- Overview
- Resources
- API summary
- List contracts and groups
- List available hostnames for a new configuration
- List configurations
- Create a configuration
- Rename a security configuration
- List configuration versions
- Clone a configuration version
- Get configuration version details
- Remove a configuration version
- Get the version notes
- Update the version notes
- Get Hostname Coverage
- Get the hostname coverage match targets
- List hostname overlaps
- Get the HTTP header log settings for a configuration
- Modify HTTP header log settings for a configuration
- Get prefetch requests
- Modify prefetch requests
- Get Pragma settings for a configuration
- Modify Pragma settings for a configuration
- Get Request body size settings for a configuration
- Modify request body inspection limit settings for a configuration
- List selectable hostnames
- List selected hostnames
- Modify selected hostnames
- List evaluation hostnames
- Modify evaluation hostnames
- Protect evaluation hostnames
- List security policies
- Clone or create a security policy
- Get a security policy
- Modify a security policy
- Remove a security policy
- Get HTTP header log settings
- Modify HTTP header log settings
- Get Pragma settings for a security policy
- Modify Pragma settings for a security policy
- Get request body inspection limit settings for a security policy
- Modify request body size settings for a security policy
- List match targets
- Create a match target
- Modify match target order
- Get a match target
- Modify a match target
- Remove a match target
- List custom deny actions
- Create a custom deny action
- Get a custom deny action
- Modify a custom deny action
- Remove a custom deny action
- List failover hostnames
- Get the IP/Geo Firewall settings
- Update the IP Geo Firewall settings
- Get the bypass network lists settings
- Modify the bypass network lists settings
- List rate policies
- Create a rate policy
- Get a rate policy
- Modify a rate policy
- Remove a rate policy
- List rate policy actions
- Modify a rate policy action
- Get slow POST protection settings
- Modify slow POST protection settings
- Get the current mode
- Modify the mode
- List attack groups
- Get the action for an attack group
- Modify the action for an attack group
- Get the exceptions of an attack group
- Modify the exceptions of an attack group
- List rules
- Upgrade KRS ruleset
- Get the action for a rule
- Modify the action for a rule
- Get the conditions and exceptions of a rule
- Modify the conditions and exceptions of a rule
- Get upgrade details
- Get adaptive intelligence setting
- Update adaptive intelligence setting
- Set evaluation mode
- List evaluation rules
- Get the action of an evaluation rule
- Modify the action of an evaluation rule
- Get the conditions and exceptions for an evaluation rule
- Modify the conditions and exceptions for an evaluation rule
- Get tuning recommendations for a policy
- Respond to tuning recommendations
- List tuning recommendations for a rule
- List tuning recommedations for an attack group
- Get the penalty box
- Modify the penalty box
- List custom rules
- Create a custom rule
- Get a custom rule
- Modify a custom rule
- Remove a custom rule
- List custom rule actions
- Modify a custom rule action
- List API request constraints and actions
- Modify the request constraint action for all API
- Modify an API request constraint’s action
- List API endpoints
- List reputation profiles
- Create a reputation profile
- Get a reputation profile
- Modify a reputation profile
- Remove a reputation profile
- Get the reputation analysis settings
- Update the reputation analysis settings
- List reputation profile actions
- Get the action for a reputation profile
- Modify the action for a reputation profile
- Get protections
- Modify protections
- Get SIEM settings
- Modify SIEM settings
- Get SIEM versions
- List subscribers
- Subscribe or unsubscribe to recommendation emails
- List selected hostnames for a security policy
- Modify selected hostnames for a security policy
- List evaluation hostnames for a security policy
- Modify evaluation hostnames for a security policy
- Protect evaluation hostnames for a security policy
- Get the bypass network lists settings for a security policy
- Modify the bypass network lists settings for a security policy
- Activate a configuration version
- Get an activation request status
- Get activation status
- Export a configuration version
- Data
- Configuration
- RenameConfiguration
- ContractGroup
- VersionList
- Version
- VersionNotes
- ConfigurationClone
- SelectableHostnames
- Set
- SelectedHostnames
- SecurityPolicy
- SecurityPolicyClone
- HeaderLog
- ConfigHeaderLog
- PrefetchRequest
- InspectionLimit
- ThreatIntel
- PragmaHeader
- HostnameCoverage
- HostnameOverlap
- SecurityControls
- Subscription
- Upgrade
- Rule
- EvalRule
- EvalMode
- EvalHostname
- Recommendation
- RecommendationAction
- HostnameTarget
- Exception
- MatchTarget
- CustomDeny
- FailOverHostname
- IPGeoFirewall
- BypassNetworkList
- Validation
- MatchTargetOrder
- RatePolicy
- RatePolicyAction
- SlowPostProtection
- CustomRule
- CustomRuleActions
- ApiConstraints
- ApiEndpoint
- AttackGroup
- Mode
- Action
- PenaltyBox
- ReputationProfile
- ReputationProfileAction
- ReputationAnalysis
- SIEM
- Protections
- Activation
- Export
- Errors
Application Security API v1
Manage the Web Application Firewall (WAF) configuration for your Akamai security products.
Learn more:
Download this API’s RAML and JSON schema descriptors.
Overview
The Application Security API allows you to access and modify your Security Configurations for Kona Site Defender, Web Application Protector, and Client Reputation. You can create, update, activate, and export versions of a security configuration. You can get selectable hostnames and add them to the selected list to protect your website or API content. You also can add, modify, or delete custom rules and assign policy actions.
A Web Application Firewall (WAF) is an application security measure deployed between a web client and a web server that performs a deep inspection of every request and response for all common forms of web traffic. Identifying and isolating or blocking abnormal malicious traffic, a WAF effectively prevents threats from reaching the server.
Adaptive Security Engine (ASE) replaces previous web application firewall protections like Automated Attack Groups and the Kona Rule Set. ASE, our latest web application firewall protection engine, has advances that help you protect your websites and APIs with greater accuracy and less effort.
Existing operations for Kona Rule Set and Automated Attack Group will contain the updated ASE payloads for newly-contracted customers. Established customers can opt into to the ASE features at a later date, and will continue to see the existing payloads you are currently familiar with.
Operations with ASE available describe the specific changes to their payloads.
Product compatibility varies by operation. Look for Products: X,Y or Products: All
in each operation description to see which operations work with each product. All includes App & API Protector, Advanced Security Module, Kona Site Defender, and Web Application Protector.
All operations are now GA. Some operations have additional beta functionality related only to their payloads or data and are marked as Beta.
Who should use this API
This API is for security operations teams and developers who implement Akamai security products for their organization. You need to have a working knowledge of your application and how the configurable objects interact. If you’re not familiar with these topics, see Resources for more information.
Get started
Before using the Application Security API for the first time:
Review Get Started with APIs for details on how to set up client tokens to access any Akamai API. These tokens appear as custom hostnames that look like this:
https://akzz-XXXXXXXXXXXXXXXX-XXXXXXXXXXXXXXXX.luna.akamaiapis.net.To enable this API, choose the API service named Application Security, and set the access level to READ-WRITE.
API concepts
To understand this API’s various URL resources and the data it exchanges, get familiar with these concepts:
Configuration: A security configuration specifies hostnames, security policies, custom rules, and match targets. You activate a security configuration to Akamai’s edge servers, where it works with your delivery configuration to evaluate requests, and determines how to handle them.
Security configurations are versioned. This is a handy way to update a configuration, even if it’s active on staging or production. Clone a version and edit it. When it’s ready, activate and test the new version. As you refine and test your updates, you have an audit trail of changes and can rollback to prior versions. You can also export the details of a configuration version.
Contracts and Groups: Contracts and groups apply to most Akamai applications. In the Application Security API, contract IDs and group IDs are used when requesting selectable hostnames and creating security configurations. When you create a new configuration in Appsec, you’ll choose which product to use by passing the
contractId, and you’ll select a group in which to save your configuration with agroupId.Hostnames: Selecting a hostname lets you specify the web content you want to protect in your configuration. You can get a list of selectable hostnames and add new entries to the selected hostnames object in your configuration.
You can associate a security configuration with many hostnames, but a single hostname is covered by only one active security configuration at a time.
Security Policy: Security policies control how to respond to different requests and define the response action that occurs. If necessary, you can create more than one security policy. For example, you may need to apply one set of protections to website pages and a different set to APIs.
Match Target: Defines which security policy applies to which API, hostname, or path. You can use a match target to focus a policy on a specific set of requests, such as those for
.asp,.jsp, or.phpfile types. When your security configuration assesses a request, it checks to see if the request meets match target criteria. If it does, protections apply. If not, content delivery starts.- Protections: Rules in a security configuration that inspect a request for specific traits, behavior, or originating machine and then applies an action you set. If a request triggers a rule, the server executes the action you specify. The security configuration file executes before your delivery configuration. The protections currently available in this API are:
- IP/Geo firewall
- Rate controls
- Slow POST
- Custom rules
- Web Application Firewall rules
- Reputation profile (Kona Site Defender add-on)
IP/Geo Firewall: IP/Geo controls let you block or allow traffic coming from a specific IP, subnet, or geographic area. In Control Center’s Web Application Firewall, the
modeoption lets you control how to block traffic. This API uses theblockmember to indicate the same choice. The set of IPs or geographic areas you want to include or exclude is defined separately in network lists that are shared across security configurations. Use the Network Lists API to maintain them. Note: Subnet controls are a legacy item in Control Center and are not available through this API.Rate Controls: Monitor and control the rate of requests you receive. Flag traffic too fast to be from a human or that may overwhelm your site.
Slow POST: A type of traffic that ties up a web server as it waits for additional parts of requests to arrive. This can result in Denial-of-Service attacks featuring extremely slow request rates.
Custom Rule: Custom rules can handle scenarios not covered by the included standard rules and quickly patch new website vulnerabilities. You can trigger an alert or denial based on various components of the request, such as method, path, file extension, headers, cookies, query string, and POST body variables. Custom rules are configuration-level resources, which means they’re available to all policies in a security configuration, but they don’t version in lock-step. When you change a custom rule, it affects all inactive versions of your security configuration, but not activated ones. To roll back, you must choose a previously activated version.
Reputation Profile: Stops malicious clients before they can attack, based on Akamai’s visibility into prior behavior of individual and shared IP addresses. This service performs hourly analysis to identify potentially malicious IP addresses, scoring them based on prior interactions with other Akamai customers. When you apply reputation controls, they use this history to alert on or block IP addresses from issuing requests. Reputation profile is part of Client Reputation, an optional add-on to Kona Site Defender that you need on your contract to use.
Prefetch: This protection causes your application firewall rules to inspect internal requests (those between your origin and Akamai’s servers) for file types you specify (usually dynamic content).
Attack Group: Attack groups, also called Automated Attack Groups or AAGs are an alternative setup for your web application firewall, eliminating the need for you to manually configure and maintain individual firewall rules.
Attack Group Actions: When conditions for an attack group are met, our system performs a specific action you set: denying the request, recording what triggered the response, or taking no action at all.
Rules: The Akamai Intelligent Platform handles a large part of the world’s web traffic, providing a unique insight into traffic patterns and request behavior. To craft the application-layer protections, our Security Research team leverages insights that come from our Cloud Security Intelligence (CSI) data platform. This data is used to improve rules and create new ones based on the latest threats.
Rule Actions: When a rule is triggered by a request, our system takes an action, either denying the request, recording the triggered the rule, or taking no action at all.
Penalty Box: If you’re using automated attack groups, you can protect your site or API from abusive clients using the penalty box. When you turn penalty box ON, any client whose request violates an attack group set to
action:denymoves to the penalty box. There, the action you select for penalty box (eitheralertordeny) continues to apply to any requests from that client for the next 10 minutes. After 10 minutes, the client moves out of the penalty box, and its requests are no longer denied, unless another request triggers another deny action again and sends the client back to the penalty box for another 10 minutes.Upgrading KRS rules: To best protect your site it’s important to keep your rules up to date. However, if you’re worried how the new rules may affect your traffic, you can use
Evaluation Modeto test them before you upgrade.Mode: The mode is the method by which you update your KRS rules. Use
KRSto update them manually, orAAGto have them update automatically.Evaluation Mode: Evaluation mode lets you test new versions of the Kona Rule Sets before committing to an upgrade, or test the same rules you already have with different exceptions.
Evaluation Rule: Also known as
evalrules. These rules are future versions of rules you currently have. Eval rules are the rules present when you’re running evaluation mode. You can preview, or test drive these rules to see how they handle traffic and compare the results against your current rules. When you’re using the eval rules operations, you’ll notice how similar they are to the KRS rules operations. This is because the newer rules you’re evaluating are meant to replace the KRS rules once you decide to upgrade. The only difference between the KRS rules operations and the eval rules operations is that the KRS operations are for your current rules, and the eval operations are for you to test out updates to those rules. What the rules and their actions accomplish are conceptually the same.- Custom Deny: Instead of using the standard deny action which serves an HTTP 403 Forbidden response, you can create a custom deny action. This lets you:
- Customize the error message
- Brand the error page with your own logo
- Define and serve an HTML, or any response based on XML, JSON, or other data formats
You’ll choose which deny
actionto take in the Custom Deny operations and, unlike other similar operations, won’t have to create any special configurations. Customize either by entering your own HTML or JSON response body, or by serving an HTML page that you currently deliver on Akamai’s platform. You can create up to 20 custom deny actions. Note: Custom Deny is not available for properties served on Akamai’s China CDN. Any instance of custom deny applied to those properties defaults back to 403 response. SIEM: Security Information and Event Management (SIEM) integration lets you capture security events generated on the Akamai platform and analyze them in your favorite SIEM application. You can integrate with Splunk, CEF Syslog, or build a connector for the SIEM application of your choice. The operations in this API let you turn SIEM on or off for your security configurations. To configure other SIEM controls, or for more information, see Security Information and Event Management API.
Tuning recommendations: Tuning recommendations help improve accuracy and reduce false positives. When the system detects such an issue in your traffic, it automatically recommends an exception setting change. You can review it and either accept the recommendation or defer your choice for a later time. Note that once you accept a recommendation, your policy includes it as an exception. But, when you accept a recommendation in Control Center, you save the exception as a second step.
Tuning recommendation email subscription: Tuning recommendation emails notify subscribers faster than waiting for them to log in. In this API you can subscribe or unsubscribe users to these recommendations for a specific
feature. Currently, the onlyfeatureisAAG_TUNING_RECfor AAG rule sets.
API workflows
Learn this API’s common workflows. These include adding a hostname to a configuration version, adding a custom rule to a configuration version, exporting a configuration version, and activating configuration versions with invalid hostnames.
These steps show you how to modify a configuration, provide additional hostnames, and activate the new configuration version.
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Run Get configuration version details to get a Configuration object.
You cannot edit the configuration version if it’s ACTIVE on staging or production servers. To create a new version, craft a ConfigurationClone object and make a POST request to
/appsec/v1/configs/{configId}/versions.Run List selectable hostnames to get a list of Set objects containing hostname information.
List selected hostnames to get a SelectedHostnames object.
Modify the SelectedHostnames object.
Make a PUT request to
/appsec/v1/configs/{configId}/versions/{versionNumber}/selected-hostnames.Run List security policies and select a
policyId.Run Create a match target to create a new MatchTarget object. Note the
targetIdin the response.Modify the MatchTarget object.
Make a PUT request to
/appsec/v1/configs/{configId}/versions/{versionNumber}/match-targets/{targetId}.Run List match targets.
Craft a MatchTargetOrder object using the
targetIds.Make a PUT request to
/appsec/v1/configs/{configId}/versions/{versionNumber}/match-targets/sequence.Create an Activation object.
Make a POST request to
/appsec/v1/activationsto activate the configuration version.Run Get activation status to check the activation status. The response is an Activation object.
These steps show you how to modify a configuration, add a new custom rule, and activate the new configuration version.
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Run Get configuration version details to get a Configuration object.
You cannot edit the configuration version if it’s ACTIVE on staging or production servers. To create a new version, craft a ConfigurationClone object and make a POST request to
/appsec/v1/configs/{configId}/versions.Run Create a custom rule to create a new CustomRule object. Note the
ruleIdin the response.Run Get a custom rule.
Modify the CustomRule object.
Make a PUT request to
/appsec/v1/configs/{configId}/custom-rules/{ruleId}.Run List security policies and select a
policyId.Make a PUT request with a single-member object containing the specified
actionto/appsec/v1/configs/{configId}/versions/1/security-policies/{policyId}/custom-rules/{ruleId}.Create an Activation object.
Make a POST request to
/appsec/v1/activationsto activate the configuration version.Run Get activation status to check the activation status. The response is an Activation object.
These steps show you how to get and export an existing configuration version.
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Make a GET request to
/appsec/v1/export/configs/{configId}/versions/{versionNumber}.
Activate with invalid hostnames
These steps show you how to activate security configurations that contain invalid hostnames. A hostname may be invalid for different reasons. For example, it may not be linked to an Akamai property, or it may be managed under a contract and group not associated with the security configuration. You can activate several security configurations with invalid hostnames at the same time.
Run the List selectable hostnames operation.
Copy and store the
hostnamevalues from theerrorSetarray.Run the Activate a configuration version operation and enter the invalid hostnames along with the IDs of security configuration that include them in the
acknowledgedInvalidHostsByConfigarray.
Note that you can still use the acknowledgedInvalidHosts array when
activating a single security configuration.
Rate limiting
This API uses rate controls to limit the requests from clients within a single account to 100 requests per minute. The requests from all clients within the same account are counted together. Exceeding that limit results in a 429 error response. Consider this especially when calling successive operations as part of a loop.
| Operation | Requests per minute |
|---|---|
| All operations (default) | 100 |
| Export | 3 |
| Hostname coverage | 1 |
The following response headers provide additional rate limit information:
X-Ids-Session-Id: The unique identifier for a rate limit session.X-RateLimit-Limit: 100 per minute except for export and hostname coverage operations.X-RateLimit-Remaining: Number of remaining requests allowed during the current rate limit period.
Once X-RateLimit-Remaining becomes 0, you get a 429 error the next time you make an API call. Wait at least one minute before you call again.
Resources
This section provides details on each API operation.
API summary
Download the RAML descriptors for this API.
| Operation | Method | Endpoint |
|---|---|---|
| Security Configurations Contract and Group | ||
| List contracts and groups | GET | /appsec/ |
| List available hostnames for a new configuration | GET | /appsec/ |
| Security Configurations | ||
| List configurations | GET | /appsec/ |
| Create a configuration | POST | /appsec/ |
| Rename a security configuration | PUT | /appsec/ |
| Security Configuration Versions | ||
| List configuration versions | GET | /appsec/ |
| Clone a configuration version | POST | /appsec/ |
| Security Configuration Version | ||
| Get configuration version details | GET | /appsec/ |
| Remove a configuration version | DELETE | /appsec/ |
| Version Notes | ||
| Get the version notes | GET | /appsec/ |
| Update the version notes | PUT | /appsec/ |
| Hostname Coverage | ||
| Get Hostname Coverage | GET | /appsec/ |
| Hostname Match Target and Overlap Coverage | ||
| Get the hostname coverage match targets | GET | /appsec/ |
| List hostname overlaps | GET | /appsec/ |
| Advanced Configuration Settings | ||
| Get the HTTP header log settings for a configuration | GET | /appsec/ |
| Modify HTTP header log settings for a configuration | PUT | /appsec/ |
| Get prefetch requests | GET | /appsec/ |
| Modify prefetch requests | PUT | /appsec/ |
| Get Pragma settings for a configuration | GET | /appsec/ |
| Modify Pragma settings for a configuration | PUT | /appsec/ |
| Get Request body size settings for a configuration | GET | /appsec/ |
| Modify request body inspection limit settings for a configuration | PUT | /appsec/ |
| Hostnames | ||
| List selectable hostnames | GET | /appsec/ |
| List selected hostnames | GET | /appsec/ |
| Modify selected hostnames | PUT | /appsec/ |
| List evaluation hostnames | GET | /appsec/ |
| Modify evaluation hostnames | PUT | /appsec/ |
| Protect evaluation hostnames | PUT | /appsec/ |
| Security Policies | ||
| List security policies | GET | /appsec/ |
| Clone or create a security policy | POST | /appsec/ |
| Get a security policy | GET | /appsec/ |
| Modify a security policy | PUT | /appsec/ |
| Remove a security policy | DELETE | /appsec/ |
| Security Policy Advanced Settings | ||
| Get HTTP header log settings | GET | /appsec/ |
| Modify HTTP header log settings | PUT | /appsec/ |
| Get Pragma settings for a security policy | GET | /appsec/ |
| Modify Pragma settings for a security policy | PUT | /appsec/ |
| Get request body inspection limit settings for a security policy | GET | /appsec/ |
| Modify request body size settings for a security policy | PUT | /appsec/ |
| Match Targets | ||
| List match targets | GET | /appsec/ |
| Create a match target | POST | /appsec/ |
| Modify match target order | PUT | /appsec/ |
| Get a match target | GET | /appsec/ |
| Modify a match target | PUT | /appsec/ |
| Remove a match target | DELETE | /appsec/ |
| Custom Deny | ||
| List custom deny actions | GET | /appsec/ |
| Create a custom deny action | POST | /appsec/ |
| Get a custom deny action | GET | /appsec/ |
| Modify a custom deny action | PUT | /appsec/ |
| Remove a custom deny action | DELETE | /appsec/ |
| FailOver Hostnames | ||
| List failover hostnames | GET | /appsec/ |
| IP/Geo Firewall | ||
| Get the IP/Geo Firewall settings | GET | /appsec/ |
| Update the IP Geo Firewall settings | PUT | /appsec/ |
| Get the bypass network lists settings | GET | /appsec/ |
| Modify the bypass network lists settings | PUT | /appsec/ |
| Rate Policies | ||
| List rate policies | GET | /appsec/ |
| Create a rate policy | POST | /appsec/ |
| Get a rate policy | GET | /appsec/ |
| Modify a rate policy | PUT | /appsec/ |
| Remove a rate policy | DELETE | /appsec/ |
| Rate Policy Actions | ||
| List rate policy actions | GET | /appsec/ |
| Modify a rate policy action | PUT | /appsec/ |
| Slow Post | ||
| Get slow POST protection settings | GET | /appsec/ |
| Modify slow POST protection settings | PUT | /appsec/ |
| Web Application Firewall Rules | ||
| Get the current mode | GET | /appsec/ |
| Modify the mode | PUT | /appsec/ |
| List attack groups | GET | /appsec/ |
| Get the action for an attack group | GET | /appsec/ |
| Modify the action for an attack group | PUT | /appsec/ |
| Get the exceptions of an attack group | GET | /appsec/ |
| Modify the exceptions of an attack group | PUT | /appsec/ |
| List rules | GET | /appsec/ |
| Upgrade KRS ruleset | PUT | /appsec/ |
| Get the action for a rule | GET | /appsec/ |
| Modify the action for a rule | PUT | /appsec/ |
| Get the conditions and exceptions of a rule | GET | /appsec/ |
| Modify the conditions and exceptions of a rule | PUT | /appsec/ |
| Get upgrade details | GET | /appsec/ |
| Get adaptive intelligence setting | GET | /appsec/ |
| Update adaptive intelligence setting | PUT | /appsec/ |
| Web Application Firewall Evaluation Rules | ||
| Set evaluation mode | POST | /appsec/ |
| List evaluation rules | GET | /appsec/ |
| Get the action of an evaluation rule | GET | /appsec/ |
| Modify the action of an evaluation rule | PUT | /appsec/ |
| Get the conditions and exceptions for an evaluation rule | GET | /appsec/ |
| Modify the conditions and exceptions for an evaluation rule | PUT | /appsec/ |
| Tuning Recommendations | ||
| Get tuning recommendations for a policy | GET | /appsec/ |
| Respond to tuning recommendations | POST | /appsec/ |
| List tuning recommendations for a rule | GET | /appsec/ |
| List tuning recommedations for an attack group | GET | /appsec/ |
| Penalty Box | ||
| Get the penalty box | GET | /appsec/ |
| Modify the penalty box | PUT | /appsec/ |
| Custom Rules Builder | ||
| List custom rules | GET | /appsec/ |
| Create a custom rule | POST | /appsec/ |
| Get a custom rule | GET | /appsec/ |
| Modify a custom rule | PUT | /appsec/ |
| Remove a custom rule | DELETE | /appsec/ |
| Custom Rules Actions | ||
| List custom rule actions | GET | /appsec/ |
| Modify a custom rule action | PUT | /appsec/ |
| API Request Constraints | ||
| List API request constraints and actions | GET | /appsec/ |
| Modify the request constraint action for all API | PUT | /appsec/ |
| Modify an API request constraint’s action | PUT | /appsec/ |
| API Endpoints | ||
| List API endpoints | GET | /appsec/ |
| Reputation Profiles | ||
| List reputation profiles | GET | /appsec/ |
| Create a reputation profile | POST | /appsec/ |
| Get a reputation profile | GET | /appsec/ |
| Modify a reputation profile | PUT | /appsec/ |
| Remove a reputation profile | DELETE | /appsec/ |
| Reputation Analysis | ||
| Get the reputation analysis settings | GET | /appsec/ |
| Update the reputation analysis settings | PUT | /appsec/ |
| Reputation Profile Action | ||
| List reputation profile actions | GET | /appsec/ |
| Get the action for a reputation profile | GET | /appsec/ |
| Modify the action for a reputation profile | PUT | /appsec/ |
| Security Policy Protections | ||
| Get protections | GET | /appsec/ |
| Modify protections | PUT | /appsec/ |
| SIEM Configuration | ||
| Get SIEM settings | GET | /appsec/ |
| Modify SIEM settings | PUT | /appsec/ |
| SIEM Definition | ||
| Get SIEM versions | GET | /appsec/ |
| Subscription for Appsec Config Notifications | ||
| List subscribers | GET | /appsec/ |
| Subscribe or unsubscribe to recommendation emails | POST | /appsec/ |
| Selected Hostnames for a policy | ||
| List selected hostnames for a security policy | GET | /appsec/ |
| Modify selected hostnames for a security policy | PUT | /appsec/ |
| List evaluation hostnames for a security policy | GET | /appsec/ |
| Modify evaluation hostnames for a security policy | PUT | /appsec/ |
| Protect evaluation hostnames for a security policy | PUT | /appsec/ |
| Get the bypass network lists settings for a security policy | GET | /appsec/ |
| Modify the bypass network lists settings for a security policy | PUT | /appsec/ |
| Security Config Activation | ||
| Activate a configuration version | POST | /appsec/ |
| Get an activation request status | GET | /appsec/ |
| Get activation status | GET | /appsec/ |
| Security Configuration Version Export | ||
| Export a configuration version | GET | /appsec/ |
List contracts and groups
List the contracts and groups for your account. Each object contains the contract, groups associated with the contract, and whether Kona Site Defender or Web Application Protector is the product for that contract. You’ll need this information when you create a new security configuration or when you want to get a list of hostnames still available for use in a security policy. Products: All.
