ending in a trailing slash, or RECURSIVE_MATCH to match all requests for paths that end in a trailing slash. |
effective |
Match |
○ | Read-only. Defines the security controls to apply. For a security control to be effectively turned on, it has to be enabled in both the match target and the security policy. |
fileExtensions |
Array | ○ | Encapsulates a list of file extensions. |
filePaths |
Array | ○ | Encapsulates a list of file paths. |
hostnames |
Array | ○ | Encapsulates a list of hostnames to protect. |
is |
Boolean | ○ | Describes whether the match target applies when a match is found in the specified fileExtensions or when a match is not found. |
is |
Boolean | ○ | Describes whether the match target applies when a match is found in the specified paths or when a match is not found. |
securityPolicy |
Match |
✓ | The security policy associated with the match target. |
sequence |
Integer | ○ | The position in the sequence of match targets. |
targetId |
Integer | ○ | A unique identifier for the match target. |
type |
Enumeration | ✓ | Describes the type of match target, either website or api. |
validations |
Match |
○ | Read-only. Describes warnings, errors, or notices determined by a validation of this resource. |
MatchTarget.apis[]: Encapsulates a list of objects containing an API endpoint ID and name. This field is applicable only for API match targets. |
|||
id |
Integer | ✓ | A unique identifier of an API endpoint. |
name |
String | ○ | The API endpoint name. |
MatchTarget.bypassNetworkLists[]: A list of network list identifiers and names. |
|||
id |
String | ✓ | A unique identifier for a network list. |
name |
String | ○ | The name of the network list. |
MatchTarget.effectiveSecurityControls: Defines the security controls to apply. For a security control to be effectively turned on, it has to be enabled in both the match target and the security policy. |
|||
apply |
Boolean | ○ | True when API constraints are enabled. |
apply |
Boolean | ○ | True when application layer controls are enabled. |
apply |
Boolean | ○ | True when Bot Manager controls are enabled. |
apply |
Boolean | ○ | True when network layer controls are enabled. |
apply |
Boolean | ○ | True when rate controls are enabled. |
apply |
Boolean | ○ | True when reputation controls are enabled. |
apply |
Boolean | ○ | True when slow post controls are enabled. |
MatchTarget.securityPolicy: The security policy associated with the match target. |
|||
policyId |
String | ✓ | A unique identifier for security policy. |
MatchTarget.validations: Describes warnings, errors, or notices determined by a validation of this resource. |
|||
errors |
Validation array | ○ | List of errors. |
notices |
Validation array | ○ | List of notices. |
warnings |
Validation array | ○ | List of warnings. |
Validation
Encapsulates feedback on validation.
Download schema:
validation-dto.json
Validation members
| Member | Type | Required | Description |
|---|---|---|---|
detail |
String | ○ | An explanation of the error message. |
fieldName |
String | ○ | The name of the field causing the validation problem. |
jsonReference |
String | ○ | The JSON reference to the field in the resource. |
title |
String | ○ | The title for the error. |
type |
String | ○ | The URL for the error type. |
MatchTargetOrder
Encapsulates match target settings and a list of objects containing match targets with their assigned sequence number.
Download schema:
matchTargetsSequence.json
Sample GET response:
{
"targetSequence": [
{
"targetId": 1217289,
"sequence": 1
},
{
"targetId": 1217339,
"sequence": 2
}
],
"type": "website"
}
MatchTargetOrder members
| Member | Type | Required | Description |
|---|---|---|---|
targetSequence |
Match |
✓ | Contains the ID and sequence of a match target. |
type |
Enumeration | ✓ | Describes the type of match target, either WEBSITE or API. |
MatchTargetOrder.targetSequence[]: Contains the ID and sequence of a match target. |
|||
sequence |
Integer | ○ | The position in the sequence of match targets. |
targetId |
Integer | ○ | A unique identifier for the match target. |
CustomRule
Contains settings for a custom rule.