GET /appsec/
Status 200
application/json
Object type: ContractGroup
Download schema: contractGroups.json
Response body:
{
"contract_groups": [
{
"contractId": "F-I5PAH1",
"displayName": "Main Street Corporation ",
"groupId": 42085
},
{
"contractId": "F-I5PAH1",
"displayName": "AltQ",
"groupId": 51308
},
{
"contractId": "F-I5PAH1",
"displayName": "BV QA",
"groupId": 41118
}
]
}
List available hostnames for a new configuration
Lists the hostnames for a given contract and group. Use this operation for a new configuration, and use List selectable hostnames to see a list of hostnames you can add to an existing configuration. This operation shows you every acceptable hostname you can use, where the other hostname operation omits any hostnames already included in your configuration. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
contractId |
String | 123-abcd |
A unique identifier for a contract. |
groupId |
String | 11223 |
A unique identifier for a group. |
Status 200
application/json
Response body:
{
"configId": 123,
"configVersion": 2,
"protectARLInclusionHost": true,
"availableSet": [
{
"arlInclusion": true,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": 77653,
"configNameInProduction": "WAF Security File",
"hostname": "example.com"
},
{
"arlInclusion": true,
"activeInProduction": false,
"activeInStaging": true,
"configIdInProduction": 51074,
"configNameInProduction": "A PUBLIC CONFIG",
"hostname": "www.example.com"
},
{
"arlInclusion": true,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": 65473,
"configNameInProduction": "Other Security Configuration",
"hostname": "www.example-123.com"
}
],
"errorSet": [
{
"hostname": "*.example.net",
"reason": "property is not active in either production or staging",
"reasonCode": 400
},
{
"hostname": "test-example.net",
"reason": "You don't have access to this property",
"reasonCode": 403
}
],
"selectedSet": [
{
"arlInclusion": false,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": 11887,
"configNameInProduction": "Rbac Test Config",
"hostname": "m.example.com"
},
{
"arlInclusion": false,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": null,
"configNameInProduction": null,
"hostname": "m.example-123.com"
}
]
}
Run List contracts and groups and select a
contractIdand agroupId.Make a GET request to
/appsec/.v1/ contracts/ {contractId}/ groups/ {groupId}/ selectable-hostnames
The operation responds with a SelectableHostnames object.
List configurations
Lists available security configurations. Products: All.
GET /appsec/
Status 200
application/json
Object type: Configuration
Download schema: configListing.json
Response body:
{
"configurations": [
{
"id": 22330,
"latestVersion": 5,
"name": "CaroTestTransition2Versioning",
"description": "(user notes)"
},
{
"id": 7180,
"latestVersion": 9,
"name": "Corporate Sites WAF",
"productionVersion": 1,
"stagingVersion": 2,
"productionHostnames": [
"example.com",
"www.example.net",
"m.example.com"
]
}
]
}
Create a configuration
Create a new WAP or KSD security configuration. KSD security configurations start out empty, and WAP configurations are created with preset values. The contract you pass in the request body determines which product you use. You can edit the default settings included in the WAP configuration, but you’ll need to run additional operations in this API to select specific protections for KSD. Your KSD configuration needs match targets and protection settings before you activate. Products: All.
POST /appsec/
Content-Type: application/json
Request body:
{
"name": "newapitest",
"description": "description1",
"contractId": "F-I5PAH1",
"groupId": 42085,
"hostnames": [
"new.example.com",
"www.example.com"
]
}
Status 201
application/json
Response body:
{
"configId": 71710,
"version": 1,
"description": "description1",
"name": "newapitest"
}
Build a new Configuration object.
POST the object to
/appsec/.v1/ configs
The operation responds with a Configuration object.
Rename a security configuration
Update the name of your security configuration. Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: RenameConfiguration
Download schema: configRename.json
Request body:
{
"name": "newapitest",
"description": "description1"
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 112231 |
A unique identifier for each security configuration. |
Status 200
application/json
Object type: RenameConfiguration
Download schema: configRename.json
Response body:
{
"name": "newapitest",
"description": "description1"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Build a RenameConfiguration object.
PUT the object to
/appsec/.v1/ configs/ {configId}
The operation responds with a RenameConfiguration object.
List configuration versions
Lists available versions for the specified security configuration, with results optionally paginated. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 48579 |
A unique identifier for each configuration. |
| Optional query parameters | |||
detail |
Boolean | false |
When true, the results contain detailed information on versions. When false, the results contain summary information on versions. |
page |
Integer | 1 |
The index of the result page. If the value is -1, then pagination is ignored. The default value is 1. |
pageSize |
Integer | 10 |
The number of items on each result page. The default value is 25. |
Status 200
application/json
Object type: VersionList
Download schema: wafConfigVersionListDto.json
Response body:
{
"totalSize": 3,
"pageSize": 3,
"page": 1,
"configId": 48579,
"configName": "TestConfig",
"stagingExpediteRequestId": 5861,
"productionExpediteRequestId": 6951,
"productionActiveVersion": 9,
"stagingActiveVersion": 8,
"lastCreatedVersion": 9,
"versionList": [
{
"version": 9,
"versionNotes": "Membership Benefits",
"createDate": "2013-10-07T17:58:52Z",
"createdBy": "user1",
"basedOn": 8,
"production": {
"status": "Active",
"time": "2014-07-08T07:40:00Z"
},
"staging": {
"status": "Inactive"
}
},
{
"version": 8,
"versionNotes": "Membership Benefits",
"createDate": "2013-10-07T17:41:52Z",
"createdBy": "user2",
"basedOn": 7,
"production": {
"status": "Inactive"
},
"staging": {
"status": "Active",
"time": "2014-07-08T07:40:00Z"
}
},
{
"version": 7,
"versionNotes": "Membership Benefits",
"createDate": "2013-08-07T17:41:52Z",
"createdBy": "user3",
"production": {
"status": "Inactive"
},
"staging": {
"status": "Inactive"
}
}
]
}
Run List configurations and select a
configId.Optionally, set the
pageSizeandpagequery parameters to control the size of each page, and navigate to specific pages of results.Optionally, enable the
detailquery parameter for detailed information on the items returned.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions{?page, pageSize, detail}
Clone a configuration version
Creates a new version of the specified security configuration. Products: All.
POST /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: ConfigurationClone
Download schema: configCloneCreate.json
Request body:
{
"createFromVersion": 1,
"ruleUpdate": false
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 48579 |
A unique identifier for each configuration. |
Status 200
application/json
Object type: Version
Download schema: wafConfigVersionDto.json
Response body:
{
"configId": 48579,
"configName": "TestConfig",
"version": 2,
"versionNotes": "Membership Benefits",
"createDate": "2013-10-07T17:58:52Z",
"createdBy": "user1",
"basedOn": 1,
"production": {
"status": "Active",
"time": "2014-07-08T07:40:00Z"
},
"staging": {
"status": "Inactive"
}
}
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Create a ConfigurationClone object.
Make a POST request to
/appsec/.v1/ configs/ {configId}/ versions
The response reflects the new Configuration object.
Get configuration version details
Returns basic details about a configuration version. To get a more extensive object with detailed information about a version’s security policies, rate policies, rules, and other additional settings, run the Export a configuration version operation. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 48579 |
A unique identifier for each configuration. |
versionNumber |
Integer | 2 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Object type: Version
Download schema: wafConfigVersionDto.json
Response body:
{
"configId": 48579,
"configName": "TestConfig",
"version": 2,
"versionNotes": "Membership Benefits",
"createDate": "2013-10-07T17:58:52Z",
"createdBy": "user1",
"basedOn": 1,
"production": {
"status": "Active",
"time": "2014-07-08T07:40:00Z"
},
"staging": {
"status": "Inactive"
}
}
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}
The response is a Configuration object.
Remove a configuration version
Delete the specified configuration version. You can’t delete a version that is actively in use. Products: All.
DELETE /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 48579 |
A unique identifier for each configuration. |
versionNumber |
Integer | 2 |
A unique identifier for each version of a configuration. |
Status 204
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Make a DELETE request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}
Get the version notes
Get the most recent version notes for a configuration. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Download schema: versionNotesGetSuccess.json
Response body:
{
"notes": "This is the version notes."
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ version-notes
The operation responds with a VersionNotes object.
Update the version notes
Update the most recent version notes for a configuration. Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: VersionNotes
Download schema: versionNotesSetRequest.json
Request body:
{
"notes": "This is a version note."
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Download schema: versionNotesSetSuccess.json
Response body:
{
"notes": "This is the version notes."
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Modify the VersionNotes object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ version-notes
The operation responds with a VersionNotes object.
Get Hostname Coverage
Get the list of hostnames in the account with their current protections, activation statuses, and other summary information. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Status 200
application/json
Object type: HostnameCoverage
Download schema: hostnameCoverageGetSuccess.json
Response body:
{
"hostnameCoverage": [
{
"status": "covered",
"hasMatchTarget": true,
"hostname": "hola.example.com.mx",
"policyNames": [
"Main Street Corporation Mexico"
],
"configuration": {
"id": 57415,
"name": "Main Street Corporation Mexico",
"version": 37
}
},
{
"status": "covered",
"hasMatchTarget": true,
"hostname": "apiwork.example.com",
"policyNames": [
"AAG Sites"
],
"configuration": {
"id": 55851,
"name": "WFSLTD and API gateway portal",
"version": 2
}
},
{
"status": "covered",
"hasMatchTarget": true,
"hostname": "www.example.com",
"policyNames": [
"Main Street Corporation Canada"
],
"configuration": {
"id": 74656,
"name": "Main Street Corporation Canada",
"version": 53
}
}
]
}
Get the hostname coverage match targets
List the API and website match targets that protect a hostname. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
host |
String | www.example.com |
The hostname to look for. |
Status 200
application/json
Download schema: hostnameCoverageMatchTargetGetSuccess.json
Response body:
{
"matchTargets": {
"apiTargets": [],
"websiteTargets": [
{
"configId": 75498,
"configVersion": 428,
"defaultFile": "NO_MATCH",
"isNegativeFileExtensionMatch": false,
"isNegativePathMatch": false,
"isTargetSecurityControlsEditable": false,
"logicalId": 1730010,
"sequence": 3,
"targetId": 2555705,
"type": "website",
"fileExtensions": [],
"filePaths": [
"/content/tealeaf"
],
"hostnames": [
"www.example.com",
"m.example.com",
"m.new.example.com",
"safety.example.com",
"static.example.net",
"failover3.example.com",
"static.example.com",
"images.example.com",
"failover5.example.com",
"espanol.example.com"
],
"effectiveSecurityControls": {
"applyApplicationLayerControls": true,
"applyBotmanControls": true,
"applyNetworkLayerControls": true,
"applyPageIntegrityControls": false,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": true
},
"firewallPolicy": {
"evaluated": false,
"policyId": "GRD_4186",
"policyName": "Main Street Corporation USA",
"policySecurityControls": {
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyBotmanControls": true,
"applyNetworkLayerControls": true,
"applyPageIntegrityControls": false,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": true
}
},
"targetSecurityControls": {
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyPageIntegrityControls": false,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": true
},
"bypassNetworkLists": [
{
"id": "1410_BYPASSWAFLIST",
"name": "shawn - BypassWAFList"
}
]
}
]
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run Get Hostname Coverage, select a
hostnamevalue, and store it as ahostparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ hostname-coverage/ match-targets?hostname={host}
The operation responds with a HostnameCoverage object.
List hostname overlaps
List the configuration versions that contain a hostname also included in the current configuration version. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
host |
String | www.example.com |
The to search for. |
Status 200
application/json
Object type: HostnameOverlap
Download schema: hostnameCoverageOverlappingGetSuccess.json
Response body:
{
"overLappingList": [
{
"configId": 57415,
"configName": "Main Street Corporation Mexico",
"configVersion": 37,
"contractId": "F-I5PAH1",
"contractName": "Main Street Corporation .-F-I5PAH1",
"versionTags": [
"STAGING"
]
},
{
"configId": 75498,
"configName": "Main Street Corporation Inc",
"configVersion": 1,
"contractId": "F-I5PAH1",
"contractName": "Main Street Corporation .-F-I5PAH1",
"versionTags": [
"STAGING"
]
},
{
"configId": 42826,
"configName": "Main Street Corporation Local",
"configVersion": 3,
"contractId": "G-2N0OVRJ",
"contractName": "Zoro-Main Street Corporation ",
"versionTags": [
"LAST_CREATED"
]
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run Get Hostname Coverage, select a
hostnamevalue, and store it as ahostnameparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ hostname-coverage/ overlapping?hostname={host}
The operation responds with a HostnameOverlap object.
Get the HTTP header log settings for a configuration
Lists HTTP header logging controls for a configuration. HTTP header logging is on by default, and in most cases you should leave it enabled. You can filter requests by header type, including or excluding requests with a specific header, or by cookie. This operation applies at the configuration level, and therefore applies to all policies within a configuration. If you want to view these settings for a specific policy, run Get HTTP header log settings. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Download schema: loggingHeaderSetting.json
Response body:
{
"allowSampling": true,
"cookies": {
"type": "all"
},
"customHeaders": {
"type": "exclude",
"values": [
"csdasdad"
]
},
"standardHeaders": {
"type": "only",
"values": [
"Accept"
]
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ advanced-settings/ logging
The operation responds with a ConfigHeaderLog object.
Modify HTTP header log settings for a configuration
Enable, disable, or update HTTP header Logging settings for a configuration. This operation applies at the configuration level, and therefore applies to all policies within a configuration. If you want to override these settings for a specific policy, run Modify HTTP header log settings. Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: ConfigHeaderLog
Download schema: httpHeaderLoggingSetRequest.json
Request body:
{
"allowSampling": true,
"cookies": {
"type": "all"
},
"customHeaders": {
"type": "exclude",
"values": [
"csdasdad"
]
},
"standardHeaders": {
"type": "only",
"values": [
"Accept"
]
}
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Download schema: httpHeaderLoggingSetSuccess.json
Response body:
{
"allowSampling": true,
"cookies": {
"type": "all"
},
"customHeaders": {
"type": "exclude",
"values": [
"csdasdad"
]
},
"standardHeaders": {
"type": "only",
"values": [
"Accept"
]
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Modify the ConfigHeaderLog object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ advanced-settings/ logging
The operation responds with a ConfigHeaderLog object.
Get prefetch requests
Get the Prefetch Request settings. Products: Kona Site Defender.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Object type: PrefetchRequest
Download schema: prefetchRequestGetSuccess.json
Response body:
{
"allExtensions": false,
"enableAppLayer": true,
"enableRateControls": false,
"extensions": [
"cgi",
"jsp",
"EMPTY_STRING",
"aspx",
"py",
"php",
"asp"
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ advanced-settings/ prefetch
The operation responds with a PrefetchRequest response object.
Modify prefetch requests
Enabling this protection causes your application firewall rules to inspect internal requests (those between your origin and Akamai’s servers) for file types you specify. You can also apply rate controls to prefetch requests. This operation applies at the configuration level. Products: Kona Site Defender.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: PrefetchRequest
Download schema: prefetchRequestSetRequest.json
Request body:
{
"allExtensions": false,
"enableAppLayer": true,
"enableRateControls": false,
"extensions": [
"cgi",
"jsp",
"EMPTY_STRING",
"aspx",
"py",
"php",
"asp"
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Download schema: prefetchRequestSetSuccess.json
Response body:
{
"allExtensions": false,
"enableAppLayer": true,
"enableRateControls": false,
"extensions": [
"cgi",
"jsp",
"EMPTY_STRING",
"aspx",
"py",
"php",
"asp"
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Modify the PrefetchRequest object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ advanced-settings/ prefetch
The operation responds with a PrefetchRequest response object.
Get Pragma settings for a configuration
Return the Pragma header excluded conditions. By default, the Pragma header is stripped from an operation’s response except in cases where you set excludeCondition. This operation applies at the security configuration level. To see settings at the security policy level, run List policy Pragma header settings for a security policy.
Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Object type: PragmaHeader
Download schema: pragmaHeaderDto.json
Response body:
{
"action": "REMOVE",
"conditionOperator": "AND",
"excludeCondition": [
{
"type": "requestHeaderValueMatch",
"positiveMatch": true,
"header": "accept",
"valueCase": true,
"valueWildcard": true,
"value": [
"application/json",
"application/xml"
]
},
{
"type": "ipMatch",
"positiveMatch": true,
"useHeaders": false,
"value": [
"192.0.2.1",
"198.51.100.0/24"
]
},
{
"type": "networkList",
"positiveMatch": true,
"value": [
"123_3ALLOWEDIPS"
]
},
{
"type": "queryParamNameValueMatch",
"positiveMatch": true,
"name": "type",
"valueCase": true,
"valueWildcard": false,
"value": [
"type A",
"type B"
]
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ advanced-settings/ pragma-header
The operation responds with a PragmaHeader object.
Modify Pragma settings for a configuration
Update the Pragma header excluded conditions. By default, the Pragma header is stripped from an operation’s response except in cases where you set excludeCondition. To remove existing settings, submit your request with an empty payload {} at the top-level of an object. For example, submit "type": "{}" in the request body to remove the requestHeaderValueMatch from the excluded conditions. If you submit an empty payload for each member, you’ll clear all of your condition settings. This operation applies at the security configuration level. To see settings at the security policy level, run Modify Pragma header settings for a security policy.
Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: PragmaHeader
Download schema: pragmaHeaderDto.json
Request body:
{
"action": "REMOVE",
"conditionOperator": "AND",
"excludeCondition": [
{
"type": "requestHeaderValueMatch",
"positiveMatch": true,
"header": "accept",
"valueCase": true,
"valueWildcard": true,
"value": [
"application/json",
"application/xml"
]
},
{
"type": "ipMatch",
"positiveMatch": true,
"useHeaders": false,
"value": [
"192.0.2.1",
"198.51.100.0/24"
]
},
{
"type": "networkList",
"positiveMatch": true,
"value": [
"123_3ALLOWEDIPS"
]
},
{
"type": "queryParamNameValueMatch",
"positiveMatch": true,
"name": "type",
"valueCase": true,
"valueWildcard": false,
"value": [
"type A",
"type B"
]
}
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Object type: PragmaHeader
Download schema: pragmaHeaderDto.json
Response body:
{
"action": "REMOVE",
"conditionOperator": "AND",
"excludeCondition": [
{
"type": "requestHeaderValueMatch",
"positiveMatch": true,
"header": "accept",
"valueCase": true,
"valueWildcard": true,
"value": [
"application/json",
"application/xml"
]
},
{
"type": "ipMatch",
"positiveMatch": true,
"useHeaders": false,
"value": [
"192.0.2.1",
"198.51.100.0/24"
]
},
{
"type": "networkList",
"positiveMatch": true,
"value": [
"123_3ALLOWEDIPS"
]
},
{
"type": "queryParamNameValueMatch",
"positiveMatch": true,
"name": "type",
"valueCase": true,
"valueWildcard": false,
"value": [
"type A",
"type B"
]
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Modify the PragmaHeader response object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ advanced-settings/ pragma-header
The operation responds with the PragmaHeader object you modified.
Get Request body size settings for a configuration
Beta. Return request body inspection limit settings for a configuration. Contact your account team if you’d like to run this operation. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Object type: InspectionLimit
Download schema: requestBodyDto.json
Response body:
{
"requestBodySizeInKB": 16
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ advanced-settings/ request-body
The operation responds with an InspectionLimit object.
Modify request body inspection limit settings for a configuration
Beta. Modify request body inspection limit settings for a configuration. Inspect request bodies up to a certain size. In exceptional cases, you can change the default value to a set limit: 8, 16, or 32 kb. Contact your account team if you’d like to run this operation.
Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: InspectionLimit
Download schema: requestBodyDto.json
Request body:
{
"requestBodySizeInKB": 16
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Object type: InspectionLimit
Download schema: requestBodyDto.json
Response body:
{
"requestBodySizeInKB": 16
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Modify the InspectionLimit object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ advanced-settings/ request-body
The operation responds with an InspectionLimit object.
List selectable hostnames
List the hostnames that a given configuration version has the ability to protect. Hostnames may show as error hosts when they aren’t currently available. For example, when a contract expires. Products: All.
GET /appsec/
Status 200
application/json
Object type: SelectableHostnames
Download schema: hostInfoInConfiguration.json
Response body:
{
"configId": 123,
"configVersion": 2,
"protectARLInclusionHost": true,
"availableSet": [
{
"arlInclusion": true,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": 77653,
"configNameInProduction": "WAF Security File",
"hostname": "example.com"
},
{
"arlInclusion": true,
"activeInProduction": false,
"activeInStaging": true,
"configIdInProduction": 51074,
"configNameInProduction": "A PUBLIC CONFIG",
"hostname": "www.example.com"
},
{
"arlInclusion": true,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": 65473,
"configNameInProduction": "Other Security Configuration",
"hostname": "www.example-123.com"
}
],
"errorSet": [
{
"hostname": "*.example.net",
"reason": "property is not active in either production or staging",
"reasonCode": 400
},
{
"hostname": "test-example.net",
"reason": "You don't have access to this property",
"reasonCode": 403
}
],
"selectedSet": [
{
"arlInclusion": false,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": 11887,
"configNameInProduction": "Rbac Test Config",
"hostname": "m.example.com"
},
{
"arlInclusion": false,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": null,
"configNameInProduction": null,
"hostname": "m.example-123.com"
}
]
}
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ selectable-hostnames
The response is a SelectableHostnames object.
List selected hostnames
List the hostnames that the configuration version selects as candidates of protected hostnames, which you can use in match targets. Products: All.
GET /appsec/
Status 200
application/json
Object type: SelectedHostnames
Download schema: hostnameList.json
Response body:
{
"mode": "append",
"hostnameList": [
{
"hostname": "*.example.net"
},
{
"hostname": "example.com"
},
{
"hostname": "m.example.com"
}
]
}
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ selected-hostnames
The response is a SelectedHostnames object.
Modify selected hostnames
Update the list of selected hostnames for a configuration version. Now you can add an individual hostname to your selected hostnames list without passing the entire list plus the new hostname in this PUT object. Previously, you needed to pass every hostname in the PUT object or any hostnames not included would be deleted from the list. Products: All.
PUT /appsec/
Content-Type: application/json
Object type: SelectedHostnames
Download schema: hostnameList.json
Request body:
{
"mode": "append",
"hostnameList": [
{
"hostname": "*.example.net"
},
{
"hostname": "example.com"
},
{
"hostname": "m.example.com"
}
]
}
Status 200
application/json
Object type: SelectedHostnames
Download schema: hostnameList.json
Response body:
{
"mode": "append",
"hostnameList": [
{
"hostname": "*.example.net"
},
{
"hostname": "example.com"
},
{
"hostname": "m.example.com"
}
]
}
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Run List selectable hostnames to get a list of Set objects containing hostname information.
List selected hostnames to get a SelectedHostnames object.
Modify the SelectedHostnames object.
Make a PUT request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ selected-hostnames
The response reflects the modified SelectedHostnames object.
List evaluation hostnames
List the evaluation hostnames for a configuration version. Evaluation mode for hostnames is only available for Web Application Protector and App & API Protector. Run hostnames in evaluation mode to see how your configuration settings protect traffic for that hostname before adding a hostname directly to a live configuration. An evaluation period lasts four weeks unless you stop the evaluation. Once you begin, the hostnames you evaluate start responding to traffic as if they are your current hostnames. However, instead of taking an action the evaluation hostnames log which action they would have taken if they were your actively-protected hostnames and not a test. Products: Web Application Protector, App & API Protector.
GET /appsec/
Status 200
application/json
Object type: EvalHostname
Download schema: evalHostnames.json
Response body:
{
"mode": "append",
"hostnames": [
"*.example.net",
"example.com",
"m.example.com"
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ selected-hostnames/ eval-hostnames
The operation responds with an EvalHostname object.
Modify evaluation hostnames
Update the list of hostnames you want to evaluate for a configuration version. Products: Web Application Protector, App & API Protector.
PUT /appsec/
Content-Type: application/json
Object type: EvalHostname
Download schema: evalHostnames.json
Request body:
{
"mode": "append",
"hostnames": [
"*.example.net",
"example.com",
"m.example.com"
]
}
Status 200
application/json
Object type: EvalHostname
Download schema: evalHostnames.json
Response body:
{
"mode": "append",
"hostnames": [
"*.example.net",
"example.com",
"m.example.com"
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Modify the EvalHostname object.
PUT the object to
/appsec/.
The operation responds with an EvalHostname object.
Protect evaluation hostnames
Move hostnames you’re evaluating to active protection. When you move a hostname from the evaluation hostnames list, it’s added to your security policy as a protected hostname. You’ll see that hostname in the SelectedHostnames object the next time you run List selected hostnames. Products: Web Application Protector, App & API Protector.
PUT /appsec/
Content-Type: application/json
Object type: EvalHostname
Download schema: evalHostnames.json
Request body:
{
"mode": "append",
"hostnames": [
"*.example.net",
"example.com",
"m.example.com"
]
}
Status 200
application/json
Object type: EvalHostname
Download schema: evalHostnames.json
Response body:
{
"mode": "append",
"hostnames": [
"*.example.net",
"example.com",
"m.example.com"
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Modify the EvalHostname object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ protect-eval-hostnames
The operation responds with an EvalHostname object.
List security policies
Returns a list of security policies available for the specified security configuration. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 8225 |
A unique identifier for each configuration. |
versionNumber |
Integer | 2 |
A unique identifier for each version of a configuration. |
| Optional query parameters | |||
detail |
Boolean | true |
When enabled, the response features a richer set of data than the default, which includes only the name and ID of each item. |
notMatched |
Boolean | false |
If true, returns all security policies in the configuration version that don’t have a match target. If false, returns all security policies in the configuration version. |
Status 200
application/json
Object type: SecurityPolicy
Download schema: securityPoliciesListDto.json
Response body:
{
"configId": 51074,
"version": 8,
"policies": [
{
"policyId": "NN3_61",
"policyName": "NN FW 3",
"hasRatePolicyWithApiKey": true,
"policySecurityControls": {
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": false,
"applyReputationControls": false,
"applyBotmanControls": true,
"applyApiConstraints": false,
"applySlowPostControls": false
}
},
{
"policyId": "NN_2",
"policyName": "NN FW 1",
"hasRatePolicyWithApiKey": false,
"policySecurityControls": {
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": false,
"applyReputationControls": false,
"applyBotmanControls": false,
"applyApiConstraints": false,
"applySlowPostControls": false
}
},
{
"policyId": "NN-2_3",
"policyName": "NN FW 2",
"hasRatePolicyWithApiKey": true,
"policySecurityControls": {
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": false,
"applyReputationControls": false,
"applyBotmanControls": false,
"applyApiConstraints": false,
"applySlowPostControls": false
}
}
]
}
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Optionally, enable the
notMatchedquery parameter to return all security policies in the configuration version which don’t have a match target.Optionally, enable the
detailquery parameter to see detailed information on the returned items.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies{?notMatched, detail}
Clone or create a security policy
Creates a new copy of an existing security policy or creates a new security policy from scratch when you don’t specify a policy to clone in the request. To create a new security policy, leave createFromSecurityPolicy empty in your request.
Products: Kona Site Defender, App & API Protector with the Advanced Security module.
POST /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: SecurityPolicyClone
Download schema: securityPolicyCloneRequest.json
Request body:
{
"createFromSecurityPolicy": "1_35752",
"policyName": "Open Cloned IV 2",
"policyPrefix": "bt17"
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 8225 |
A unique identifier for each configuration. |
versionNumber |
Integer | 2 |
A unique identifier for each version of a configuration. |
Status 201
application/json
Object type: SecurityPolicy
Download schema: securityPolicyDto.json
Response body:
{
"configId": 77653,
"version": 144,
"policyId": "bt17_75755",
"policyName": "Open Cloned IV 2",
"policySecurityControls": {
"applyApiConstraints": true,
"applyApplicationLayerControls": true,
"applyBotmanControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": false
}
}
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Run List security policies and select a
policyId.Create a SecurityPolicyClone object.
Make a POST request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies
The response reflects the new SecurityPolicy object.
Get a security policy
Returns the specified security policy. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 8225 |
A unique identifier for each configuration. |
versionNumber |
Integer | 2 |
A unique identifier for each version of a configuration. |
policyId |
String | abc_123456 |
A unique identifier for a security policy. |
Status 200
application/json
Response body:
{
"configId": 77653,
"version": 144,
"policyId": "bt17_75755",
"policyName": "Open Cloned IV 2",
"policySecurityControls": {
"applyApiConstraints": true,
"applyApplicationLayerControls": true,
"applyBotmanControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": false
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}
The operation responds with a SecurityPolicy object.
Modify a security policy
Update the name of a specific security policy. Currently, you can only edit a security policy’s name with this operation, although other editable fields will be available in the future. For any changes to settings within a security policy, run the modify operation for that specific setting. For example, to update your IP/Geo settings, run Update the IP Geo Firewall settings. Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Request body:
{
"policyName": "updated policy name"
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 8225 |
A unique identifier for each configuration. |
versionNumber |
Integer | 2 |
A unique identifier for each version of a configuration. |
policyId |
String | abc_123456 |
A unique identifier for a security policy. |
Status 200
application/json
Response body:
{
"policyName": "updated policy name"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Optionally, run Get a security policy to isolate the specific security policy you want to update.
Modify a SecurityPolicy object from the response.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}
The operation responds with a SecurityPolicy object.
Remove a security policy
Delete the specified security policy. You can’t delete a security policy that is actively in use. Before you run this operation, create a new version of your security configuration and omit the policy you want to delete. Once you have activated your new configuration version, you can delete the security policy you omitted from the new version. One way to create a new configuration quickly is to run Clone a configuration version, remove the policy you want to delete, then PUT the edited object back to Modify a security policy. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
DELETE /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 8225 |
A unique identifier for each configuration. |
versionNumber |
Integer | 2 |
A unique identifier for each version of a configuration. |
policyId |
String | abc_123456 |
A unique identifier for a security policy. |
Status 204
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a DELETE request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}
Get HTTP header log settings
List a security policy’s settings for HTTP header logging. HTTP header logging is on by default, and in most cases you should leave it enabled. You can filter requests by header type, including or excluding requests with a specific header, or by cookie. This operation applies at the security policy level, and overrides the HTTP header log settings at the configuration level on a per-policy basis. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Download schema: policyHttpHeaderLoggingGetSuccess.json
Response body:
{
"override": true,
"allowSampling": true,
"cookies": {
"type": "all"
},
"customHeaders": {
"type": "exclude",
"values": [
"csdasdad"
]
},
"standardHeaders": {
"type": "only",
"values": [
"Accept"
]
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ advanced-settings/ logging
The operation responds with a HeaderLog object.
Modify HTTP header log settings
Enable, disable, or update HTTP header logging settings for a specific policy. This operation applies at the security policy level, and overrides the HTTP header log settings at the configuration level on a per-policy basis. Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: HeaderLog
Download schema: policyHttpHeaderLoggingSetRequest.json
Request body:
{
"override": true,
"allowSampling": true,
"cookies": {
"type": "all"
},
"customHeaders": {
"type": "exclude",
"values": [
"csdasdad"
]
},
"standardHeaders": {
"type": "only",
"values": [
"Accept"
]
}
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Download schema: policyHttpHeaderLoggingSetSuccess.json
Response body:
{
"override": true,
"allowSampling": true,
"cookies": {
"type": "all"
},
"customHeaders": {
"type": "exclude",
"values": [
"csdasdad"
]
},
"standardHeaders": {
"type": "only",
"values": [
"Accept"
]
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Modify the HeaderLog object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ advanced-settings/ logging
The operation responds with a HeaderLog object.
Get Pragma settings for a security policy
Return the Pragma header’s excluded conditions. By default, the Pragma header debugging information is stripped from an operation’s response except in cases where you set excludeCondition. This operation applies at the security policy level. To modify Pragma header settings at the security configuration level, run List Pragma header settings for a configuration.
Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Object type: PragmaHeader
Download schema: pragmaHeaderDto.json
Response body:
{
"action": "REMOVE",
"conditionOperator": "AND",
"excludeCondition": [
{
"type": "requestHeaderValueMatch",
"positiveMatch": true,
"header": "accept",
"valueCase": true,
"valueWildcard": true,
"value": [
"application/json",
"application/xml"
]
},
{
"type": "ipMatch",
"positiveMatch": true,
"useHeaders": false,
"value": [
"192.0.2.1",
"198.51.100.0/24"
]
},
{
"type": "networkList",
"positiveMatch": true,
"value": [
"123_3ALLOWEDIPS"
]
},
{
"type": "queryParamNameValueMatch",
"positiveMatch": true,
"name": "type",
"valueCase": true,
"valueWildcard": false,
"value": [
"type A",
"type B"
]
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ advanced-settings/ pragma-header
The operation responds with a PragmaHeader object.
Modify Pragma settings for a security policy
Update the pragma header excluded conditions. By default, the Pragma header debugging information is stripped from an operation’s response except in cases where you set excludeCondition. To remove existing settings, submit your request with an empty payload {} at the top-level of an object. For example, submit "type": "{}" in the request body to remove the requestHeaderValueMatch from the excluded conditions. If you submit an empty payload for each member, you’ll clear all of your condition settings. To modify Pragma header settings at the security configuration level, run Modify Pragma header settings for a configuration.
Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: PragmaHeader
Download schema: pragmaHeaderDto.json
Request body:
{
"action": "REMOVE",
"conditionOperator": "AND",
"excludeCondition": [
{
"type": "requestHeaderValueMatch",
"positiveMatch": true,
"header": "accept",
"valueCase": true,
"valueWildcard": true,
"value": [
"application/json",
"application/xml"
]
},
{
"type": "ipMatch",
"positiveMatch": true,
"useHeaders": false,
"value": [
"192.0.2.1",
"198.51.100.0/24"
]
},
{
"type": "networkList",
"positiveMatch": true,
"value": [
"123_3ALLOWEDIPS"
]
},
{
"type": "queryParamNameValueMatch",
"positiveMatch": true,
"name": "type",
"valueCase": true,
"valueWildcard": false,
"value": [
"type A",
"type B"
]
}
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Object type: PragmaHeader
Download schema: pragmaHeaderDto.json
Response body:
{
"action": "REMOVE",
"conditionOperator": "AND",
"excludeCondition": [
{
"type": "requestHeaderValueMatch",
"positiveMatch": true,
"header": "accept",
"valueCase": true,
"valueWildcard": true,
"value": [
"application/json",
"application/xml"
]
},
{
"type": "ipMatch",
"positiveMatch": true,
"useHeaders": false,
"value": [
"192.0.2.1",
"198.51.100.0/24"
]
},
{
"type": "networkList",
"positiveMatch": true,
"value": [
"123_3ALLOWEDIPS"
]
},
{
"type": "queryParamNameValueMatch",
"positiveMatch": true,
"name": "type",
"valueCase": true,
"valueWildcard": false,
"value": [
"type A",
"type B"
]
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Modify the PragmaHeader response object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ advanced-settings/ pragma-header
The operation responds with the PragmaHeader object you modified.
Get request body inspection limit settings for a security policy
Beta. Return request body inspection limit settings for a security policy. Contact your account team if you’d like to run this operation. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Object type: InspectionLimit
Download schema: requestBodyDto.json
Response body:
{
"requestBodySizeInKB": 16
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ advanced-settings/ request-body
The operation responds with an InspectionLimit object.
Modify request body size settings for a security policy
Beta. Update inspection settings for a security policy. Inspect request bodies up to a certain size. In exceptional cases, you can change the default value to a set limit: 8, 16, or 32 KB. Contact your account team if you’d like to run this operation.
Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: InspectionLimit
Download schema: requestBodyDto.json
Request body:
{
"requestBodySizeInKB": 16
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Object type: InspectionLimit
Download schema: requestBodyDto.json
Response body:
{
"requestBodySizeInKB": 16
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run Get request body inspection limit settings for a security policy.
Modify the InspectionLimit object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ advanced-settings/ request-body
The operation responds with an InspectionLimit object.
List match targets
Returns match targets defined in the specified security configuration version. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
| Optional query parameters | |||
includeChildObjectName |
Boolean | true |
Specifies the name for network list and API endpoint objects to return in the response. |
policyId |
String | ancv_1234 |
Specifies the security policy to filter match targets. |
Status 200
application/json
Object type: MatchTarget
Download schema: matchTargetList.json
Response body:
{
"matchTargets": {
"apiTargets": [
{
"configId": 77653,
"configVersion": 25,
"sequence": 3,
"targetId": 1222208,
"type": "api",
"effectiveSecurityControls": {
"applyApiConstraints": true,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": false
},
"securityPolicy": {
"policyId": "ancv_1234"
},
"apis": [
{
"id": 1111,
"name": "API Endpoint 1"
},
{
"id": 2222,
"name": "API Endpoint 2"
}
],
"bypassNetworkLists": [
{
"name": "Example network list 11",
"id": "522825_CCCBYPASSLIST"
},
{
"name": "Example network list 12",
"id": "1622566_XXAABYPASSL"
}
]
}
],
"websiteTargets": [
{
"configId": 77653,
"configVersion": 25,
"defaultFile": "NO_MATCH",
"isNegativeFileExtensionMatch": false,
"isNegativePathMatch": false,
"sequence": 1,
"targetId": 1221059,
"type": "website",
"fileExtensions": [
"html"
],
"filePaths": [
"/*"
],
"hostnames": [],
"effectiveSecurityControls": {
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": false
},
"securityPolicy": {
"policyId": "ancv_1234"
},
"bypassNetworkLists": [
{
"name": "Example network list 21",
"id": "222825_AAABYPASSLIST"
},
{
"name": "Example network list 22",
"id": "2622566_YYAABYPASSL"
}
]
},
{
"configId": 77653,
"configVersion": 25,
"defaultFile": "NO_MATCH",
"isNegativeFileExtensionMatch": false,
"isNegativePathMatch": false,
"sequence": 2,
"targetId": 1222207,
"type": "website",
"bypassNetworkLists": [],
"fileExtensions": [],
"filePaths": [
"/path"
],
"hostnames": [
"example.com",
"www.example.net",
"m.example.com"
],
"effectiveSecurityControls": {
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": false,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": false
},
"securityPolicy": {
"policyId": "ancv_1234"
}
}
]
}
}
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Optionally, Run List security policies and select a
policyId.Optionally, enable the
includeChildObjectNamequery parameter to return the object name in the payload.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ match-targets{?policyId, includeChildObjectName}
Create a match target
Creates a new Match Target in the specified Configuration Version. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
POST /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: MatchTarget
Download schema: matchTarget.json
Request body:
{
"type": "website",
"isNegativePathMatch": false,
"isNegativeFileExtensionMatch": true,
"defaultFile": "NO_MATCH",
"hostnames": [
"example.com",
"www.example.net",
"m.example.com"
],
"filePaths": [
"/sssi/*",
"/cache/aaabbc*",
"/price_toy/*"
],
"fileExtensions": [
"wmls",
"jpeg",
"pws",
"carb",
"pdf",
"js",
"hdml",
"cct",
"swf",
"pct"
],
"securityPolicy": {
"policyId": "fwsf_32432"
},
"bypassNetworkLists": [
{
"id": "888518_ACDDCKERS"
},
{
"id": "1304427_AAXXBBLIST"
}
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 201
application/json
Object type: MatchTarget
Download schema: matchTarget.json
Response body:
{
"targetId": 112231,
"configId": 77653,
"configVersion": 25,
"type": "website",
"sequence": 1,
"isNegativePathMatch": false,
"isNegativeFileExtensionMatch": true,
"defaultFile": "NO_MATCH",
"hostnames": [
"example.com",
"www.example.net",
"m.example.com"
],
"filePaths": [
"/sssi/*",
"/cache/aaabbc*",
"/price_toy/*"
],
"fileExtensions": [
"wmls",
"jpeg",
"pws",
"carb",
"pdf",
"js",
"hdml",
"cct",
"swf",
"pct"
],
"securityPolicy": {
"policyId": "fwsf_32432"
},
"effectiveSecurityControls": {
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": false,
"applyRateControls": true,
"applyReputationControls": false,
"applySlowPostControls": false
},
"bypassNetworkLists": [
{
"name": "Test network list 1",
"id": "888518_ACDDCKERS"
},
{
"name": "Test network list 2",
"id": "1304427_AAXXBBLIST"
}
]
}
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Create a MatchTarget object.
Make a POST request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ match-targets
The response reflects the complete MatchTarget object.
Modify match target order
Updates the sequence of Match Targets in a configuration
version. The website and api match targets’ sequence
requires updates from separate requests by passing the type
attribute in the JSON request.
Products: Kona Site Defender, App & API Protector with the Advanced Security module.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: MatchTargetOrder
Download schema: matchTargetsSequence.json
Request body:
{
"type": "website",
"targetSequence": [
{
"targetId": 1217289,
"sequence": 1
},
{
"targetId": 1217339,
"sequence": 2
}
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Object type: MatchTargetOrder
Download schema: matchTargetsSequence.json
Response body:
{
"type": "website",
"targetSequence": [
{
"targetId": 1217289,
"sequence": 1
},
{
"targetId": 1217339,
"sequence": 2
}
]
}
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Run List match targets.
Craft a MatchTargetOrder object using the
targetIds.Make a PUT request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ match-targets/ sequence
The response reflects the modified MatchTargetOrder object.
Get a match target
Returns the specified match target. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
targetId |
Integer | 112231 |
A unique identifier for each match target. |
| Optional query parameters | |||
includeChildObjectName |
Boolean | true |
Specify whether to return the object name in the payload. |
Status 200
application/json
Object type: MatchTarget
Download schema: matchTarget.json
Response body:
{
"targetId": 112231,
"configId": 77653,
"configVersion": 25,
"type": "website",
"sequence": 1,
"isNegativePathMatch": false,
"isNegativeFileExtensionMatch": true,
"defaultFile": "NO_MATCH",
"hostnames": [
"example.com",
"www.example.net",
"m.example.com"
],
"filePaths": [
"/sssi/*",
"/cache/aaabbc*",
"/price_toy/*"
],
"fileExtensions": [
"wmls",
"jpeg",
"pws",
"carb",
"pdf",
"js",
"hdml",
"cct",
"swf",
"pct"
],
"securityPolicy": {
"policyId": "fwsf_32432"
},
"effectiveSecurityControls": {
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": false,
"applyRateControls": true,
"applyReputationControls": false,
"applySlowPostControls": false
},
"bypassNetworkLists": [
{
"name": "Test network list 1",
"id": "888518_ACDDCKERS"
},
{
"name": "Test network list 2",
"id": "1304427_AAXXBBLIST"
}
]
}
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Run List match targets and select a
targetId.Optionally, enable the
includeChildObjectNamequery parameter to return the object name in the payload.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ match-targets/ {targetId}{?includeChildObjectName}
The response is a MatchTarget object.
Modify a match target
Updates details about the specified match target. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: MatchTarget
Download schema: matchTarget.json
Request body:
{
"targetId": 112231,
"type": "website",
"isNegativePathMatch": false,
"isNegativeFileExtensionMatch": true,
"defaultFile": "NO_MATCH",
"hostnames": [
"example.com",
"www.example.net",
"m.example.com"
],
"filePaths": [
"/sssi/*",
"/cache/aaabbc*",
"/price_toy/*"
],
"fileExtensions": [
"wmls",
"jpeg",
"pws",
"carb",
"pdf",
"js",
"hdml",
"cct",
"swf",
"pct"
],
"securityPolicy": {
"policyId": "fwsf_32432"
},
"bypassNetworkLists": [
{
"id": "888518_ACDDCKERS"
},
{
"id": "1304427_AAXXBBLIST"
}
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
targetId |
Integer | 112231 |
A unique identifier for each match target. |
Status 200
application/json
Object type: MatchTarget
Download schema: matchTarget.json
Response body:
{
"targetId": 112231,
"configId": 77653,
"configVersion": 25,
"type": "website",
"sequence": 1,
"isNegativePathMatch": false,
"isNegativeFileExtensionMatch": true,
"defaultFile": "NO_MATCH",
"hostnames": [
"example.com",
"www.example.net",
"m.example.com"
],
"filePaths": [
"/sssi/*",
"/cache/aaabbc*",
"/price_toy/*"
],
"fileExtensions": [
"wmls",
"jpeg",
"pws",
"carb",
"pdf",
"js",
"hdml",
"cct",
"swf",
"pct"
],
"securityPolicy": {
"policyId": "fwsf_32432"
},
"effectiveSecurityControls": {
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": false,
"applyRateControls": true,
"applyReputationControls": false,
"applySlowPostControls": false
},
"bypassNetworkLists": [
{
"name": "Test network list 1",
"id": "888518_ACDDCKERS"
},
{
"name": "Test network list 2",
"id": "1304427_AAXXBBLIST"
}
]
}
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Run List match targets and select a
targetId.Run Get a match target.