Download schema:
customRule-schema.json
Sample GET example:
{
"tag": [
"test"
],
"id": 661699,
"conditions": [
{
"type": "requestMethodMatch",
"positiveMatch": true,
"value": [
"GET",
"CONNECT",
"TRACE",
"PUT",
"POST",
"OPTIONS",
"DELETE",
"HEAD"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"value": [
"/H",
"/Li",
"/He"
]
},
{
"type": "extensionMatch",
"positiveMatch": true,
"value": [
"Li",
"He",
"H"
],
"valueWildcard": true,
"valueCase": true
},
{
"type": "filenameMatch",
"positiveMatch": true,
"value": [
"He",
"H",
"Li"
],
"valueWildcard": false,
"valueCase": false
},
{
"type": "requestProtocolVersionMatch",
"positiveMatch": true,
"value": [
"HTTP/0.9"
]
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"name": [
"H",
"He"
],
"value": [
"Li",
"He",
"H"
],
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"name": [
"He"
],
"value": [
"C",
"Be",
"B"
],
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true
},
{
"type": "headerOrderMatch",
"positiveMatch": true,
"value": "H:He"
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "H",
"nameWildcard": true,
"nameCase": true,
"value": [
"H",
"He",
"Li"
],
"valueCase": true,
"valueWildcard": true
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "Be",
"nameWildcard": true,
"nameCase": true,
"value": [
"O",
"N",
"C"
],
"valueCase": true,
"valueWildcard": true
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "C",
"nameCase": true,
"nameWildcard": true,
"value": [
"Carbon",
"C"
],
"valueWildcard": true,
"valueCase": true
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "N",
"nameCase": false,
"nameWildcard": false,
"value": [
"Nitrogen",
"N"
],
"valueWildcard": false,
"valueCase": false
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "H",
"value": [
"H",
"Hydrogen"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "He",
"value": [
"He",
"Helium"
]
},
{
"type": "argsPostNamesMatch",
"positiveMatch": true,
"value": [
"Carbon",
"Oxygen",
"Nitrogen",
"Chlorine"
]
}
],
"name": "Fat Rule",
"description": "Can I create all conditions?",
"version": 1,
"ruleActivated": false
}
CustomRule members
| Member | Type | Required | Description |
|---|---|---|---|
conditions |
Custom |
○ | Specifies the conditions for the custom rule. |
description |
String | ○ | The custom rule description. |
id |
Integer | ○ | Read-only. A unique identifier for the rule. |
inspectRequest |
Boolean | ○ | Read-only. Inpsect HTTP request for unstructured custom rules. |
inspectResponse |
Boolean | ○ | Read-only. Inpsect HTTP response for unstructured custom rules. |
metadata |
String | ○ | Read-only. Metadata the user provided for unstructured custom rules. |
name |
String | ✓ | The custom rule name. |
ruleActivated |
Boolean | ○ | Read-only. Indicates whether the rule is active in a configuration. |
structured |
Boolean | ○ | Read-only. Indicates if this rule was created with the structured custom rule builder or free-form XML. |
tag |
Array | ○ | A set of user-supplied label for the custom rule. |
version |
Integer | ○ | The custom rule version. |
CustomRule.conditions[]: Specifies the conditions for the custom rule. |
|||
positiveMatch |
Boolean | ✓ | If true, the rule triggers when the condition is met. If false, the rule triggers when it is not met. |
type |
Enumeration | ✓ | The type of condition, either cookieMatch, extensionMatch, filenameMatch, hoitMatch, hostnameMatch, ipMatch, pathMatch, requestHeaderMatch, requestMethodMatch, requestProtocolVersionMatch, uriQueryMatch, headerOrderMatch, argsPostMatch, or argsPostNamesMatch. |
value |
Array, String | ✓ | The value to use in the condition. Can be a string or an array of strings, depending on type. |
CustomRuleActions
Contains settings for custom rule actions.
Download schema:
customRuleActions.json
Sample GET response:
{
"customRules": [
{
"action": "alert",
"link": "/appsec/v1/configs/16400/custom-rules/622918",
"name": "Custom Rule Example 1",
"id": 622918
},
{
"action": "none",
"link": "/appsec/v1/configs/16400/custom-rules/657604",
"name": "Custom Rule Example 2",
"id": 657604
},
{
"action": "deny",
"link": "/appsec/v1/configs/16400/custom-rules/615894",
"name": "Custom Rule Example 3",
"id": 615894
}
]
}
CustomRuleActions members
| Member | Type | Required | Description |
|---|---|---|---|
action |
String | ○ | The action to assign to this custom rule, either alert, deny, or none. If the action is none, the rule is inactive in the policy. |
link |
String | ○ | Read-only. A link to more information about the rule associated with this policy or latest version of rule if action is set to none (unassociated). |
name |
String | ○ | Read-only. The name of the custom rule. |
status |
String | ○ | Read-only. The activation status of the custom rule action. |
version |
Integer | ○ | Read-only. Version of the rule. |
Activation
Encapsulates the activation status and settings for a configuration version.