Modify the MatchTarget object.
Make a PUT request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ match-targets/ {targetId}
The response reflects the modified MatchTarget object.
Remove a match target
Deletes the specified match target. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
DELETE /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
targetId |
Integer | 112231 |
A unique identifier for each match target. |
Status 204
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Run List match targets and select a
targetId.Make a DELETE request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ match-targets/ {targetId}
List custom deny actions
Returns custom deny actions for a specific security configuration version. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
| Optional query parameters | |||
search |
String | 234 |
Filter results by name, description, or ID. You can match on substrings. |
Status 200
application/json
Download schema: customDenyList.json
Response body:
{
"customDenyList": [
{
"description": "Custom Deny Example 1",
"name": "Custom Deny Example 1",
"id": "deny_custom_622918",
"parameters": [
{
"displayName": "Prevent browser caching",
"name": "prevent_browser_cache",
"value": "true"
},
{
"displayName": "Response body content",
"name": "response_body_content",
"value": "body comes here2222."
},
{
"displayName": "Response content type",
"name": "response_content_type",
"value": "application/json"
},
{
"displayName": "Response status code",
"name": "response_status_code",
"value": "403"
}
]
},
{
"description": "Custom Deny Example 2",
"name": "Custom Deny Example 2",
"id": 622919,
"parameters": [
{
"displayName": "Prevent browser caching",
"name": "prevent_browser_cache",
"value": "true"
},
{
"displayName": "Response body content",
"name": "response_body_content",
"value": "response body."
},
{
"displayName": "Response content type",
"name": "response_content_type",
"value": "application/json"
},
{
"displayName": "Response status code",
"name": "response_status_code",
"value": "403"
}
]
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Optionally, search for any name, description, or ID. Partial searches are allowed.
Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ custom-deny{?search}
The operation responds with a CustomDeny array.
Create a custom deny action
Create a new custom deny action for a specific configuration version. Products: All.
POST /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: CustomDeny
Download schema: customDeny.json
Request body:
{
"description": "test description",
"name": "new custom deny",
"parameters": [
{
"displayName": "Prevent browser caching",
"name": "prevent_browser_cache",
"value": "true"
},
{
"displayName": "Response body content",
"name": "response_body_content",
"value": "json desc"
},
{
"displayName": "Response content type",
"name": "response_content_type",
"value": "application/xml"
},
{
"displayName": "Response status code",
"name": "response_status_code",
"value": "403"
}
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 201
application/json
Object type: CustomDeny
Download schema: customDeny.json
Response body:
{
"description": "test description",
"name": "new custom deny",
"id": "deny_custom_622919",
"parameters": [
{
"displayName": "Prevent browser caching",
"name": "prevent_browser_cache",
"value": "true"
},
{
"displayName": "Response body content",
"name": "response_body_content",
"value": "json body"
},
{
"displayName": "Response content type",
"name": "response_content_type",
"value": "application/xml"
},
{
"displayName": "Response status code",
"name": "response_status_code",
"value": "403"
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Build a new CustomDeny object.
POST the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ custom-deny
The operation responds with a CustomDeny object.
Get a custom deny action
Returns the specified custom deny action. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
customDenyId |
String | 112231 |
A unique identifier for each custom deny action. |
Status 200
application/json
Object type: CustomDeny
Download schema: customDeny.json
Response body:
{
"description": "test description",
"name": "new custom deny",
"id": "deny_custom_622919",
"parameters": [
{
"displayName": "Prevent browser caching",
"name": "prevent_browser_cache",
"value": "true"
},
{
"displayName": "Response body content",
"name": "response_body_content",
"value": "json body"
},
{
"displayName": "Response content type",
"name": "response_content_type",
"value": "application/xml"
},
{
"displayName": "Response status code",
"name": "response_status_code",
"value": "403"
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List custom deny actions, select and
idvalue, and store it as acustomDenyId.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ custom-deny/ {customDenyId}
The operation responds with a CustomDeny object.
Modify a custom deny action
Update details for a specific custom deny action. Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: CustomDeny
Download schema: customDeny.json
Request body:
{
"description": "test description",
"name": "new custom deny",
"id": 622919,
"parameters": [
{
"displayName": "Prevent browser caching",
"name": "prevent_browser_cache",
"value": "true"
},
{
"displayName": "Response body content",
"name": "response_body_content",
"value": "json desc"
},
{
"displayName": "Response content type",
"name": "response_content_type",
"value": "application/xml"
},
{
"displayName": "Response status code",
"name": "response_status_code",
"value": "403"
}
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
customDenyId |
String | 112231 |
A unique identifier for each custom deny action. |
Status 200
application/json
Object type: CustomDeny
Download schema: customDeny.json
Response body:
{
"description": "test description",
"name": "new custom deny",
"id": "deny_custom_622919",
"parameters": [
{
"displayName": "Prevent browser caching",
"name": "prevent_browser_cache",
"value": "true"
},
{
"displayName": "Response body content",
"name": "response_body_content",
"value": "json body"
},
{
"displayName": "Response content type",
"name": "response_content_type",
"value": "application/xml"
},
{
"displayName": "Response status code",
"name": "response_status_code",
"value": "403"
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List custom deny actions, select and
idvalue, and store it as acustomDenyId.Modify the CustomDeny object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ custom-deny/ {customDenyId}
The operation responds with a CustomDeny object.
Remove a custom deny action
Delete a custom deny action. You can’t delete a custom deny action that is actively in use. To delete the custom deny action, first activate an older configuration version or create a new version without the policy in place. Products: All.
DELETE /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
customDenyId |
String | 112231 |
A unique identifier for each custom deny action. |
Status 204
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List custom deny actions, select and
idvalue, and store it as acustomDenyId.Make a DELETE request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ custom-deny/ {customDenyId}
List failover hostnames
Get a list of the failover hostnames in a configuration. Products: All.
GET /appsec/
Status 200
application/json
Object type: SelectedHostnames
Download schema: hostnameList.json
Response body:
{
"mode": "append",
"hostnameList": [
{
"hostname": "*.example.net"
},
{
"hostname": "example.com"
},
{
"hostname": "m.example.com"
}
]
}
Get the IP/Geo Firewall settings
Lists which network lists are used in the IP/Geo Firewall settings. In Control Center this method is called mode. In this API the method is called blocked. The response shows blocked and allowed IPs depending on which network lists you include and which version of the mode you choose. If you want to add or remove IP addresses from the network lists, use the Network Lists API. Note that subnet controls are a legacy item in Control Center and are not available through this API.
Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for each security policy. |
Status 200
application/json
Download schema: ipGeoFirewallGetSuccess.json
Response body:
{
"block": "blockSpecificIPGeo",
"geoControls": {
"blockedIPNetworkLists": {
"networkList": [
"72138_TEST1"
]
}
},
"ipControls": {
"allowedIPNetworkLists": {
"networkList": [
"56921_TEST"
]
},
"blockedIPNetworkLists": {
"networkList": [
"53712_TESTLIST123"
]
}
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ ip-geo-firewall
The operation responds with an IPGeoFirewall object.
Update the IP Geo Firewall settings
Update the method and which network lists to use for IP/Geo firewall blocking. In Control Center this method is called mode. In this API the method is called blocked. Use blockSpecificIPGeo to block any IPs, geographies, or network lists you choose with this setting. Use blockAllTrafficExceptAllowedIPs to allow specific IPs or geographies that you choose to let through while the rest remain blocked. IPs you want to allow are contained in the allowedIPNetworkLists. It’s important to verify the IPs you block are the ones you intend to block as it’s easy to block wanted traffic by accident. Note that subnet controls are a legacy item in Control Center and are not available through this API.
Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: IPGeoFirewall
Download schema: ipGeoFirewallSetRequest.json
Request body:
{
"block": "blockSpecificIPGeo",
"geoControls": {
"blockedIPNetworkLists": {
"networkList": [
"72138_TEST1"
]
}
},
"ipControls": {
"allowedIPNetworkLists": {
"networkList": [
"56921_TEST"
]
},
"blockedIPNetworkLists": {
"networkList": [
"53712_TESTLIST123"
]
}
}
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for each security policy. |
Status 200
application/json
Download schema: ipGeoFirewallSetSuccess.json
Response body:
{
"block": "blockSpecificIPGeo",
"geoControls": {
"blockedIPNetworkLists": {
"networkList": [
"72138_TEST1"
]
}
},
"ipControls": {
"allowedIPNetworkLists": {
"networkList": [
"56921_TEST"
]
},
"blockedIPNetworkLists": {
"networkList": [
"53712_TESTLIST123"
]
}
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Modify the IPGeoFirewall object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ ip-geo-firewall
The operation responds with an IPGeoFirewall object.
Get the bypass network lists settings
Lists which network lists are used in the bypass network lists settings. If you want to add or remove IP addresses from the network lists, use the Network Lists API. Products: Web Application Protector.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Download schema: bypassNetworklists.json
Response body:
{
"networkLists": [
{
"name": "Test network list 1",
"id": "888518_ACDDCKERS"
},
{
"name": "Test network list 2",
"id": "1304427_AAXXBBLIST"
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ bypass-network-lists
The operation responds with a BypassNetworkList object.
Modify the bypass network lists settings
Update which network lists to use in the bypass network lists settings. If you want to add or remove IP addresses from the network lists, use the Network Lists API. Products: Web Application Protector.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: BypassNetworkList
Download schema: bypassNetworklists-put.json
Request body:
{
"networkLists": [
"1304427_AAXXBBLIST",
"888518_ACDDCKERS"
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Object type: BypassNetworkList
Download schema: bypassNetworklists-put.json
Response body:
{
"block": "blockSpecificIPGeo",
"geoControls": {
"blockedIPNetworkLists": {
"networkList": [
"72138_TEST1"
]
}
},
"ipControls": {
"allowedIPNetworkLists": {
"networkList": [
"56921_TEST"
]
},
"blockedIPNetworkLists": {
"networkList": [
"53712_TESTLIST123"
]
}
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Modify the BypassNetworkList object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ bypass-network-lists
The operation responds with a BypassNetworkList object.
List rate policies
Returns rate policies for a specific security configuration version. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Object type: RatePolicy
Download schema: ratePoliciesList.json
Response body:
{
"ratePolicies": [
{
"id": 484616,
"matchType": "path",
"type": "WAF",
"name": "Test_Paths 2",
"description": "AFW Test Extensions",
"averageThreshold": 5,
"burstThreshold": 10,
"clientIdentifier": "ip",
"useXForwardForHeaders": true,
"requestType": "ClientRequest",
"sameActionOnIpv6": false,
"pathMatchType": "Custom",
"pathUriPositiveMatch": true,
"createDate": "2016-07-22 18:57:08.0",
"updateDate": "2017-02-22 00:05:41.0",
"used": false,
"hostnames": [
"www.myexamplehostname.org"
],
"path": {
"positiveMatch": true,
"values": [
"/login/",
"/path/"
]
},
"fileExtensions": {
"positiveMatch": false,
"values": [
"3g2",
"3gp",
"aif",
"aiff",
"au",
"avi",
"bin",
"bmp",
"cab"
]
},
"additionalMatchOptions": [
{
"positiveMatch": true,
"type": "IpAddressCondition",
"values": [
"203.0.113.0"
]
},
{
"positiveMatch": true,
"type": "RequestMethodCondition",
"values": [
"GET"
]
}
],
"queryParameters": [
{
"name": "productId",
"positiveMatch": true,
"valueInRange": false,
"values": [
"BUB_12",
"SUSH_11"
]
}
]
},
{
"id": 484617,
"matchType": "api",
"type": "WAF",
"name": "Test_Paths 2",
"description": "AFW Test Extensions",
"averageThreshold": 5,
"burstThreshold": 10,
"clientIdentifier": "ip",
"useXForwardForHeaders": true,
"requestType": "ClientRequest",
"sameActionOnIpv": false,
"createDate": "2016-07-22 18:57:08.0",
"updateDate": "2017-02-22 00:05:41.0",
"used": false,
"hostnames": [
"www.soasta.com"
],
"fileExtensions": {
"positiveMatch": false,
"values": [
"avi",
"bmp",
"jpg"
]
},
"apiSelectors": [
{
"apiDefinitionId": 602,
"undefinedResources": false,
"definedResources": false,
"resourceIds": [
748
]
}
],
"additionalMatchOptions": [
{
"positiveMatch": false,
"type": "NetworkListCondition",
"values": [
"18198_DSWINTERNALTESTIPADDRES",
"7054_FEOSERVERS"
]
},
{
"positiveMatch": false,
"type": "UserAgentCondition",
"values": [
"soasta",
"MovableInk"
]
}
],
"queryParameters": [
{
"name": "productId",
"positiveMatch": true,
"valueInRange": false,
"values": [
"BUB_12",
"SUSH_11"
]
}
],
"bodyParameters": [
{
"name": "Country",
"positiveMatch": true,
"valueInRange": false,
"values": [
"USA",
"Canada"
]
}
]
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions, select a
versionvalue, and store it as aversionNumberpath parameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ rate-policies
The operation responds with an array of RatePolicy objects.
Create a rate policy
Beta. Create a new rate policy for a specific configuration version. Now you can match on defined or undefined resources. If you’re setting a match for either resource type, both definedResources and undefinedResources must be present in the request object or the request is considered incomplete. When true, match on any defined resources without passing a resourceId. When false, you’ll need to pass a resourceId. If you pass definedResources and undefinedResources with empty values, they default to false. You can omit both resources and use this operation without these new match criteria. Contact your account team if you’d like to match on definedResources or undefinedResources.
Products: All.
POST /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: RatePolicy
Download schema: ratePolicy.json
Request body:
{
"matchType": "path",
"type": "WAF",
"name": "Test_Paths 2",
"description": "AFW Test Extensions",
"averageThreshold": 5,
"burstThreshold": 10,
"clientIdentifier": "ip",
"useXForwardForHeaders": true,
"requestType": "ClientRequest",
"sameActionOnIpv6": false,
"pathMatchType": "Custom",
"pathUriPositiveMatch": true,
"hostnames": [
"www.myexamplehostname.org"
],
"path": {
"positiveMatch": true,
"values": [
"/login/",
"/path/"
]
},
"fileExtensions": {
"positiveMatch": false,
"values": [
"3g2",
"3gp",
"aif",
"aiff",
"au",
"avi",
"bin",
"bmp",
"cab"
]
},
"additionalMatchOptions": [
{
"positiveMatch": true,
"type": "IpAddressCondition",
"values": [
"203.0.113.0"
]
},
{
"positiveMatch": true,
"type": "RequestMethodCondition",
"values": [
"GET"
]
}
],
"queryParameters": [
{
"name": "productId",
"positiveMatch": true,
"valueInRange": false,
"values": [
"BUB_12",
"SUSH_11"
]
}
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 201
application/json
Object type: RatePolicy
Download schema: ratePolicy.json
Response body:
{
"id": 484616,
"matchType": "path",
"type": "WAF",
"name": "Test_Paths 2",
"description": "AFW Test Extensions",
"averageThreshold": 5,
"burstThreshold": 10,
"clientIdentifier": "ip",
"useXForwardForHeaders": true,
"requestType": "ClientRequest",
"sameActionOnIpv6": false,
"pathMatchType": "Custom",
"pathUriPositiveMatch": true,
"createDate": "2016-07-22 18:57:08.0",
"updateDate": "2017-02-22 00:05:41.0",
"used": false,
"hostnames": [
"www.myexamplehostname.org"
],
"path": {
"positiveMatch": true,
"values": [
"/login/",
"/path/"
]
},
"fileExtensions": {
"positiveMatch": false,
"values": [
"3g2",
"3gp",
"aif",
"aiff",
"au",
"avi",
"bin",
"bmp",
"cab"
]
},
"additionalMatchOptions": [
{
"positiveMatch": true,
"type": "IpAddressCondition",
"values": [
"203.0.113.0"
]
},
{
"positiveMatch": true,
"type": "RequestMethodCondition",
"values": [
"GET"
]
}
],
"queryParameters": [
{
"name": "productId",
"positiveMatch": true,
"valueInRange": false,
"values": [
"BUB_12",
"SUSH_11"
]
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions, select a
versionvalue, and store it as aversionNumberpath parameter.Build a new RatePolicy object.
POST the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ rate-policies
The operation responds with a RatePolicy object.
Get a rate policy
Returns the specified rate policy. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
ratePolicyId |
Integer | 112231 |
A unique identifier for each rate policy. |
Status 200
application/json
Object type: RatePolicy
Download schema: ratePolicy.json
Response body:
{
"id": 484616,
"matchType": "path",
"type": "WAF",
"name": "Test_Paths 2",
"description": "AFW Test Extensions",
"averageThreshold": 5,
"burstThreshold": 10,
"clientIdentifier": "ip",
"useXForwardForHeaders": true,
"requestType": "ClientRequest",
"sameActionOnIpv6": false,
"pathMatchType": "Custom",
"pathUriPositiveMatch": true,
"createDate": "2016-07-22 18:57:08.0",
"updateDate": "2017-02-22 00:05:41.0",
"used": false,
"hostnames": [
"www.myexamplehostname.org"
],
"path": {
"positiveMatch": true,
"values": [
"/login/",
"/path/"
]
},
"fileExtensions": {
"positiveMatch": false,
"values": [
"3g2",
"3gp",
"aif",
"aiff",
"au",
"avi",
"bin",
"bmp",
"cab"
]
},
"additionalMatchOptions": [
{
"positiveMatch": true,
"type": "IpAddressCondition",
"values": [
"203.0.113.0"
]
},
{
"positiveMatch": true,
"type": "RequestMethodCondition",
"values": [
"GET"
]
}
],
"queryParameters": [
{
"name": "productId",
"positiveMatch": true,
"valueInRange": false,
"values": [
"BUB_12",
"SUSH_11"
]
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions, select a
versionvalue, and store it as aversionNumberpath parameter.Run List rate policies, select a an
idvalue, and store it as aratePolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ rate-policies/ {ratePolicyId}
The operation responds with a RatePolicy object.
Modify a rate policy
Beta. Update details for a specific rate policy. Now you can match on defined or undefined resources. If you’re setting a match for either resource type, both definedResources and undefinedResources must be present in the request object or the request is considered incomplete. When true, match on any defined resources without passing a resourceId. When false, you’ll need to pass a resourceId. If you pass definedResources and undefinedResources with empty values, they default to false. You can omit both resources and use this operation without these new match criteria. Contact your account team if you’d like to match on definedResources or undefinedResources.
Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: RatePolicy
Download schema: ratePolicy.json
Request body:
{
"id": 2234,
"matchType": "path",
"type": "WAF",
"name": "Test_Paths 2",
"description": "AFW Test Extensions",
"averageThreshold": 5,
"burstThreshold": 10,
"clientIdentifier": "ip",
"useXForwardForHeaders": true,
"requestType": "ClientRequest",
"sameActionOnIpv6": false,
"pathMatchType": "Custom",
"pathUriPositiveMatch": true,
"hostnames": [
"www.myexamplehostname.org"
],
"path": {
"positiveMatch": true,
"values": [
"/login/",
"/path/"
]
},
"fileExtensions": {
"positiveMatch": false,
"values": [
"3g2",
"3gp",
"aif",
"aiff",
"au",
"avi",
"bin",
"bmp",
"cab"
]
},
"additionalMatchOptions": [
{
"positiveMatch": true,
"type": "IpAddressCondition",
"values": [
"203.0.113.0"
]
},
{
"positiveMatch": true,
"type": "RequestMethodCondition",
"values": [
"GET"
]
}
],
"queryParameters": [
{
"name": "productId",
"positiveMatch": true,
"valueInRange": false,
"values": [
"BUB_12",
"SUSH_11"
]
}
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
ratePolicyId |
Integer | 112231 |
A unique identifier for each rate policy. |
Status 200
application/json
Object type: RatePolicy
Download schema: ratePolicy.json
Response body:
{
"id": 484616,
"matchType": "path",
"type": "WAF",
"name": "Test_Paths 2",
"description": "AFW Test Extensions",
"averageThreshold": 5,
"burstThreshold": 10,
"clientIdentifier": "ip",
"useXForwardForHeaders": true,
"requestType": "ClientRequest",
"sameActionOnIpv6": false,
"pathMatchType": "Custom",
"pathUriPositiveMatch": true,
"createDate": "2016-07-22 18:57:08.0",
"updateDate": "2017-02-22 00:05:41.0",
"used": false,
"hostnames": [
"www.myexamplehostname.org"
],
"path": {
"positiveMatch": true,
"values": [
"/login/",
"/path/"
]
},
"fileExtensions": {
"positiveMatch": false,
"values": [
"3g2",
"3gp",
"aif",
"aiff",
"au",
"avi",
"bin",
"bmp",
"cab"
]
},
"additionalMatchOptions": [
{
"positiveMatch": true,
"type": "IpAddressCondition",
"values": [
"203.0.113.0"
]
},
{
"positiveMatch": true,
"type": "RequestMethodCondition",
"values": [
"GET"
]
}
],
"queryParameters": [
{
"name": "productId",
"positiveMatch": true,
"valueInRange": false,
"values": [
"BUB_12",
"SUSH_11"
]
}
]
}
Run List configurations, select an
idvalue and store it as aconfigIdparameter.Run List configuration versions, select a
versionvalue, and store it as aversionNumberpath parameter.Run List rate policies, select a an
idvalue, and store it as aratePolicyIdparameter.Run Get a rate policy.
Modify the RatePolicy response object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ rate-policies/ {ratePolicyId}
The operation responds with a RatePolicy object.
Remove a rate policy
Delete the specified rate policy. You can’t delete a rate policy that is actively in use. To delete the rate policy, first activate an older configuration version or create a new version without the policy in place. Products: All.
DELETE /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
ratePolicyId |
Integer | 112231 |
A unique identifier for each rate policy. |
Status 204
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions, select a
versionvalue, and store it as aversionNumberpath parameter.Run List rate policies, select a an
idvalue, and store it as aratePolicyIdparameter.Make a DELETE request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ rate-policies/ {ratePolicyId}
List rate policy actions
Returns a list of all rate policies currently in use with the actions each policy takes when conditions are met. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 48579 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | WC_3 |
A unique identifier for each security policy. |
Status 200
application/json
Object type: RatePolicyAction
Download schema: ratePolicyActions.json
Response body:
{
"ratePolicies": [
{
"id": 102718,
"ipv4Action": "alert",
"ipv6Action": "none"
},
{
"id": 102719,
"ipv4Action": "deny",
"ipv6Action": "deny"
},
{
"id": 102720,
"ipv4Action": "alert",
"ipv6Action": "deny"
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions, select a
versionvalue, and store it as aversionNumberpath parameter.Run List rate policies, select an
idvalue, and store it as aratePolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ rate-policies
The operation responds with a CustomRuleActions object.
Modify a rate policy action
Updates the actions in a rate policy. Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: RatePolicyAction
Download schema: updateRatePolicyAction.json
Request body:
{
"ipv4Action": "alert",
"ipv6Action": "alert"
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 48579 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | WC_3 |
A unique identifier for each security policy. |
ratePolicyId |
Integer | 661699 |
A unique identifier for each rate policy. |
Status 200
application/json
Object type: RatePolicyAction
Download schema: updateRatePolicyAction.json
Response body:
{
"ipv4Action": "alert",
"ipv6Action": "alert"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions, select a
versionvalue, and store it as aversionNumberpath parameter.Run List security policies, select an
idvalue and save it as apolicyIdparameter.Run List rate policies, select a an
idvalue, and store it as aratePolicyIdparameter.Modify the RatePolicy response object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ rate-policies/ {ratePolicyId}
The operation responds with a RatePolicy object.
Get slow POST protection settings
Get slow POST protection settings for a specific configuration. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 1 |
A unique identifier for each version of a configuration. |
policyId |
String | WC_3 |
A unique identifier for each security policy. |
Status 200
application/json
Object type: SlowPostProtection
Download schema: slowPostProtectionDto.json
Response body:
{
"action": "alert",
"slowRateThreshold": {
"rate": 10,
"period": 50
},
"durationThreshold": {
"timeout": 5
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions, select a
versionvalue, and store it as aversionNumberpath parameter.Run List security policies, select an
idvalue and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ slow-post
The response is a SlowPostProtection object.
Modify slow POST protection settings
Update slow POST protection settings for a specific configuration. Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: SlowPostProtection
Download schema: slowPostProtectionDto.json
Request body:
{
"action": "alert",
"slowRateThreshold": {
"rate": 10,
"period": 50
},
"durationThreshold": {
"timeout": 5
}
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 1 |
A unique identifier for each version of a configuration. |
policyId |
String | WC_3 |
A unique identifier for each security policy. |
Status 200
application/json
Object type: SlowPostProtection
Download schema: slowPostProtectionDto.json
Response body:
{
"action": "alert",
"slowRateThreshold": {
"rate": 10,
"period": 50
},
"durationThreshold": {
"timeout": 5
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions, select a
versionvalue, and store it as aversionNumberpath parameter.Run List security policies, select an
idvalue and save it as apolicyIdparameter.Modify the SlowPostProtection response object.
PUT the object back to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ slow-post
Get the current mode
When using Web Application Firewall in your security policy, this mode conveys how you’re planning to keep the rules up to date, either KRS for manual updates or AAG for automatic updates. This operation returns which mode your rules are currently set to.
Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Object type: Mode
Download schema: securityPolicyGetModeSuccess.json
Response body:
{
"mode": "KRS",
"current": "KRS 1.0 (Apr 20, 2020)",
"eval": "disabled"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ mode
The operation responds with a Mode object.
Modify the mode
The mode you set determines how your rule sets are updated. Use KRS mode to update the rule sets manually, or AAG to have them update automatically.
Products: Kona Site Defender, App & API Protector with the Advanced Security module, Adaptive Security Engine.
If you’re using Adaptive Security Engine, use ASE_AUTO to update the rules automatically, or ASE_MANUAL to update them yourself.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: Mode
Download schema: securityPolicySetModeRequest.json
Request body:
{
"mode": "KRS"
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Object type: Mode
Download schema: securityPolicySetModeSuccess.json
Response body:
{
"mode": "KRS",
"current": "KRS 1.0 (Apr 20, 2020)"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run Get the current mode.
Modify the Mode object. Use
KRSfor manual updates andAAGfor automatic updates.PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ mode
The operation responds with a Mode object.
List attack groups
Return a list of attack groups with their associated actions. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Object type: AttackGroup
Download schema: securityPolicyGetAttackGroupsActionsSuccess.json
Response body:
{
"attackGroupActions": [
{
"action": "deny",
"group": "TOOL"
},
{
"action": "none",
"group": "PROTOCOL"
},
{
"action": "alert",
"group": "SQL"
},
{
"action": "deny",
"group": "XSS"
},
{
"action": "deny",
"group": "LFI"
},
{
"action": "deny",
"group": "RFI"
},
{
"action": "deny",
"group": "CMDI"
},
{
"action": "none",
"group": "PLATFORM"
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ attack-groups
The operation responds with an AttackGroup object.
Get the action for an attack group
Currently the only member in the response object is action, which displays the action for the attack group.
Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
attackGroupId |
String | CMD |
A unique identifier for each attack group. |
Status 200
application/json
Object type: AttackGroup
Download schema: securityPolicyGetAttackGroupActionSuccess.json
Response body:
{
"action": "alert"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List attack groups, select a
groupvalue and save it as theattackGroupIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ attack-groups/ {attackGroupId}
The operation responds with an AttackGroup object.
Modify the action for an attack group
Update what action to take when an attack group’s rule triggers. Use alert to record the trigger of the event, deny to block the request, or none to take no action. Currently the only member in the attack group object is action.
Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: AttackGroup
Download schema: securityPolicySetAttackGroupActionRequest.json
Request body:
{
"action": "alert"
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
attackGroupId |
String | CMD |
A unique identifier for each attack group. |
Status 200
application/json
Download schema: securityPolicySetAttackGroupActionSuccess.json
Response body:
{
"action": "alert"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List attack groups, select a
groupvalue and save it as theattackGroupIdparameter.Run Get an attack group.
Modify the AttackGroup object. Use
alertto record the trigger of the event,denyto block the request, ornoneto take no action.PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ attack-groups/ {attackGroupId}
The operation responds with an AttackGroup object.
Get the exceptions of an attack group
List an attack group’s exceptions. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
attackGroupId |
String | CMD |
A unique identifier for each attack group. |
Status 200
application/json
Object type: Exception
Download schema: securityPolicyGetConditionExceptionSuccess.json
Response body:
{
"advancedExceptions": {
"specificHeaderCookieParamXmlOrJsonNames": [
{
"selector": "REQUEST_HEADERS_NAMES",
"wildcard": true,
"criteria": [
{
"hostnames": [
"www.host.com"
],
"paths": [
"/*"
]
}
]
},
{
"selector": "REQUEST_HEADERS",
"wildcard": false,
"names": [
"header2"
],
"criteria": [
{
"hostnames": [
"ALL"
],
"names": [
"header1"
],
"paths": [
"/orders"
]
}
]
},
{
"selector": "ARGS_NAMES",
"wildcard": true,
"criteria": [
{
"hostnames": [
"ALL"
],
"paths": [
"/*"
]
}
]
},
{
"selector": "ARGS",
"wildcard": true,
"names": [
"param-name"
]
},
{
"selector": "JSON_NAMES",
"wildcard": true
},
{
"selector": "JSON_PAIRS",
"wildcard": true,
"names": [
"json1"
]
},
{
"selector": "REQUEST_COOKIES_NAMES",
"wildcard": true
},
{
"selector": "REQUEST_COOKIES",
"wildcard": true,
"names": [
"cookie1",
"cookie2"
]
},
{
"selector": "REQUEST_BODY",
"wildcard": true
},
{
"selector": "REQBODY_PROCESSOR_ERROR",
"wildcard": true
},
{
"selector": "FILES_NAMES",
"wildcard": true
},
{
"selector": "REQUEST_PROTOCOL",
"wildcard": true
},
{
"selector": "REQUEST_METHOD",
"wildcard": true
},
{
"selector": "REQUEST_URI",
"wildcard": true
},
{
"selector": "QUERY_STRING",
"wildcard": true
},
{
"selector": "REQUEST_FILENAME",
"wildcard": true
},
{
"selector": "REQUEST_PATH_SEGMENT",
"wildcard": true
}
],
"headerCookieOrParamValues": [
{
"values": [
"header1",
"cookie1",
"param1"
]
}
],
"specificHeaderCookieOrParamNameValue": [
{
"selector": "REQUEST_HEADERS",
"wildcard": true,
"namesValues": [
{
"names": [
"header1"
],
"values": [
"value1"
]
}
]
},
{
"selector": "ARGS",
"wildcard": true,
"namesValues": [
{
"names": [
"param-name"
],
"values": [
"param-value"
]
}
]
},
{
"selector": "JSON_PAIRS",
"wildcard": true,
"namesValues": [
{
"names": [
"json-param1"
],
"values": [
"json-value1"
]
}
]
},
{
"selector": "REQUEST_COOKIES",
"wildcard": true,
"namesValues": [
{
"names": [
"cookie-name"
],
"values": [
"cookie1"
]
}
]
}
],
"conditions": [
{
"type": "filenameMatch",
"positiveMatch": true,
"filenames": [
"*.aspx",
"*.js"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"paths": [
"/catalog"
]
}
]
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List attack groups, select a
groupvalue and save it as theattackGroupIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ attack-groups/ {attackGroupId}/ condition-exception
The operation responds with an Exception object.
Modify the exceptions of an attack group
Update an attack group exceptions. Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: Exception
Download schema: securityPolicySetConditionExceptionRequest.json
Request body:
{
"exception": {
"specificHeaderCookieParamXmlOrJsonNames": [
{
"selector": "REQUEST_HEADERS_NAMES",
"wildcard": true
},
{
"selector": "REQUEST_HEADERS",
"wildcard": false,
"names": [
"header2",
"header1"
]
},
{
"selector": "REQUEST_COOKIES_NAMES",
"wildcard": true
},
{
"selector": "REQUEST_COOKIES",
"wildcard": true,
"names": [
"cookie1",
"cookie2"
]
},
{
"selector": "ARGS_NAMES",
"wildcard": true
},
{
"selector": "ARGS",
"wildcard": true,
"names": [
"param-name"
]
},
{
"selector": "JSON_NAMES",
"wildcard": true
},
{
"selector": "JSON_PAIRS",
"wildcard": true,
"names": [
"json1"
]
},
{
"selector": "REQUEST_PROTOCOL",
"wildcard": true
},
{
"selector": "REQUEST_METHOD",
"wildcard": true
},
{
"selector": "REQUEST_URI",
"wildcard": true
},
{
"selector": "QUERY_STRING",
"wildcard": true
},
{
"selector": "REQUEST_FILENAME",
"wildcard": true
},
{
"selector": "REQUEST_PATH_SEGMENT",
"wildcard": true
},
{
"selector": "REQUEST_BODY",
"wildcard": true
},
{
"selector": "REQBODY_PROCESSOR_ERROR",
"wildcard": true
},
{
"selector": "FILES_NAMES",
"wildcard": true
}
]
}
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
attackGroupId |
String | CMD |
A unique identifier for each attack group. |
Status 200
application/json
Object type: Exception
Download schema: securityPolicySetConditionExceptionSuccess.json
Response body:
{
"exception": {
"specificHeaderCookieParamXmlOrJsonNames": [
{
"selector": "REQUEST_HEADERS_NAMES",
"wildcard": true
},
{
"selector": "REQUEST_HEADERS",
"wildcard": false,
"names": [
"header2",
"header1"
]
},
{
"selector": "REQUEST_COOKIES_NAMES",
"wildcard": true
},
{
"selector": "REQUEST_COOKIES",
"wildcard": true,
"names": [
"cookie1",
"cookie2"
]
},
{
"selector": "ARGS_NAMES",
"wildcard": true
},
{
"selector": "ARGS",
"wildcard": true,
"names": [
"param-name"
]
},
{
"selector": "JSON_NAMES",
"wildcard": true
},
{
"selector": "JSON_PAIRS",
"wildcard": true,
"names": [
"json1"
]
},
{
"selector": "REQUEST_PROTOCOL",
"wildcard": true
},
{
"selector": "REQUEST_METHOD",
"wildcard": true
},
{
"selector": "REQUEST_URI",
"wildcard": true
},
{
"selector": "QUERY_STRING",
"wildcard": true
},
{
"selector": "REQUEST_FILENAME",
"wildcard": true
},
{
"selector": "REQUEST_PATH_SEGMENT",
"wildcard": true
},
{
"selector": "REQUEST_BODY",
"wildcard": true
},
{
"selector": "REQBODY_PROCESSOR_ERROR",
"wildcard": true
},
{
"selector": "FILES_NAMES",
"wildcard": true
}
]
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List attack groups, select a
groupvalue and save it as theattackGroupIdparameter.Modify the Exception object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ attack-groups/ {attackGroupId}/ condition-exception
The operation responds with an Exception object.
List rules
Returns the action taken for each rule in a policy. The action occurs when the rules are triggered by a request. These are not the same rules as Custom Rules that you configure yourself. These rules are maintained by Akamai. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Object type: Action
Download schema: securityPolicyGetRuleActionsSuccess.json
Response body:
{
"ruleActions": [
{
"action": "alert",
"id": 699989
},
{
"action": "alert",
"id": 699990
},
{
"action": "alert",
"id": 699991
},
{
"action": "alert",
"id": 699992
},
{
"action": "alert",
"id": 699993
},
{
"action": "alert",
"id": 699994
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ rules
The operation responds with an Action array.
Upgrade KRS ruleset
Upgrade to the most recent version of the KRS rule set. Akamai periodically updates these rules to keep protections current. However, the rules you use in your security policies do not automatically upgrade to the latest version when setting mode to KRS. These rules do update automatically when you have mode set to AAG. Before you upgrade, run Get upgrade details to see which rules have changed. If you want to test how these rules would operate with live traffic before committing to the upgrade, run them in evaluation mode. This applies to KRS rules only and does not allow you to make any changes to the rules themselves. The response is the same as the mode response.
Products: Kona Site Defender, App & API Protector with the Advanced Security module, Adaptive Security Engine.
If you’re already using or want to switch from KRS to Adaptive Security Engine (ASE), pass "upgrade": true, and "mode": "ASE_AUTO" or ASE_MANUAL in your request. If you’re using Kona Rule Sets, continue to pass only the upgrade value.
Note that this operation does not grant access to Adaptive Security Engine. It updates the ASE protections if you already have ASE on your contract. Once you switch to ASE protections, you can’t go back to KRS rules. Contact your account team if you want to add ASE to your contract.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Request body:
{
"upgrade": true
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Object type: Mode
Download schema: securityPolicyGetModeSuccess.json
Response body:
{
"mode": "KRS",
"current": "KRS 1.0 (Apr 20, 2020)",
"eval": "disabled"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Build the request object. The request object is
"upgrade" : true.PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ rules The operation responds with an Upgrade object.
Get the action for a rule
Return the action a rule takes when triggered. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
ruleId |
Integer | 699989 |
A unique identifier for rule. |
Status 200
application/json
Download schema: securityPolicyGetRuleActionSuccess.json
Response body:
{
"action": "alert"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List rules, select an
idvalue, and save it as aruleId.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ rules/ {ruleId}
The operation responds with an Action object.
Modify the action for a rule
Update what action a rule takes when it’s triggered. Use alert to record the trigger of the event, deny to block the request, or none to take no action.
Products: Kona Site Defender, App & API Protector with the Advanced Security module.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Download schema: securityPolicySetRuleActionRequest.json
Request body:
{
"action": "alert"
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
ruleId |
Integer | 699989 |
A unique identifier for rule. |
Status 200
application/json
Download schema: securityPolicySetRuleActionSuccess.json
Response body:
{
"action": "alert"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List rules, select an
idvalue, and save it as aruleId.Run Get a rule’s action.
Modify the Action object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ rules/ {ruleId}
The operation responds with a Action object.
Get the conditions and exceptions of a rule
List a KRS rule’s conditions and exceptions. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
ruleId |
Integer | 699989 |
A unique identifier for rule. |
Status 200
application/json
Object type: Exception
Download schema: securityPolicyGetConditionExceptionSuccess.json
Response body:
{
"exception": {
"headerCookieOrParamValues": [
"test"
],
"specificHeaderCookieOrParamNameValue": {
"name": "test",
"selector": "REQUEST_HEADERS",
"value": "test"
},
"specificHeaderCookieOrParamPrefix": {
"prefix": "test",
"selector": "REQUEST_HEADERS"
},
"specificHeaderCookieOrParamNames": [
{
"selector": "REQUEST_HEADERS",
"names": [
"test"
]
},
{
"selector": "REQUEST_COOKIES",
"names": [
"test"
]
},
{
"selector": "ARGS",
"names": [
"test"
]
},
{
"selector": "JSON_PAIRS",
"names": [
"test"
]
},
{
"selector": "XML_PAIRS",
"names": [
"test"
]
}
]
},
"conditions": [
{
"type": "extensionMatch",
"positiveMatch": true,
"extensions": [
"test"
]
},
{
"type": "filenameMatch",
"positiveMatch": true,
"filenames": [
"test2"
]
},
{
"type": "hostMatch",
"positiveMatch": true,
"hosts": [
"www.test.com"
]
},
{
"type": "ipMatch",
"positiveMatch": true,
"useHeaders": true,
"ips": [
"192.0.2.34"
]
},
{
"type": "uriQueryMatch",
"caseSensitive": true,
"name": "test3",
"nameCase": false,
"positiveMatch": true,
"value": "test4",
"wildcard": true
},
{
"type": "requestHeaderMatch",
"header": "referer",
"positiveMatch": true,
"value": "test5",
"valueCase": false,
"valueWildcard": false
},
{
"type": "requestMethodMatch",
"positiveMatch": true,
"methods": [
"GET"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"paths": [
"/test6"
]
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List rules, select an
idvalue, and save it as aruleId.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ rules/ {ruleId}/ condition-exception
The operation responds with an Exception object.
Modify the conditions and exceptions of a rule
Update a rule’s conditions and exceptions. When the conditions are met, the rule’s actions are ignored and not applied to that specific traffic. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: Exception
Download schema: securityPolicySetConditionExceptionRequest.json
Request body:
{
"exception": {
"headerCookieOrParamValues": [
"test"
],
"specificHeaderCookieOrParamNameValue": {
"name": "test",
"selector": "REQUEST_HEADERS",
"value": "test"
},
"specificHeaderCookieOrParamPrefix": {
"prefix": "test",
"selector": "REQUEST_HEADERS"
},
"specificHeaderCookieOrParamNames": [
{
"selector": "REQUEST_HEADERS",
"names": [
"test"
]
},
{
"selector": "REQUEST_COOKIES",
"names": [
"test"
]
},
{
"selector": "ARGS",
"names": [
"test"
]
},
{
"selector": "JSON_PAIRS",
"names": [
"test"
]
},
{
"selector": "XML_PAIRS",
"names": [
"test"
]
}
]
},
"conditions": [
{
"type": "extensionMatch",
"positiveMatch": true,
"extensions": [
"test"
]
},
{
"type": "filenameMatch",
"positiveMatch": true,
"filenames": [
"test2"
]
},
{
"type": "hostMatch",
"positiveMatch": true,
"hosts": [
"www.test.com"
]
},
{
"type": "ipMatch",
"positiveMatch": true,
"useHeaders": true,
"ips": [
"192.0.2.34"
]
},
{
"type": "uriQueryMatch",
"caseSensitive": true,
"name": "test3",
"nameCase": false,
"positiveMatch": true,
"value": "test4",
"wildcard": true
},
{
"type": "requestHeaderMatch",
"header": "referer",
"positiveMatch": true,
"value": "test5",
"valueCase": false,
"valueWildcard": false
},
{
"type": "requestMethodMatch",
"positiveMatch": true,
"methods": [
"GET"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"paths": [
"/test6"
]
}
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
ruleId |
Integer | 699989 |
A unique identifier for rule. |
Status 200
application/json
Object type: Exception
Download schema: securityPolicySetConditionExceptionSuccess.json
Response body:
{
"exception": {
"headerCookieOrParamValues": [
"test"
],
"specificHeaderCookieOrParamNameValue": {
"name": "test",
"selector": "REQUEST_HEADERS",
"value": "test"
},
"specificHeaderCookieOrParamPrefix": {
"prefix": "test",
"selector": "REQUEST_HEADERS"
},
"specificHeaderCookieOrParamNames": [
{
"selector": "REQUEST_HEADERS",
"names": [
"test"
]
},
{
"selector": "REQUEST_COOKIES",
"names": [
"test"
]
},
{
"selector": "ARGS",
"names": [
"test"
]
},
{
"selector": "JSON_PAIRS",
"names": [
"test"
]
},
{
"selector": "XML_PAIRS",
"names": [
"test"
]
}
]
},
"conditions": [
{
"type": "extensionMatch",
"positiveMatch": true,
"extensions": [
"test"
]
},
{
"type": "filenameMatch",
"positiveMatch": true,
"filenames": [
"test2"
]
},
{
"type": "hostMatch",
"positiveMatch": true,
"hosts": [
"www.test.com"
]
},
{
"type": "ipMatch",
"positiveMatch": true,
"useHeaders": true,
"ips": [
"192.0.2.34"
]
},
{
"type": "uriQueryMatch",
"caseSensitive": true,
"name": "test3",
"nameCase": false,
"positiveMatch": true,
"value": "test4",
"wildcard": true
},
{
"type": "requestHeaderMatch",
"header": "referer",
"positiveMatch": true,
"value": "test5",
"valueCase": false,
"valueWildcard": false
},
{
"type": "requestMethodMatch",
"positiveMatch": true,
"methods": [
"GET"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"paths": [
"/test6"
]
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List rules, select an
idvalue, and save it as aruleIdparameter.Modify the Exception object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ rules/ {ruleId}/ condition-exception
The operation responds with an Exception object.
Get upgrade details
Only applies to Kona rule sets. The KRS rule sets are maintained by Akamai’s security research team. Run this operation before you upgrade to verify changes in the rule sets. If you want to test how the updates affect your site, you can run the updated rules in evaluation mode. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Object type: Upgrade
Download schema: rulesGetUpgrade.json
Response body:
{
"current": "KRS 1.0 (Apr 20, 2020)",
"evaluating": "KRS 1.0 (Mar 15, 2020)",
"latest": "KRS 1.0 (June 15, 2020)",
"KRSToEvalUpdates": {
"updatedRules": [
{
"id": 3000080,
"title": "Cross-site Scripting (XSS) Attack"
},
{
"id": 3000081,
"title": "PHP Injection Attack (Opening Tag)"
}
],
"newRules": [
{
"id": 3000082,
"title": "Cross-site Scripting (XSS) Attack: Attribute Injection"
},
{
"id": 3000083,
"title": "IE XSS Filters - Attack Detected"
}
]
},
"EvalToEvalUpdates": {
"newRules": [
{
"id": 3000090,
"title": "Cross-site Scripting (XSS) Attack: Attribute Injection"
}
]
},
"KRSToLatestUpdates": {
"deletedRules": [
{
"id": 3000048,
"title": "MSSQL Code Execution and Information Gathering Attempts"
}
],
"newRules": [
{
"id": 3000090,
"title": "Remote File Inclusion Attack"
},
{
"id": 3000091,
"title": "IE XSS Filters"
}
]
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ rules/ upgrade-details
The operation responds with an Upgrade object.
Get adaptive intelligence setting
Beta. Returns whether adaptive intelligence is enabled. Adaptive intelligence allows our network to better tune rules for better accuracy. Contact your account team if you’d like to run this operation. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Object type: ThreatIntel
Download schema: threatIntel.json
Response body:
{
"threatIntel": "on"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ rules/ threat-intel
The operation responds with a ThreatIntel object.
Update adaptive intelligence setting
Beta. Only applies to Adaptive Security Engine (ASE) manual rule sets. Enable or disable adaptive intelligence. Contact your account team if you’d like to run this operation. Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: ThreatIntel
Download schema: threatIntel.json
Request body:
{
"threatIntel": "on"
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Object type: ThreatIntel
Download schema: threatIntel.json
Response body:
{
"threatIntel": "on"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Modify the ThreatIntel object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ rules/ threat-intel
The operation responds with a ThreatIntel object.
Set evaluation mode
Evaluation mode runs concurrently with your existing Web Application Firewall Rule settings and records how the rules would respond if they were applied to live traffic. The default action for evaluation rules is alert.
Unlike other POST or PUT actions, this request object supports values other than enabled or disabled. Use START to begin evaluation mode. An evaluation period lasts four weeks unless you stop the evaluation. Once you begin, the rules you evaluate will respond to traffic as if they are your current rules. However, instead of taking an action the evaluation rules will log which action they would have taken if they were your active rules and not a test of future rules. Use STOP to end the evaluation before it completes on its own, and not upgrade your rules. Use RESTART to start an evaluation you previously stopped, or one that has expired. Use COMPLETE to stop your in-progress evaluation and automatically upgrade your existing KRS rules to the rule set you just evaluated. Use UPDATE to upgrade to the newest available version of evaluation rules. A request value of START, RESTART, or COMPLETE returns an eval value of enabled. A request value of STOP or UPDATE returns an eval value of disabled.