Download schema:
activations-request.json, activation-status.json
Sample POST request:
{
"action": "ACTIVATE",
"network": "STAGING",
"note": "Free text notes",
"notificationEmails": [
"a@abc.com",
"b@abc.com"
],
"activationConfigs": [
{
"configId": 1,
"configVersion": 4
}
]
}
Sample GET response:
{
"activationId": 1234,
"action": "ACTIVATE",
"status": "RECEIVED",
"network": "PRODUCTION",
"estimate": "PTM5",
"activationConfigs": [
{
"configId": 1,
"configName": "config 1",
"configVersion": 4,
"previousConfigVersion": 2
}
],
"createdBy": "user1",
"createDate": "2013-10-07T17:41:52+00:00",
"dispatchCount": 1
}
Activation members
| Member | Type | POST | GET | Description | ||||
|---|---|---|---|---|---|---|---|---|
action |
Enumeration | ✓ | ✓ | The action to take, either ACTIVATE or DEACTIVATE. |
||||
activation |
Activation. |
✓ | ✓ | Specifies the security configuration and version to activate or deactivate. | ||||
activationId |
Number | ✗ | ✓ | A unique identifier for the activation. | ||||
completionDate |
String | ✗ | ○ | Read-only. The ISO 8601 timestamp at which the activation reaches a steady state and validates across the Akamai network. | ||||
createDate |
String | ✗ | ✓ | Read-only. The ISO 8601 timestamp at which the activation request was submitted. | ||||
createdBy |
String | ✗ | ✓ | Read-only. Username of the person that created the activation request. | ||||
dispatchCount |
Integer | ✗ | ○ | Read-only. The number of times which this activation has been dispatched to the Akamai edge network. A number greater than 1 indicates that this activation may be retried due to network safety concerns. | ||||
estimate |
String | ✗ | ○ | The estimated time remaining to complete the activation in ISO 8601 duration format, starting when the response is generated. | ||||
network |
Enumeration | ✓ | ✓ | The target Akamai network or environment of the activation, either STAGING or PRODUCTION. |
||||
note |
String | ○ | ✗ | User-supplied notes associated with this activation. | ||||
notification |
Array | ○ | ✗ | Email IDs to notify when the activation happens. | ||||
status |
Enumeration | ✗ | ✓ | The current status of the activation, either RECEIVED, LIVE, DEPLOYED, CANCELING, STOPPED, REMOVED, ROLLBACK, ACTIVATED, FAILED, CANCELLING, or UNDEPLOYED. |
||||
Activation.activationConfigs[]: Specifies the security configuration and version of the activation. |
||||||||
configId |
Number | ✓ | ✓ | The ID of the origin or destination configuration to activate. | ||||
configName |
String | ✗ | ○ | The name of the configuration. This field is provided for information purposes and only appears in the API output. | ||||
configVersion |
Number | ✓ | ✓ | The version of the origin or destination configuration to activate. | ||||
previous |
Number | ✗ | ○ | Read-only. The previous active configuration version. | ||||
Errors
This section provides details on the data object that reflects the API’s common response to error cases, and lists the API’s range of response status codes for both error and success cases.
Error responses
EdgeGrid responds with HTTP Problem error objects that provide details useful for debugging. For example:
{
"type":"https://problems.luna.akamaiapis.net/appsec-resource/error-types/ACCESS-DENIED",
"title":"Forbidden",
"status":403,
"detail":"You do not have the necessary access to perform this operation or the requested resource cannot be modified",
"instance":"https://problems.luna.akamaiapis.net/appsec/error-instances/d54686b5-21cb-4ab7-a8d6-a92282cf1749"
}
HTTP status codes
The API produces the following set of HTTP status codes for both success and failure scenarios:
| Code | Description |
|---|---|
| 200 | The operation was successful. |
| 201 | Resource successfully created. |
| 400 | Bad Request. |
| 403 | Access is forbidden. |
| 404 | Resource not found. |
| 409 | Conflict with current state of resource. |
Last modified: 12/3/2018