Products: Kona Site Defender, App & API Protector with the Advanced Security module.
If you’re using Adaptive Security Engine, pass eval as usual, and add "mode": "ASE_AUTO" or ASE_MANUAL in your request. If you’re using Kona Rule Sets, continue to pass only the eval value.",
POST /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: EvalMode
Download schema: evalMode.json
Request body:
{
"eval": "START"
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a policy. |
Status 201
application/json
Object type: EvalMode
Download schema: evalMode.json
Response body:
{
"mode": "KRS",
"current": "KRS 1.0 (Apr 20, 2020)",
"eval": "enabled",
"evaluating": "KRS 1.0 (June 25, 2020)",
"expires": "2020-08-08T00:00:00Z"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Build a new EvalRule object.
POST the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ eval
The operation responds with an EvalRule object.
List evaluation rules
Return the rules available for evaluation and their actions. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a policy. |
Status 200
application/json
Object type: EvalRule
Download schema: securityPolicyGetEvalRuleActionsSuccess.json
Response body:
{
"evalRuleActions": [
{
"action": "alert",
"id": 699989
},
{
"action": "alert",
"id": 699990
},
{
"action": "alert",
"id": 699991
},
{
"action": "alert",
"id": 699992
},
{
"action": "alert",
"id": 699993
},
{
"action": "alert",
"id": 699994
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ eval-rules
The operation responds with an EvalRule object.
Get the action of an evaluation rule
Return the action for a specific rule you want to evaluate. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a policy. |
ruleId |
Integer | 699989 |
A unique identifier for each rule. |
Status 200
application/json
Download schema: securityPolicyGetEvalRuleActionSuccess.json
Response body:
{
"action": "alert"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List evaluation rules, select an
idvalue, and save it as aruleId.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ eval-rules/ {ruleId}
The operation responds with an EvalRule object.
Modify the action of an evaluation rule
Update the action for a specific rule you want to evaluate. Like your current rules, actions are alert to record the trigger of the event, deny to block the request, or none to take no action.
Products: Kona Site Defender, App & API Protector with the Advanced Security module.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: EvalRule
Download schema: securityPolicySetEvalRuleActionRequest.json
Request body:
{
"action": "alert"
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a policy. |
ruleId |
Integer | 699989 |
A unique identifier for each rule. |
Status 200
application/json
Download schema: securityPolicySetEvalRuleActionSuccess.json
Response body:
{
"action": "alert"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List evaluation rules, select an
idvalue, and save it as aruleId.Modify the EvalRule object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ eval-rules/ {ruleId}
The operation responds with an EvalRule object.
Get the conditions and exceptions for an evaluation rule
List the conditions and exceptions for a rule you want to evaluate. This operation returns the same object type as other condition and exception operations. Keep in mind that the response for this operation applies to the rules you’re evaluating even though the concept of conditions and exceptions is the same for all condition exception endpoints. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a policy. |
ruleId |
Integer | 699989 |
A unique identifier for each rule. |
Status 200
application/json
Download schema: securityPolicyGetEvalConditionExceptionSuccess.json
Response body:
{
"exception": {
"headerCookieOrParamValues": [
"test"
],
"specificHeaderCookieOrParamNameValue": {
"name": "test",
"selector": "REQUEST_HEADERS",
"value": "test"
},
"specificHeaderCookieOrParamPrefix": {
"prefix": "test",
"selector": "REQUEST_HEADERS"
},
"specificHeaderCookieOrParamNames": [
{
"selector": "REQUEST_HEADERS",
"names": [
"test"
]
},
{
"selector": "REQUEST_COOKIES",
"names": [
"test"
]
},
{
"selector": "ARGS",
"names": [
"test"
]
},
{
"selector": "JSON_PAIRS",
"names": [
"test"
]
},
{
"selector": "XML_PAIRS",
"names": [
"test"
]
}
]
},
"conditions": [
{
"type": "extensionMatch",
"positiveMatch": true,
"extensions": [
"test"
]
},
{
"type": "filenameMatch",
"positiveMatch": true,
"filenames": [
"test2"
]
},
{
"type": "hostMatch",
"positiveMatch": true,
"hosts": [
"www.test.com"
]
},
{
"type": "ipMatch",
"positiveMatch": true,
"useHeaders": true,
"ips": [
"192.0.2.34"
]
},
{
"type": "uriQueryMatch",
"caseSensitive": true,
"name": "test3",
"nameCase": false,
"positiveMatch": true,
"value": "test4",
"wildcard": true
},
{
"type": "requestHeaderMatch",
"header": "referer",
"positiveMatch": true,
"value": "test5",
"valueCase": false,
"valueWildcard": false
},
{
"type": "requestMethodMatch",
"positiveMatch": true,
"methods": [
"GET"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"paths": [
"/test6"
]
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List evaluation rules, select an
idvalue, and save it as aruleId.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ rules/ {ruleId}/ condition-exception
The operation responds with an Exception object.
Modify the conditions and exceptions for an evaluation rule
Update an evaluation rule’s conditions and exceptions. When the conditions are met, the rule’s actions are ignored and not applied to that specific traffic. The rule action you update with this operation is for a rule you are evaluating and not a rule currently in use for your site or app. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Download schema: securityPolicySetEvalConditionExceptionRequest.json
Request body:
{
"exception": {
"headerCookieOrParamValues": [
"test"
],
"specificHeaderCookieOrParamNameValue": {
"name": "test",
"selector": "REQUEST_HEADERS",
"value": "test"
},
"specificHeaderCookieOrParamPrefix": {
"prefix": "test",
"selector": "REQUEST_HEADERS"
},
"specificHeaderCookieOrParamNames": [
{
"selector": "REQUEST_HEADERS",
"names": [
"test"
]
},
{
"selector": "REQUEST_COOKIES",
"names": [
"test"
]
},
{
"selector": "ARGS",
"names": [
"test"
]
},
{
"selector": "JSON_PAIRS",
"names": [
"test"
]
},
{
"selector": "XML_PAIRS",
"names": [
"test"
]
}
]
},
"conditions": [
{
"type": "extensionMatch",
"positiveMatch": true,
"extensions": [
"test"
]
},
{
"type": "filenameMatch",
"positiveMatch": true,
"filenames": [
"test2"
]
},
{
"type": "hostMatch",
"positiveMatch": true,
"hosts": [
"www.test.com"
]
},
{
"type": "ipMatch",
"positiveMatch": true,
"useHeaders": true,
"ips": [
"192.0.2.34"
]
},
{
"type": "uriQueryMatch",
"caseSensitive": true,
"name": "test3",
"nameCase": false,
"positiveMatch": true,
"value": "test4",
"wildcard": true
},
{
"type": "requestHeaderMatch",
"header": "referer",
"positiveMatch": true,
"value": "test5",
"valueCase": false,
"valueWildcard": false
},
{
"type": "requestMethodMatch",
"positiveMatch": true,
"methods": [
"GET"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"paths": [
"/test6"
]
}
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a policy. |
ruleId |
Integer | 699989 |
A unique identifier for each rule. |
Status 200
application/json
Download schema: securityPolicySetEvalConditionExceptionSuccess.json
Response body:
{
"exception": {
"headerCookieOrParamValues": [
"test"
],
"specificHeaderCookieOrParamNameValue": {
"name": "test",
"selector": "REQUEST_HEADERS",
"value": "test"
},
"specificHeaderCookieOrParamPrefix": {
"prefix": "test",
"selector": "REQUEST_HEADERS"
},
"specificHeaderCookieOrParamNames": [
{
"selector": "REQUEST_HEADERS",
"names": [
"test"
]
},
{
"selector": "REQUEST_COOKIES",
"names": [
"test"
]
},
{
"selector": "ARGS",
"names": [
"test"
]
},
{
"selector": "JSON_PAIRS",
"names": [
"test"
]
},
{
"selector": "XML_PAIRS",
"names": [
"test"
]
}
]
},
"conditions": [
{
"type": "extensionMatch",
"positiveMatch": true,
"extensions": [
"test"
]
},
{
"type": "filenameMatch",
"positiveMatch": true,
"filenames": [
"test2"
]
},
{
"type": "hostMatch",
"positiveMatch": true,
"hosts": [
"www.test.com"
]
},
{
"type": "ipMatch",
"positiveMatch": true,
"useHeaders": true,
"ips": [
"192.0.2.34"
]
},
{
"type": "uriQueryMatch",
"caseSensitive": true,
"name": "test3",
"nameCase": false,
"positiveMatch": true,
"value": "test4",
"wildcard": true
},
{
"type": "requestHeaderMatch",
"header": "referer",
"positiveMatch": true,
"value": "test5",
"valueCase": false,
"valueWildcard": false
},
{
"type": "requestMethodMatch",
"positiveMatch": true,
"methods": [
"GET"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"paths": [
"/test6"
]
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List evaluation rules, select an
idvalue, and save it as aruleId.Modify the Exception object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ rules/ {ruleId}/ condition-exception
The operation responds with an Exception object.
Get tuning recommendations for a policy
Lists available tuning recommendations for a policy. Our system can identify patterns of false positives, and suggests exceptions for you to include in your policy. Products: Adaptive Security Engine.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 8225 |
A unique identifier for each configuration. |
versionNumber |
Integer | 2 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Object type: Recommendation
Download schema: recommendations.json
Response body:
{
"evaluationPeriodStart": "2021-04-08T03:10:43Z",
"evaluationPeriodEnd": "2021-05-08T03:10:43Z",
"ruleRecommendations": [
{
"id": 100001,
"recommendations": [
{
"description": "Description for SQL",
"evidences": {
"hostnames": [
"www.yamanohi.jp"
]
},
"exceptions": [
{
"selectorId": 84220,
"selector": {
"type": "AAG_SPECIFIC",
"names": [
"JSON_PAIR_001"
],
"selector": "JSON_PAIRS",
"wildcard": true
}
}
]
}
],
"declinedRecommendations": [
{
"description": "100001 recommendation",
"exceptions": [
{
"selectorId": 19557,
"selector": {
"type": "AAG_SPECIFIC",
"names": [
"XML-PAIR-02-TEST"
],
"selector": "XML_PAIRS",
"wildcard": true
}
}
]
}
]
}
],
"attackGroupRecommendations": [
{
"group": "CMD",
"recommendations": [
{
"description": "This selector triggered on 3458 unique IPs over a period of 7 hours.",
"exceptions": [
{
"selectorId": 77,
"selector": {
"type": "AAG_SPECIFIC",
"selector": "REQUEST_HEADERS",
"names": [
"WWW-Exc_Header",
"WWW-Auth"
],
"wildcard": false,
"numberOfExceptions": 2,
"enhanced": false
}
}
]
}
]
},
{
"group": "SQL",
"recommendations": [
{
"description": "Recommendation for SQL",
"exceptions": [
{
"selectorId": 76,
"selector": {
"type": "AAG_SPECIFIC",
"selector": "ARGS_NAMES",
"names": null,
"wildcard": true,
"numberOfExceptions": 1,
"enhanced": false
}
}
]
}
]
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ recommendations
The operation responds with a Recommendation object.
Respond to tuning recommendations
Accept, decline, or reset the recommended exception. Accepting a tuning recommendation creates or updates the exception for the attack group. Use reset to restore a declined recommendation to a neutral state so you can accept it or decline it again later.
Products: Adaptive Security Engine.
POST /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: RecommendationAction
Download schema: selector.json
Request body:
{
"action": "ACCEPT",
"selectorId": 84220
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 8225 |
A unique identifier for each configuration. |
versionNumber |
Integer | 2 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 201
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Build a new RecommendationAction object.
POST the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ recommendations
List tuning recommendations for a rule
Returns available tuning recommendations for a rule. Our system can identify patterns of false positives, and suggests exceptions for you to include in your rule. In cases where your rules are already optimum, the response payload returns empty. Products: Adaptive Security Engine.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 8225 |
A unique identifier for each configuration. |
versionNumber |
Integer | 2 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
ruleId |
Integer | 1000001 |
A unique identifier for rule. |
Status 200
application/json
Response body:
{
"id": 100001,
"ruleRecommendations": [
{
"description": "Description for SQL",
"exceptions": [
{
"selectorId": 84220,
"selector": {
"type": "AAG_SPECIFIC",
"names": [
"JSON_PAIR_001"
],
"selector": "JSON_PAIRS",
"wildcard": true
}
}
]
}
],
"declinedRecommendations": [
{
"description": "100001 recommendation",
"exceptions": [
{
"selectorId": 19557,
"selector": {
"type": "AAG_SPECIFIC",
"names": [
"XML-PAIR-02-TEST"
],
"selector": "XML_PAIRS",
"wildcard": true
}
}
]
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List rules, select an
idvalue, and save it as aruleId.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ recommendations/ rules/ {ruleId}
The operation responds with a Recommendation object.
List tuning recommedations for an attack group
Returns available tuning recommendations for an attack group. Our system can identify patterns of false positives, and suggests exceptions for you to include in your attack group. Products: Adaptive Security Engine.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 8225 |
A unique identifier for each configuration. |
versionNumber |
Integer | 2 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
attackGroupId |
String | SQL |
A unique identifier an attack group |
Status 200
application/json
Download schema: groupRecommendations.json
Response body:
{
"group": "CMD",
"recommendations": [
{
"description": "This selector triggered on 3458 unique IPs over a period of 7 hours.",
"exceptions": [
{
"selectorId": 77,
"selector": {
"type": "AAG_SPECIFIC",
"selector": "REQUEST_HEADERS",
"names": [
"WWW-Exc_Header",
"WWW-Auth"
],
"wildcard": false,
"numberOfExceptions": 2,
"enhanced": false
}
}
]
}
],
"declinedRecommendations": [
{
"description": "CMD recommendation",
"exceptions": [
{
"selectorId": 19557,
"selector": {
"type": "AAG_SPECIFIC",
"names": [
"XML-PAIR-02-TEST"
],
"selector": "XML_PAIRS",
"wildcard": true
}
}
]
}
]
}
Get the penalty box
Returns the penalty box settings for the security policy you specify. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 1 |
A unique identifier for each version of a configuration. |
policyId |
String | WC_3 |
A unique identifier for each security policy. |
Status 200
application/json
Object type: PenaltyBox
Download schema: penaltyBoxDto.json
Response body:
{
"action": "alert",
"penaltyBoxProtection": true
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ penalty-box
The operation responds with a PenaltyBox object.
Modify the penalty box
Update the penalty box settings for your security policy. If set to on, you can choose to deny requests coming from a client in the penalty box, or trigger an alert instead.
Products: All.
PUT /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 1 |
A unique identifier for each version of a configuration. |
policyId |
String | WC_3 |
A unique identifier for each security policy. |
Status 200
application/json
Object type: PenaltyBox
Download schema: penaltyBoxDto.json
Response body:
{
"action": "alert",
"penaltyBoxProtection": true
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run Get penalty box.
Modify the PenaltyBox object.
Make a PUT request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ penalty-box
The operation responds with a PenaltyBox object.
List custom rules
Lists custom rules defined in a security configuration.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 48579 |
A unique identifier for each configuration. |
Status 200
application/json
Object type: CustomRule
Download schema: customRules-schema.json
Response body:
{
"customRules": [
{
"link": "/appsec/v1/configs/99999/customRules/111111",
"name": "Example 1",
"status": "activated",
"id": 111111,
"version": 1
},
{
"link": "/appsec/v1/configs/99999/customRules/111112",
"name": "Example 2",
"status": "published",
"id": 111112,
"version": 1
},
{
"link": "/appsec/v1/configs/99999/customRules/111113",
"name": "Example 3",
"status": "unused",
"id": 111113,
"version": 2
}
]
}
Run List configurations and select a
configId.Make a GET request to
/appsec/.v1/ configs/ {configId}/ custom-rules
The response is a CustomRule object.
Create a custom rule
Creates a new custom rule. Products: All.
POST /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: CustomRule
Download schema: customRule-schema.json
Request body:
{
"name": "Fat Rule",
"description": "Can I create all conditions?",
"tag": [
"test"
],
"conditions": [
{
"type": "requestMethodMatch",
"positiveMatch": true,
"value": [
"GET",
"CONNECT",
"TRACE",
"PUT",
"POST",
"OPTIONS",
"DELETE",
"HEAD"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"value": [
"/H",
"/Li",
"/He"
]
},
{
"type": "extensionMatch",
"positiveMatch": true,
"valueWildcard": true,
"valueCase": true,
"value": [
"Li",
"He",
"H"
]
},
{
"type": "filenameMatch",
"positiveMatch": true,
"valueWildcard": false,
"valueCase": false,
"value": [
"He",
"H",
"Li"
]
},
{
"type": "requestProtocolVersionMatch",
"positiveMatch": true,
"value": "HTTP/0.9"
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true,
"name": [
"H",
"He"
],
"value": [
"Li",
"He",
"H"
]
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true,
"name": [
"He"
],
"value": [
"C",
"Be",
"B"
]
},
{
"type": "headerOrderMatch",
"positiveMatch": true,
"value": "H:He"
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "H",
"nameWildcard": true,
"nameCase": true,
"valueCase": true,
"valueWildcard": true,
"value": [
"H",
"He",
"Li"
]
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "Be",
"nameWildcard": true,
"nameCase": true,
"valueCase": true,
"valueWildcard": true,
"value": [
"O",
"N",
"C"
]
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "C",
"nameCase": true,
"nameWildcard": true,
"valueWildcard": true,
"valueCase": true,
"value": [
"Carbon",
"C"
]
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "N",
"nameCase": false,
"nameWildcard": false,
"valueWildcard": false,
"valueCase": false,
"value": [
"Nitrogen",
"N"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "H",
"value": [
"H",
"Hydrogen"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "He",
"value": [
"He",
"Helium"
]
},
{
"type": "argsPostNamesMatch",
"positiveMatch": true,
"value": [
"Carbon",
"Oxygen",
"Nitrogen",
"Chlorine"
]
},
{
"type": "clientCertPresentMatch",
"positiveMatch": true
},
{
"type": "clientCertValidMatch",
"positiveMatch": false
},
{
"type": "clientTlsFingerprintMatch",
"positiveMatch": true,
"value": [
"aebbfa8e53e8661f"
]
},
{
"type": "hostMatch",
"positiveMatch": true,
"value": [
"example.com",
"*.Nitrogen.gb"
]
}
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 48579 |
A unique identifier for each configuration. |
Status 200
application/json
Object type: CustomRule
Download schema: customRule-schema.json
Response body:
{
"id": 661699,
"name": "Fat Rule",
"description": "Can I create all conditions?",
"version": 1,
"ruleActivated": false,
"tag": [
"test"
],
"conditions": [
{
"type": "requestMethodMatch",
"positiveMatch": true,
"value": [
"GET",
"CONNECT",
"TRACE",
"PUT",
"POST",
"OPTIONS",
"DELETE",
"HEAD"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"value": [
"/H",
"/Li",
"/He"
]
},
{
"type": "extensionMatch",
"positiveMatch": true,
"valueWildcard": true,
"valueCase": true,
"value": [
"Li",
"He",
"H"
]
},
{
"type": "filenameMatch",
"positiveMatch": true,
"valueWildcard": false,
"valueCase": false,
"value": [
"He",
"H",
"Li"
]
},
{
"type": "requestProtocolVersionMatch",
"positiveMatch": true,
"value": "HTTP/0.9"
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true,
"name": [
"H",
"He"
],
"value": [
"Li",
"He",
"H"
]
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true,
"name": [
"He"
],
"value": [
"C",
"Be",
"B"
]
},
{
"type": "headerOrderMatch",
"positiveMatch": true,
"value": "H:He"
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "H",
"nameWildcard": true,
"nameCase": true,
"valueCase": true,
"valueWildcard": true,
"value": [
"H",
"He",
"Li"
]
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "Be",
"nameWildcard": true,
"nameCase": true,
"valueCase": true,
"valueWildcard": true,
"value": [
"O",
"N",
"C"
]
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "C",
"nameCase": true,
"nameWildcard": true,
"valueWildcard": true,
"valueCase": true,
"value": [
"Carbon",
"C"
]
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "N",
"nameCase": false,
"nameWildcard": false,
"valueWildcard": false,
"valueCase": false,
"value": [
"Nitrogen",
"N"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "H",
"value": [
"H",
"Hydrogen"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "He",
"value": [
"He",
"Helium"
]
},
{
"type": "argsPostNamesMatch",
"positiveMatch": true,
"value": [
"Carbon",
"Oxygen",
"Nitrogen",
"Chlorine"
]
},
{
"type": "clientCertPresentMatch",
"positiveMatch": true
},
{
"type": "clientCertValidMatch",
"positiveMatch": true
},
{
"type": "clientTlsFingerprintMatch",
"positiveMatch": true,
"value": [
"aebbfa8e53e8661f"
]
},
{
"type": "hostMatch",
"positiveMatch": true,
"value": [
"example.com",
"*.Nitrogen.gb"
]
}
]
}
Run List configurations and select a
configId.Create a CustomRule object.
Make a POST request to
/appsec/.v1/ configs/ {configId}/ custom-rules
The response reflects the complete CustomRule object.
Get a custom rule
Returns the details of a custom rule. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 48579 |
A unique identifier for each configuration. |
ruleId |
Integer | 661699 |
A unique identifier for each custom rule. |
Status 200
application/json
Object type: CustomRule
Download schema: customRule-schema.json
Response body:
{
"id": 661699,
"name": "Fat Rule",
"description": "Can I create all conditions?",
"version": 1,
"ruleActivated": false,
"tag": [
"test"
],
"conditions": [
{
"type": "requestMethodMatch",
"positiveMatch": true,
"value": [
"GET",
"CONNECT",
"TRACE",
"PUT",
"POST",
"OPTIONS",
"DELETE",
"HEAD"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"value": [
"/H",
"/Li",
"/He"
]
},
{
"type": "extensionMatch",
"positiveMatch": true,
"valueWildcard": true,
"valueCase": true,
"value": [
"Li",
"He",
"H"
]
},
{
"type": "filenameMatch",
"positiveMatch": true,
"valueWildcard": false,
"valueCase": false,
"value": [
"He",
"H",
"Li"
]
},
{
"type": "requestProtocolVersionMatch",
"positiveMatch": true,
"value": "HTTP/0.9"
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true,
"name": [
"H",
"He"
],
"value": [
"Li",
"He",
"H"
]
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true,
"name": [
"He"
],
"value": [
"C",
"Be",
"B"
]
},
{
"type": "headerOrderMatch",
"positiveMatch": true,
"value": "H:He"
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "H",
"nameWildcard": true,
"nameCase": true,
"valueCase": true,
"valueWildcard": true,
"value": [
"H",
"He",
"Li"
]
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "Be",
"nameWildcard": true,
"nameCase": true,
"valueCase": true,
"valueWildcard": true,
"value": [
"O",
"N",
"C"
]
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "C",
"nameCase": true,
"nameWildcard": true,
"valueWildcard": true,
"valueCase": true,
"value": [
"Carbon",
"C"
]
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "N",
"nameCase": false,
"nameWildcard": false,
"valueWildcard": false,
"valueCase": false,
"value": [
"Nitrogen",
"N"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "H",
"value": [
"H",
"Hydrogen"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "He",
"value": [
"He",
"Helium"
]
},
{
"type": "argsPostNamesMatch",
"positiveMatch": true,
"value": [
"Carbon",
"Oxygen",
"Nitrogen",
"Chlorine"
]
},
{
"type": "clientCertPresentMatch",
"positiveMatch": true
},
{
"type": "clientCertValidMatch",
"positiveMatch": true
},
{
"type": "clientTlsFingerprintMatch",
"positiveMatch": true,
"value": [
"aebbfa8e53e8661f"
]
},
{
"type": "hostMatch",
"positiveMatch": true,
"value": [
"example.com",
"*.Nitrogen.gb"
]
}
]
}
Run List configurations and select a
configId.Run List custom rules and select a
ruleId.Make a GET request to
/appsec/.v1/ configs/ {configId}/ custom-rules/ {ruleId}
The response is a CustomRule object.
Modify a custom rule
Updates an existing custom rule. Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: CustomRule
Download schema: customRule-schema.json
Request body:
{
"id": 661699,
"name": "Fat Rule",
"description": "Can I create all conditions?",
"version": 1,
"tag": [
"test"
],
"conditions": [
{
"type": "requestMethodMatch",
"positiveMatch": true,
"value": [
"GET",
"CONNECT",
"TRACE",
"PUT",
"POST",
"OPTIONS",
"DELETE",
"HEAD"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"value": [
"/H",
"/Li",
"/He"
]
},
{
"type": "extensionMatch",
"positiveMatch": true,
"valueWildcard": true,
"valueCase": true,
"value": [
"Li",
"He",
"H"
]
},
{
"type": "filenameMatch",
"positiveMatch": true,
"valueWildcard": false,
"valueCase": false,
"value": [
"He",
"H",
"Li"
]
},
{
"type": "requestProtocolVersionMatch",
"positiveMatch": true,
"value": "HTTP/0.9"
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true,
"name": [
"H",
"He"
],
"value": [
"Li",
"He",
"H"
]
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true,
"name": [
"He"
],
"value": [
"C",
"Be",
"B"
]
},
{
"type": "headerOrderMatch",
"positiveMatch": true,
"value": "H:He"
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "H",
"nameWildcard": true,
"nameCase": true,
"valueCase": true,
"valueWildcard": true,
"value": [
"H",
"He",
"Li"
]
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "Be",
"nameWildcard": true,
"nameCase": true,
"valueCase": true,
"valueWildcard": true,
"value": [
"O",
"N",
"C"
]
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "C",
"nameCase": true,
"nameWildcard": true,
"valueWildcard": true,
"valueCase": true,
"value": [
"Carbon",
"C"
]
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "N",
"nameCase": false,
"nameWildcard": false,
"valueWildcard": false,
"valueCase": false,
"value": [
"Nitrogen",
"N"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "H",
"value": [
"H",
"Hydrogen"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "He",
"value": [
"He",
"Helium"
]
},
{
"type": "argsPostNamesMatch",
"positiveMatch": true,
"value": [
"Carbon",
"Oxygen",
"Nitrogen",
"Chlorine"
]
},
{
"type": "clientCertPresentMatch",
"positiveMatch": true
},
{
"type": "clientCertValidMatch",
"positiveMatch": false
},
{
"type": "clientTlsFingerprintMatch",
"positiveMatch": true,
"value": [
"aebbfa8e53e8661f"
]
},
{
"type": "hostMatch",
"positiveMatch": true,
"value": [
"example.com",
"*.Nitrogen.gb"
]
}
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 48579 |
A unique identifier for each configuration. |
ruleId |
Integer | 661699 |
A unique identifier for each custom rule. |
Status 200
application/json
Object type: CustomRule
Download schema: customRule-schema.json
Response body:
{
"id": 661699,
"name": "Fat Rule",
"description": "Can I create all conditions?",
"version": 1,
"ruleActivated": false,
"tag": [
"test"
],
"conditions": [
{
"type": "requestMethodMatch",
"positiveMatch": true,
"value": [
"GET",
"CONNECT",
"TRACE",
"PUT",
"POST",
"OPTIONS",
"DELETE",
"HEAD"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"value": [
"/H",
"/Li",
"/He"
]
},
{
"type": "extensionMatch",
"positiveMatch": true,
"valueWildcard": true,
"valueCase": true,
"value": [
"Li",
"He",
"H"
]
},
{
"type": "filenameMatch",
"positiveMatch": true,
"valueWildcard": false,
"valueCase": false,
"value": [
"He",
"H",
"Li"
]
},
{
"type": "requestProtocolVersionMatch",
"positiveMatch": true,
"value": "HTTP/0.9"
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true,
"name": [
"H",
"He"
],
"value": [
"Li",
"He",
"H"
]
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true,
"name": [
"He"
],
"value": [
"C",
"Be",
"B"
]
},
{
"type": "headerOrderMatch",
"positiveMatch": true,
"value": "H:He"
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "H",
"nameWildcard": true,
"nameCase": true,
"valueCase": true,
"valueWildcard": true,
"value": [
"H",
"He",
"Li"
]
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "Be",
"nameWildcard": true,
"nameCase": true,
"valueCase": true,
"valueWildcard": true,
"value": [
"O",
"N",
"C"
]
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "C",
"nameCase": true,
"nameWildcard": true,
"valueWildcard": true,
"valueCase": true,
"value": [
"Carbon",
"C"
]
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "N",
"nameCase": false,
"nameWildcard": false,
"valueWildcard": false,
"valueCase": false,
"value": [
"Nitrogen",
"N"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "H",
"value": [
"H",
"Hydrogen"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "He",
"value": [
"He",
"Helium"
]
},
{
"type": "argsPostNamesMatch",
"positiveMatch": true,
"value": [
"Carbon",
"Oxygen",
"Nitrogen",
"Chlorine"
]
},
{
"type": "clientCertPresentMatch",
"positiveMatch": true
},
{
"type": "clientCertValidMatch",
"positiveMatch": true
},
{
"type": "clientTlsFingerprintMatch",
"positiveMatch": true,
"value": [
"aebbfa8e53e8661f"
]
},
{
"type": "hostMatch",
"positiveMatch": true,
"value": [
"example.com",
"*.Nitrogen.gb"
]
}
]
}
Run List configurations and select a
configId.Run List custom rules and select a
ruleId.Run Get a custom rule.
Modify the CustomRule object.
Make a PUT request to
/appsec/.v1/ configs/ {configId}/ custom-rules/ {ruleId}
The response reflects the modified CustomRule object.
Remove a custom rule
Deletes a custom rule as long as it isn’t activated. Products: All.
DELETE /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 48579 |
A unique identifier for each configuration. |
ruleId |
Integer | 661699 |
A unique identifier for each custom rule. |
Status 204
Run List configurations and select a
configId.Run List custom rules and select a
ruleId.Make a DELETE request to
/appsec/.v1/ configs/ {configId}/ custom-rules/ {ruleId}
List custom rule actions
Returns a list of all configured custom rules for the
specified configuration. It includes information for
rules that are associated with this policy, as well as
the latest versions of the rules in the configuration
that aren’t associated with the current policy.
Unassociated rules have an action of none.
Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 48579 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | WC_3 |
A unique identifier for the security policy. |
Status 200
application/json
Object type: CustomRuleActions
Download schema: customRuleActions.json
Response body:
{
"customRules": [
{
"action": "alert",
"link": "/appsec/v1/configs/16400/custom-rules/622918",
"name": "Custom Rule Example 1",
"id": 622918
},
{
"action": "none",
"link": "/appsec/v1/configs/16400/custom-rules/657604",
"name": "Custom Rule Example 2",
"id": 657604
},
{
"action": "deny",
"link": "/appsec/v1/configs/16400/custom-rules/615894",
"name": "Custom Rule Example 3",
"id": 615894
}
]
}
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Run List security policies and select a
policyId.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ 1/ security-policies/ {policyId}/ custom-rules
The response is a CustomRuleActions object.
Modify a custom rule action
Updates the action of a custom rule. Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: CustomRuleActions
Download schema: updateCustomRuleAction.json
Request body:
{
"action": "alert"
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 48579 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | WC_3 |
A unique identifier for the security policy. |
ruleId |
Integer | 661699 |
A unique identifier for each custom rule. |
Status 200
application/json
Object type: CustomRuleActions
Download schema: updateCustomRuleAction.json
Response body:
{
"action": "alert"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List custom rule actions and select a
ruleId.Make a PUT request with a single-member object containing the specified
actionto/appsec/.v1/ configs/ {configId}/ versions/ 1/ security-policies/ {policyId}/ custom-rules/ {ruleId}
The response reflects the modified single-member object.
List API request constraints and actions
Return a list of APIs with their constraints and associated actions. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Download schema: apiRequestConstraintsActionSuccess.json
Response body:
{
"apiEndpoints": [
{
"id": 1941,
"action": "alert"
},
{
"id": 1942,
"action": "alert"
},
{
"id": 1943,
"action": "alert"
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ api-request-constraints
The operation responds with an API constraints object.
Modify the request constraint action for all API
Update what action to take when any API request constraint triggers. Use alert to record the trigger of the event, deny to block the request, or customDenyId to apply a custom deny response.
Products: Kona Site Defender, App & API Protector with the Advanced Security module.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: ApiConstraints
Download schema: apiRequestConstraintsActionPutRequest.json
Request body:
{
"action": "alert"
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Download schema: apiRequestConstraintsActionSuccess.json
Response body:
{
"apiEndpoints": [
{
"id": 1941,
"action": "alert"
},
{
"id": 1942,
"action": "alert"
},
{
"id": 1943,
"action": "alert"
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Modify the API constraints object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ api-request-constraints
The operation responds with an API constraints object.
Modify an API request constraint’s action
Update what action to take when the API request constraint triggers. This operation modifies an individual API constraint action. To use this operation, run List all API request constraints and actions and pick an API from the ApiConstraints list. Use alert to record the trigger of the event, deny to block the request, or none to take no action. Currently the only member in the API Request Constraints object is action.
Products: Kona Site Defender, App & API Protector with the Advanced Security module.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: ApiConstraints
Download schema: apiRequestConstraintsActionPutRequest.json
Request body:
{
"action": "alert"
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
apiId |
Integer | 12345 |
A unique identifier for each API. |
Status 200
application/json
Download schema: apiRequestConstraintsActionPutSuccess.json
Response body:
{
"action": "alert"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List API request constraints and actions, select an
idvalue, and store it as anapiId.Modify the API constraints object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ api-request-constraints/ {apiId}
The operation responds with a API constraints object.
List API endpoints
List the API endpoints associated with a security policy. This operation only lists the endpoints. To manage them, use Register an endpoint from the API Endpoint Definition API. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a security policy. |
Status 200
application/json
Download schema: apiEndpointsGetSuccess.json
Response body:
{
"apiEndpoints": [
{
"id": 619183,
"name": "Orders",
"basePath": "/v1/orders",
"requestConstraintsEnabled": false,
"apiEndPointHosts": [
"sg.akamai.com"
],
"stagingVersion": {
"status": "ACTIVE",
"versionNumber": 1
},
"productionVersion": {
"status": "ACTIVE",
"versionNumber": 1
}
},
{
"id": 624913,
"name": "Catalog",
"basePath": "/v1/catalog",
"requestConstraintsEnabled": true,
"apiEndPointHosts": [
"sg.akamai.com"
],
"stagingVersion": {
"status": "ACTIVE",
"versionNumber": 1
},
"productionVersion": {
"status": "ACTIVE",
"versionNumber": 1
}
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ api-endpoints
The operation responds with an Api Endpoints object.
List reputation profiles
Returns reputation profiles for a specific security configuration version. To use reputation profiles, you need to add Client Reputation to Kona Site Defender on your contract. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Download schema: reputationProfilesList.json
Response body:
{
"reputationProfiles": [
{
"id": 146254,
"name": "Scanning Tools (High Threat)",
"context": "SCANTL",
"contextReadable": "Scanning Tools",
"threshold": 9,
"sharedIpHandling": "NON_SHARED",
"enabled": false
},
{
"id": 146258,
"name": "Web Attackers (Low Threat)",
"context": "WEBATCK",
"contextReadable": "Web Attackers",
"threshold": 5,
"sharedIpHandling": "SHARED_ONLY",
"enabled": false
},
{
"id": 146259,
"name": "Custom Reputation Profile",
"context": "WEBATCK",
"contextReadable": "Web Attackers",
"threshold": 3,
"sharedIpHandling": "SHARED_ONLY",
"description": "this is a customized reputation profile",
"enabled": true,
"condition": {
"id": "2156",
"name": "Rep condition",
"description": "Rep condition description",
"positiveMatch": true,
"atomicConditions": [
{
"positiveMatch": true,
"nameWildcard": true,
"name": "cookie",
"valueWildcard": true,
"className": "RequestCookieCondition",
"value": [
"cookie"
]
}
]
}
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ reputation-profiles
The operation responds with a Reputation Profile object.
Create a reputation profile
Create a new reputation profile for a specific configuration version. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
POST /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: ReputationProfile
Download schema: reputationProfile.json
Request body:
{
"name": "Web Attack Rep Profile",
"description": "Reputation profile description",
"context": "WEBATCK",
"threshold": 5,
"sharedIpHandling": "NON_SHARED",
"condition": {
"positiveMatch": true,
"atomicConditions": [
{
"positiveMatch": true,
"className": "AsNumberCondition",
"value": [
"1"
]
},
{
"positiveMatch": true,
"nameWildcard": true,
"valueWildcard": true,
"className": "RequestCookieCondition",
"nameCase": true,
"name": "x-header"
},
{
"positiveMatch": true,
"valueWildcard": true,
"className": "HostCondition",
"host": [
"*.com"
]
}
]
}
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 201
application/json
Object type: ReputationProfile
Download schema: reputationProfile.json
Response body:
{
"id": 2509987,
"name": "Web Attack Rep Profile",
"context": "WEBATCK",
"description": "Reputation profile description",
"threshold": 5,
"sharedIpHandling": "NON_SHARED",
"enabled": false,
"condition": {
"positiveMatch": true,
"atomicConditions": [
{
"checkIps": "connecting",
"className": "AsNumberCondition",
"index": 1,
"positiveMatch": true,
"value": [
"1"
]
},
{
"className": "RequestCookieCondition",
"index": 2,
"name": "x-header",
"nameCase": true,
"nameWildcard": true,
"positiveMatch": true,
"valueCase": false,
"valueWildcard": true
},
{
"className": "HostCondition",
"index": 3,
"positiveMatch": true,
"valueWildcard": true,
"host": [
"*.com"
]
}
]
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Build a new Reputation Profile object.
POST the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ reputation-profiles
The operation responds with a Reputation Profile object.
Get a reputation profile
Returns the details for a specific reputation profile. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
reputationProfileId |
Integer | 112231 |
A unique identifier for each reputation profile. |
Status 200
application/json
Object type: ReputationProfile
Download schema: reputationProfile.json
Response body:
{
"id": 2509987,
"name": "Web Attack Rep Profile",
"context": "WEBATCK",
"description": "Reputation profile description",
"threshold": 5,
"sharedIpHandling": "NON_SHARED",
"enabled": false,
"condition": {
"positiveMatch": true,
"atomicConditions": [
{
"checkIps": "connecting",
"className": "AsNumberCondition",
"index": 1,
"positiveMatch": true,
"value": [
"1"
]
},
{
"className": "RequestCookieCondition",
"index": 2,
"name": "x-header",
"nameCase": true,
"nameWildcard": true,
"positiveMatch": true,
"valueCase": false,
"valueWildcard": true
},
{
"className": "HostCondition",
"index": 3,
"positiveMatch": true,
"valueWildcard": true,
"host": [
"*.com"
]
}
]
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List reputation profiles, select an
idvalue, and store it as areputationProfileIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ reputation-profiles/ {reputationProfileId}
The operation responds with a Reputation Profile object.
Modify a reputation profile
Update details for a specific reputation profile. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: ReputationProfile
Download schema: reputationProfile.json
Request body:
{
"id": 2509987,
"name": "Web Attack Rep Profile",
"context": "WEBATCK",
"description": "Reputation profile description",
"threshold": 5,
"sharedIpHandling": "NON_SHARED",
"enabled": false,
"condition": {
"positiveMatch": true,
"atomicConditions": [
{
"checkIps": "connecting",
"className": "AsNumberCondition",
"index": 1,
"positiveMatch": true,
"value": [
"1"
]
},
{
"className": "RequestCookieCondition",
"index": 2,
"name": "x-header",
"nameCase": true,
"nameWildcard": true,
"positiveMatch": true,
"valueCase": false,
"valueWildcard": true
},
{
"className": "HostCondition",
"index": 3,
"positiveMatch": true,
"valueWildcard": true,
"host": [
"example.com"
]
}
]
}
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
reputationProfileId |
Integer | 112231 |
A unique identifier for each reputation profile. |
Status 200
application/json
Object type: ReputationProfile
Download schema: reputationProfile.json
Response body:
{
"id": 2509987,
"name": "Web Attack Rep Profile",
"context": "WEBATCK",
"description": "Reputation profile description",
"threshold": 5,
"sharedIpHandling": "NON_SHARED",
"enabled": false,
"condition": {
"positiveMatch": true,
"atomicConditions": [
{
"checkIps": "connecting",
"className": "AsNumberCondition",
"index": 1,
"positiveMatch": true,
"value": [
"1"
]
},
{
"className": "RequestCookieCondition",
"index": 2,
"name": "x-header",
"nameCase": true,
"nameWildcard": true,
"positiveMatch": true,
"valueCase": false,
"valueWildcard": true
},
{
"className": "HostCondition",
"index": 3,
"positiveMatch": true,
"valueWildcard": true,
"host": [
"*.com"
]
}
]
}
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List reputation profiles, select an
idvalue, and store it as areputationProfileIdparameter.Modify the Reputation Profile object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ reputation-profiles/ {reputationProfileId}
The operation responds with a ReputationProfile object.
Remove a reputation profile
Delete a reputation profile. You can’t delete a reputation profile that is actively in use. To delete the reputation profile, first activate an older configuration version or create a new version without that policy in place. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
DELETE /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
reputationProfileId |
Integer | 112231 |
A unique identifier for each reputation profile. |
Status 204
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List reputation profiles, select an
idvalue, and store it as areputationProfileIdparameter.Make a DELETE request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ reputation-profiles/ {reputationProfileId}
Get the reputation analysis settings
Return the current reputation analysis settings. Products: Kona Site Defender.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a policy. |
Status 200
application/json
Download schema: reputationAnalysisSettingsGetSuccess.json
Response body:
{
"forwardToHTTPHeader": true,
"forwardSharedIPToHTTPHeaderAndSIEM": true
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ reputation-analysis
The operation responds with a ReputationAnalysis object.
Update the reputation analysis settings
Toggle the options forwardToHTTPHeader and forwardSharedIPToHTTPHeaderAndSIEM on and off. forwardToHTTPHeader is the option to add client reputation details to requests forwarded to origin in an HTTP header. forwardSharedIPToHTTPHeaderAndSIEM is the option to add value indicating that shared IPs are included in HTTP header and SIEM integration when used.
Products: Kona Site Defender.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: ReputationAnalysis
Download schema: reputationAnalysisSettingsPutRequest.json
Request body:
{
"forwardToHTTPHeader": true,
"forwardSharedIPToHTTPHeaderAndSIEM": true
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a policy. |
Status 200
application/json
Download schema: reputationAnalysisSettingsPutSuccess.json
Response body:
{
"forwardToHTTPHeader": true,
"forwardSharedIPToHTTPHeaderAndSIEM": true
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Modify the ReputationAnalysis object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ reputation-analysis
The operation responds with a ReputationAnalysis object.
List reputation profile actions
Return a list of reputation profiles with their associated actions. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a policy. |
Status 200
application/json
Object type: ReputationProfileAction
Download schema: reputationProfileGetActionsSuccess.json
Response body:
{
"reputationProfiles": [
{
"id": 102718,
"action": "alert"
},
{
"id": 102719,
"action": "deny"
}
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ reputation-profiles
The operation responds with a ReputationProfileAction object.
Get the action for a reputation profile
Return the action a reputation profile takes when triggered. Products: Kona Site Defender, App & API Protector with the Advanced Security module.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a policy. |
reputationProfileId |
Integer | 12345 |
A unique identifier for each reputation profile. |
Status 200
application/json
Download schema: reputationProfileGetActionSuccess.json
Response body:
{
"action": "alert"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List reputation profile actions, select an
idvalue, and store is as areputationProfileIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ reputation-profiles/ {reputationProfileId}
The operation responds with a ReputationProfileAction object.
Modify the action for a reputation profile
Update what action to take when reputation profile’s rule triggers. Use alert to record the trigger of the event, deny to block the request, or none to take no action. Currently the only member in the reputation profile object is action.
Products: Kona Site Defender, App & API Protector with the Advanced Security module.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Download schema: reputationProfileSetActionRequest.json
Request body:
{
"action": "alert"
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a policy. |
reputationProfileId |
Integer | 12345 |
A unique identifier for each reputation profile. |
Status 200
application/json
Object type: ReputationProfileAction
Download schema: reputationProfileSetActionSuccess.json
Response body:
{
"action": "alert"
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run List reputation profile actions, select an
idvalue, and store is as areputationProfileIdparameter.Modify the ReputationProfileAction object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ reputation-profiles/ {reputationProfileId}
The operation responds with a ReputationProfileAction object.
Get protections
Get the protections and whether they are enabled or disabled in a security policy. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a policy |
Status 200
application/json
Object type: Protections
Download schema: securityPolicyGetProtectionsSuccess.json
Response body:
{
"applyApiConstraints": true,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": true,
"applySlowPostControls": true,
"applyReputationControls": true
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ protections
The operation responds with a Protections object.
Modify protections
Update the security policy protections. This applies a set of protections that you can enable individually. Products: All. application/json: schema: securityPolicySetProtectionsRequest example: !include examples/securityPolicySetProtectionsRequest.json
PUT /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
policyId |
String | boBF_19288 |
A unique identifier for a policy |
Status 200
application/json
Download schema: securityPolicySetProtectionsSuccess.json
Response body:
{
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": true,
"applySlowPostControls": true,
"applyReputationControls": true
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run List security policies, select an
idvalue, and save it as apolicyIdparameter.Run Get protections.
Modify the Protections object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ security-policies/ {policyId}/ protections
The operation responds with a Protections object.
Get SIEM settings
Return SIEM settings for a specific configuration. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 1 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Object type: SIEM
Download schema: siemSettings.json
Response body:
{
"enableForAllPolicies": false,
"enableSiem": true,
"enabledBotmanSiemEvents": false,
"siemDefinitionId": 1,
"firewallPolicyIds": [
"qik2_38799",
"4444_44572",
"teet_39295",
"ds22_48583"
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Make a GET request to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ siem
The operation responds with a SIEM object.
Modify SIEM settings
Update SIEM settings for a specific configuration. Products: All.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: SIEM
Download schema: siemSettings.json
Request body:
{
"enableForAllPolicies": false,
"enableSiem": true,
"enabledBotmanSiemEvents": false,
"siemDefinitionId": 1,
"firewallPolicyIds": [
"qik2_38799",
"4444_44572",
"teet_39295",
"ds22_48583"
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 1 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Object type: SIEM
Download schema: siemSettings.json
Response body:
{
"enableForAllPolicies": false,
"enableSiem": true,
"enabledBotmanSiemEvents": false,
"siemDefinitionId": 1,
"firewallPolicyIds": [
"qik2_38799",
"4444_44572",
"teet_39295",
"ds22_48583"
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Run List configuration versions and select a
versionNumber.Run Get SIEM settings.
Modify the SIEM object.
PUT the object to
/appsec/.v1/ configs/ {configId}/ versions/ {versionNumber}/ siem
The operation responds with a SIEM object.
Get SIEM versions
Get available SIEM versions. Products: All.
GET /appsec/
Status 200
application/json
Download schema: siemVersionsList.json
Response body:
{
"siemDefinitions": [
{
"id": 1,
"name": "SIEM Version 01"
}
]
}
List subscribers
List all subscribers to a feature for a security configuration. The response array is empty if no subscribers exist. Currently, the only feature is AAG_TUNING_REC for AAG rule sets.
Products: Kona Site Defender.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
feature |
String | AAG_TUNING_REC |
A unique identifier for each subscription feature. |
Status 200
application/json
Download schema: appsecConfigSubscriptionResponse.json
Response body:
{
"emails": [
"subscriber1@email.example.com",
"subscriber2@email.example.com",
"subscriber3@email.example.com"
]
}
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Use
AAG_TUNING_RECfor thefeatureparameter.Make a GET request to
/appsec/.v1/ configs/ {configId}/ notification/ subscription/ {feature}
The operation responds with a Subscription object.
Subscribe or unsubscribe to recommendation emails
Set the request object’s action to subscribe to add user emails to the subscription object. Use unsubscribe to remove them from the list.
The lists are organized by features. Currently, the only feature is AAG_TUNING_REC for AAG rule sets.
Products: Kona Site Defender.
POST /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: Subscription
Download schema: appsecConfigSubscriptionRequest.json
Request body:
{
"action": "subscribe",
"emails": [
"subscriber1@email.example.com",
"subscriber2@email.example.com",
"subscriber3@email.example.com"
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
feature |
String | AAG_TUNING_REC |
A unique identifier for each subscription feature. |
Status 204
Run List configurations, select an
idvalue, and store it as aconfigIdparameter.Use
AAG_TUNING_RECfor thefeatureparameter.Build a new Subscription object.
POST the object to
/appsec/.v1/ configs/ {configId}/ notification/ subscription/ {feature}
List selected hostnames for a security policy
List the hostnames that the configuration version selects as candidates of protected hostnames, which you can use in match targets. Products: Web Application Protector, App & API Protector.
GET /appsec/
Status 200
application/json
Object type: SelectedHostnames
Download schema: hostnameList.json
Response body:
{
"mode": "append",
"hostnameList": [
{
"hostname": "*.example.net"
},
{
"hostname": "example.com"
},
{
"hostname": "m.example.com"
}
]
}
Modify selected hostnames for a security policy
Update the list of selected hostnames for a configuration. You can add an individual hostname to your selected hostnames list without passing the entire list plus the new hostname in this PUT object. Previously, you needed to pass every hostname in the PUT object or any hostnames not included would be deleted from the list. Products: Web Application Protector, App & API Protector.
PUT /appsec/
Content-Type: application/json
Object type: SelectedHostnames
Download schema: hostnameList.json
Request body:
{
"mode": "append",
"hostnameList": [
{
"hostname": "*.example.net"
},
{
"hostname": "example.com"
},
{
"hostname": "m.example.com"
}
]
}
Status 200
application/json
Object type: SelectedHostnames
Download schema: hostnameList.json
Response body:
{
"mode": "append",
"hostnameList": [
{
"hostname": "*.example.net"
},
{
"hostname": "example.com"
},
{
"hostname": "m.example.com"
}
]
}
List evaluation hostnames for a security policy
List the evaluation hostnames for a configuration version. Evaluation mode for hostnames is only available for Web Application Protector. Run hostnames in evaluation mode to see how your configuration settings protect traffic for that hostname before adding a hostname directly to a live configuration. An evaluation period lasts four weeks unless you stop the evaluation. Once you begin, the hostnames you evaluate start responding to traffic as if they are your current hostnames. However, instead of taking an action the evaluation hostnames log which action they would have taken if they were your actively-protected hostnames and not a test. Products: Web Application Protector, App & API Protector.
GET /appsec/
Status 200
application/json
Object type: EvalHostname
Download schema: evalHostnames.json
Response body:
{
"mode": "append",
"hostnames": [
"*.example.net",
"example.com",
"m.example.com"
]
}
Modify evaluation hostnames for a security policy
Update the list of hostnames you want to evaluate for a configuration version. Products: Web Application Protector, App & API Protector.
PUT /appsec/
Content-Type: application/json
Object type: EvalHostname
Download schema: evalHostnames.json
Request body:
{
"mode": "append",
"hostnames": [
"*.example.net",
"example.com",
"m.example.com"
]
}
Status 200
application/json
Object type: EvalHostname
Download schema: evalHostnames.json
Response body:
{
"mode": "append",
"hostnames": [
"*.example.net",
"example.com",
"m.example.com"
]
}
Protect evaluation hostnames for a security policy
Move hostnames you’re evaluating to active protection. When you move a hostname from the evaluation hostnames list, it’s added to your security policy as a protected hostname. You’ll see that hostname in the SelectedHostnames object the next time you run List selected hostnames. Products: Web Application Protector, App & API Protector.
PUT /appsec/
Content-Type: application/json
Object type: EvalHostname
Download schema: evalHostnames.json
Request body:
{
"mode": "append",
"hostnames": [
"*.example.net",
"example.com",
"m.example.com"
]
}
Status 200
application/json
Object type: EvalHostname
Download schema: evalHostnames.json
Response body:
{
"mode": "append",
"hostnames": [
"*.example.net",
"example.com",
"m.example.com"
]
}
Get the bypass network lists settings for a security policy
Lists which network lists are used in the bypass network lists settings. If you want to add or remove IP addresses from the network lists, use the Network Lists API. Products: Web Application Protector, App & API Protector.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Download schema: bypassNetworklists.json
Response body:
{
"networkLists": [
{
"name": "Test network list 1",
"id": "888518_ACDDCKERS"
},
{
"name": "Test network list 2",
"id": "1304427_AAXXBBLIST"
}
]
}
Modify the bypass network lists settings for a security policy
Update which network lists to use in the bypass network lists settings. If you want to add or remove IP addresses from the network lists, use the Network Lists API. Products: Web Application Protector, App & API Protector.
PUT /appsec/
Sample: /appsec/
Content-Type: application/json
Object type: BypassNetworkList
Download schema: bypassNetworklists-put.json
Request body:
{
"networkLists": [
"1304427_AAXXBBLIST",
"888518_ACDDCKERS"
]
}
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 77653 |
A unique identifier for each configuration. |
versionNumber |
Integer | 25 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Object type: BypassNetworkList
Download schema: bypassNetworklists-put.json
Response body:
{
"block": "blockSpecificIPGeo",
"geoControls": {
"blockedIPNetworkLists": {
"networkList": [
"72138_TEST1"
]
}
},
"ipControls": {
"allowedIPNetworkLists": {
"networkList": [
"56921_TEST"
]
},
"blockedIPNetworkLists": {
"networkList": [
"53712_TESTLIST123"
]
}
}
}
Activate a configuration version
Activates one or more configurations globally. Note that you need to explicitly list any invalid hosts in the acknowledgedInvalidHostsByConfig parameter in order to successfully activate a configuration that includes invalid hostnames. If you have an invalid hostname that isn’t explicitly called out you’ll receive an error telling you to add them to acknowledgedInvalidHostsByConfig. See Activate with invalid hostnames for instructions.
Products: All.
POST /appsec/
Content-Type: application/json
Object type: Activation
Download schema: activations-request.json
Request body:
{
"action": "ACTIVATE",
"network": "STAGING",
"note": "Free text notes",
"notificationEmails": [
"a@example.com",
"b@example.com"
],
"activationConfigs": [
{
"configId": 1,
"configVersion": 4
}
]
}
Status 200
application/json
Object type: Activation
Download schema: activation-status.json
Response body:
{
"dispatchCount": 1,
"activationId": 1234,
"action": "ACTIVATE",
"status": "RECEIVED",
"network": "PRODUCTION",
"estimate": "PTM5",
"createdBy": "user1",
"createDate": "2013-10-07T17:41:52+00:00",
"activationConfigs": [
{
"configId": 1,
"configName": "config 1",
"configVersion": 4,
"previousConfigVersion": 2
}
]
}
Status 202
application/json
Headers:
Location: /appsec/v1/activations/status/f81c92c5-b150-4c41-9b53-9cef7969150a
Download schema: activation-request-status-created.json
Response body:
{
"statusId": "f81c92c5-b150-4c41-9b53-9cef7969150a",
"createDate": "2018-06-19T11:27:55Z",
"links": {
"check-status": {
"href": "/appsec/v1/activations/status/f81c92c5-b150-4c41-9b53-9cef7969150a"
}
}
}
Create an Activation object.
Make a POST request to
/appsec/.v1/ activations
The response reflects the complete Activation object.
Get an activation request status
Returns the status of a long-running activation request. Any errors that occur when generating the activation cause this API to respond with the underlying error status. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
statusId |
String | f81c92c5-b150-4c41-9b53-9cef7969150a |
UUID of this activation request status. |
Status 200
application/json
Headers:
Retry-After: 300
Download schema: activation-request-status-in-progress.json
Response body:
{
"statusId": "f81c92c5-b150-4c41-9b53-9cef7969150a",
"createDate": "2018-06-19T11:27:55Z"
}
Status 303
application/json
Headers:
Location: /appsec/v1/activations/1234
Download schema: activation-request-status-complete.json
Response body:
{
"activationId": 1234
}
Activate a configuration version, if you haven’t already done so, and note the
statusIdin the response.Make a GET request to
/appsec/.v1/ activations/ status/ {statusId} The response produces an object with an HTTP status code and relevant activation request data in the header.
The optional
Retry-Afterresponse header indicates the number of seconds to wait before submitting another status request.The optional
Locationresponse header indicates the URL of the specified activation.
Get activation status
Returns the status of an activation. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
activationId |
Number | 1234 |
A unique identifier for an activation. |
Status 200
application/json
Object type: Activation
Download schema: activation-status.json
Response body:
{
"dispatchCount": 1,
"activationId": 1234,
"action": "ACTIVATE",
"status": "RECEIVED",
"network": "PRODUCTION",
"estimate": "PTM5",
"createdBy": "user1",
"createDate": "2013-10-07T17:41:52+00:00",
"activationConfigs": [
{
"configId": 1,
"configName": "config 1",
"configVersion": 4,
"previousConfigVersion": 2
}
]
}
Run Activate a configuration version and note the
activationIdin the response object.Make a GET request to
/appsec/.v1/ activations/ {activationId}
The response is an Activation object.
Export a configuration version
Returns comprehensive details about a security configuration version. This operation returns more data than Get configuration version details, including rate and security policies, rules, hostnames, and numerous additional settings. Products: All.
GET /appsec/
Sample: /appsec/
| Parameter | Type | Sample | Description |
|---|---|---|---|
| URL path parameters | |||
configId |
Integer | 48579 |
A unique identifier for each configuration. |
versionNumber |
Integer | 2 |
A unique identifier for each version of a configuration. |
Status 200
application/json
Object type: Export
Download schema: export.json
Response body:
{
"configId": 48579,
"configName": "New Security Config",
"version": 2,
"basedOn": 1,
"createDate": "2017-09-08T22:24:41Z",
"createdBy": "disharma",
"selectableHosts": [
"www.example1.com",
"www.example2.com"
],
"selectedHosts": [
"www.example3.com",
"www.example4.com"
],
"staging": {
"status": "Inactive"
},
"production": {
"status": "Inactive"
},
"matchTargets": {
"websiteTargets": [
{
"type": "website",
"defaultFile": "NO_MATCH",
"id": 1362593,
"isNegativeFileExtensionMatch": false,
"isNegativePathMatch": false,
"sequence": 1,
"fileExtensions": [
"jpg"
],
"filePaths": [
"/path"
],
"effectiveSecurityControls": {
"applyApplicationLayerControls": true,
"applyApiConstraints": true,
"applyNetworkLayerControls": false,
"applyRateControls": true,
"applyReputationControls": false,
"applySlowPostControls": false
},
"securityPolicy": {
"policyId": "qik3_38800"
},
"bypassNetworkLists": [
{
"id": "11212_BYPASSURR",
"name": "bypass-URR"
}
]
},
{
"type": "website",
"defaultFile": "NO_MATCH",
"id": 1362594,
"isNegativeFileExtensionMatch": false,
"isNegativePathMatch": false,
"sequence": 2,
"filePaths": [
"/images",
"/image1",
"/path"
],
"hostnames": [
"b2c.div1.akamaniac.com"
],
"effectiveSecurityControls": {
"applyApplicationLayerControls": true,
"applyApiConstraints": true,
"applyNetworkLayerControls": true,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": false
},
"securityPolicy": {
"policyId": "qik2_38799"
}
}
],
"apiTargets": [
{
"type": "api",
"id": 1362597,
"sequence": 6,
"effectiveSecurityControls": {
"applyApplicationLayerControls": false,
"applyApiConstraints": false,
"applyNetworkLayerControls": false,
"applyRateControls": true,
"applyReputationControls": false,
"applySlowPostControls": false
},
"securityPolicy": {
"policyId": "99e_47293"
},
"apis": [
{
"id": 1041,
"name": "hmm test"
}
],
"bypassNetworkLists": [
{
"id": "1024_AMAZONELASTICCOMPUTECLOU",
"name": "Ec2 Akamai Network List"
},
{
"id": "1283_MICROSOFTWINDOWSAZUREDAT",
"name": "Azure IP range cloud services"
}
]
},
{
"type": "api",
"id": 1362598,
"sequence": 7,
"effectiveSecurityControls": {
"applyApplicationLayerControls": false,
"applyApiConstraints": true,
"applyNetworkLayerControls": true,
"applyRateControls": false,
"applyReputationControls": true,
"applySlowPostControls": false
},
"securityPolicy": {
"policyId": "4444_44572"
},
"apis": [
{
"id": 1001,
"name": "1001"
},
{
"id": 1041,
"name": "hmm test"
}
],
"bypassNetworkLists": [
{
"id": "11212_BYPASSURR",
"name": "bypass-URR"
}
]
}
]
},
"siem": {
"configId": 77653,
"configVersion": 22,
"enableForAllPolicies": false,
"enableSiem": true,
"enabledBotmanSiemEvents": false,
"siemDefinitionId": 1,
"firewallPolicyIds": [
"qik2_38799",
"4444_44572",
"teet_39295",
"ds22_48583"
]
},
"advancedOptions": {
"logging": {
"allowSampling": true,
"cookies": {
"type": "exclude",
"values": [
"_updated_By_SoapUI",
"w",
"NEW_VAL_ADDED_BY_SoapUI"
]
},
"customHeaders": {
"type": "only",
"values": [
"112",
"sdasd",
"ds"
]
},
"standardHeaders": {
"type": "only"
}
},
"prefetch": {
"allExtensions": false,
"enableAppLayer": true,
"enableRateControls": false,
"extensions": [
"cgi",
"jsp",
"EMPTY_STRING",
"aspx",
"php",
"py",
"asp"
]
},
"pragmaHeader": {
"action": "REMOVE",
"conditionOperator": "AND",
"override": true,
"excludeCondition": [
{
"header": "Expect",
"positiveMatch": true,
"type": "requestHeaderValueMatch",
"useHeaders": false,
"valueCase": true,
"valueWildcard": true,
"value": [
"dasd"
]
},
{
"positiveMatch": true,
"type": "networkList",
"useHeaders": true,
"valueCase": false,
"valueWildcard": false,
"value": [
"62569_AEPUAT1PARTNERSSTRICTWL"
]
}
]
}
},
"errorHosts": [
{
"reasonCode": 400,
"hostname": "business.example.com",
"reason": "property is not active in either production or staging"
},
{
"reasonCode": 403,
"hostname": "anotherhostname.example.com",
"reason": "You don't have access to this property"
}
],
"ratePolicies": [
{
"averageThreshold": 3,
"burstThreshold": 2,
"clientIdentifier": "",
"createDate": "2017-09-08T22:24:42Z",
"id": 672601,
"matchType": "path",
"name": "dsafsfdsf",
"pathMatchType": "RequestDisabled",
"pathUriPositiveMatch": true,
"requestType": "ClientRequest",
"sameActionOnIpv6": true,
"type": "BOTMAN",
"updateDate": "2017-09-08T22:24:42Z",
"useXForwardForHeaders": false,
"used": false,
"queryParameters": [
{
"name": "dasdasdasd*",
"positiveMatch": true,
"valueInRange": false,
"values": [
"dasdasdas8*&^"
]
}
]
},
{
"averageThreshold": 1000,
"burstThreshold": 10,
"clientIdentifier": "ip",
"createDate": "2017-09-08T22:24:42Z",
"description": "These Shared Resources will be available to all policies within the Security Configuration",
"id": 672607,
"matchType": "path",
"name": "These Shared Resources will be available to all policies within the Security Configuration",
"pathMatchType": "Custom",
"pathUriPositiveMatch": true,
"requestType": "ClientRequest",
"sameActionOnIpv6": true,
"type": "WAF",
"updateDate": "2017-09-08T22:24:42Z",
"useXForwardForHeaders": false,
"used": true,
"additionalMatchOptions": [
{
"positiveMatch": true,
"type": "NetworkListCondition",
"values": [
"25620_REPUTATIONWHITELIST174",
"11212_BYPASSURR"
]
},
{
"positiveMatch": true,
"type": "RequestMethodCondition",
"values": [
"GET",
"HTTP_DELETE"
]
},
{
"positiveMatch": true,
"type": "UserAgentCondition",
"values": [
"MOZILLA",
"Googlebot"
]
},
{
"positiveMatch": true,
"type": "RequestMethodCondition",
"values": [
"GET",
"POST",
"HEAD"
]
},
{
"positiveMatch": true,
"type": "ResponseStatusCondition",
"values": [
"400",
"401",
"402",
"403",
"404",
"405",
"406",
"407",
"408",
"409",
"410",
"500",
"501",
"502",
"503",
"504"
]
}
],
"queryParameters": [
{
"name": "param1",
"positiveMatch": false,
"valueInRange": true,
"values": [
"value1"
]
}
]
}
],
"reputationProfiles": [
{
"context": "SCANTL",
"contextReadable": "Scanning Tools",
"enabled": true,
"id": 210588,
"name": "Scanning Tools (Low Threat)",
"threshold": 5
},
{
"context": "WEBATCK",
"contextReadable": "Web Attackers",
"enabled": false,
"id": 210578,
"name": "Web Attackers (Low Threat)",
"threshold": 5,
"condition": {
"canDelete": false,
"configVersionId": 152889,
"id": 88112456,
"name": "Cloned of 87956156 for version 152889",
"positiveMatch": true,
"uuid": "SEC_COND_88112456",
"version": 1504909482545,
"atomicConditions": [
{
"className": "RequestHeaderCondition",
"index": 1,
"nameWildcard": false,
"positiveMatch": true,
"valueCase": false,
"valueWildcard": false,
"name": [
"test*"
],
"value": [
"test*"
]
},
{
"className": "RequestHeaderCondition",
"index": 2,
"nameWildcard": true,
"positiveMatch": true,
"valueCase": false,
"valueWildcard": true,
"name": [
"Head",
"Header"
],
"value": [
"Header value"
]
},
{
"checkIps": "connecting",
"className": "NetworkListCondition",
"index": 3,
"positiveMatch": true,
"value": [
"14121_IMAGEMANAGERSERVERS"
]
},
{
"className": "RequestCookieCondition",
"index": 4,
"name": "cookieName",
"nameCase": false,
"nameWildcard": true,
"positiveMatch": true,
"valueCase": false,
"valueWildcard": true,
"value": [
"cookieValue"
]
},
{
"checkIps": "connecting",
"className": "AsNumberCondition",
"index": 5,
"positiveMatch": true,
"value": [
"5"
]
}
]
}
}
],
"customRules": [
{
"configId": 77653,
"id": 776532,
"name": "UXR-715 RE2 Second Test with Flags",
"ruleActivated": false,
"structured": true,
"version": 1,
"tag": [
"tagfor",
"17.2"
],
"conditions": [
{
"type": "requestMethodMatch",
"positiveMatch": true,
"value": [
"GET"
]
}
]
},
{
"configId": 77653,
"description": "Test CR",
"id": 600001,
"name": "Test CR",
"ruleActivated": false,
"structured": true,
"version": 1,
"tag": [
"Test",
"Tag"
],
"conditions": [
{
"type": "extensionMatch",
"positiveMatch": true,
"valueCase": true,
"valueWildcard": false,
"value": [
"fdf"
]
}
]
},
{
"configId": 77653,
"description": "Test CR",
"id": 600006,
"name": "Test CR",
"ruleActivated": false,
"structured": true,
"version": 1,
"tag": [
"k"
],
"conditions": [
{
"type": "cookieMatch",
"name": "kids",
"nameCase": true,
"nameWildcard": false,
"positiveMatch": true,
"valueCase": true,
"valueWildcard": true,
"value": [
"dsds",
"dasdqw",
"dsa",
"dqwd",
"csqw"
]
}
]
},
{
"configId": 77653,
"id": 606713,
"name": "Test",
"ruleActivated": false,
"structured": true,
"version": 1,
"tag": [
"adsa"
],
"conditions": [
{
"type": "pathMatch",
"positiveMatch": true,
"value": [
"/login"
]
}
]
},
{
"configId": 77653,
"description": "Test CR",
"id": 690265,
"name": "Test CR2",
"ruleActivated": false,
"structured": true,
"version": 1,
"tag": [
"ee"
],
"conditions": [
{
"type": "argsPostMatch",
"name": "fvfv",
"positiveMatch": true,
"value": [
"fgbr"
]
},
{
"type": "requestHeaderMatch",
"nameWildcard": true,
"positiveMatch": true,
"valueCase": false,
"valueWildcard": true,
"name": [
"test"
],
"value": [
"test1"
]
}
]
},
{
"configId": 77653,
"id": 667825,
"inspectRequest": false,
"inspectResponse": false,
"metadata": "<match:variable name=\"MY_SAMPLE_THREAT_DETECTED\" result=\"true\" value=\"execute rule\">\n<match:regex impl=\"re2\" regex=\"^\\d+$\" result=\"false\" select=\"REQUEST_HEADERS:Content-Length\" strict-err-check-re2=\"on\" transform=\"urlDecodeUni\">\n<security:firewall.action>\n<msg>UXR-715 CRB Metadata testing</msg>\n<tag>CUSTOM/TEST</tag>\n<id>667825</id>\n<deny>%(WAF_CUSTOM_R667825_DENY)</deny>\n<data>threat indicated from data %(MY_SAMPLE_THREAT_DETECTED)</data>\n<http-status>403</http-status>\n</security:firewall.action>\n</match:regex>\n</match:variable>\n",
"name": "UXR-715 RE27890",
"ruleActivated": false,
"structured": false,
"version": 1
}
],
"rulesets": [
{
"id": 41,
"rulesetVersionId": 327550,
"type": "Kona",
"releaseDate": "2017-04-21T16:00:38Z",
"attackGroups": [
{
"group": "DDOS",
"groupName": "Anomaly Score Exceeded for DDoS",
"threshold": 5
},
{
"group": "IN",
"groupName": "Anomaly Score Exceeded for Inbound",
"threshold": 30
},
{
"group": "SQL",
"groupName": "Anomaly Score Exceeded for SQL Injection",
"threshold": 19
},
{
"group": "TROJAN",
"groupName": "Anomaly Score Exceeded for Trojan",
"threshold": 4
},
{
"group": "XSS",
"groupName": "Anomaly Score Exceeded for Cross-Site Scripting",
"threshold": 9
}
],
"rules": [
{
"id": 699989,
"inspectRequestBody": false,
"inspectResponseBody": false,
"ruleVersion": 1,
"score": 5,
"tag": "<AKAMAI/PRAGMA_DEFLECTION>",
"title": "Akamai-X debug Pragma header detected and removed"
},
{
"id": 699990,
"inspectRequestBody": false,
"inspectResponseBody": false,
"ruleVersion": 1,
"score": 5,
"tag": "<AKAMAI/EDGESCAPE_ANONYMOUS_PROXY_v1>",
"title": "Detected request from anonymous proxy"
},
{
"id": 981252,
"inspectRequestBody": true,
"inspectResponseBody": false,
"ruleVersion": 4,
"score": 5,
"tag": "<OWASP_CRS/WEB_ATTACK/SQL_INJECTION>",
"title": "MySQL Charset Switch and MSSQL DoS Attempts",
"attackGroups": [
"SQL",
"IN"
]
},
{
"id": 3000060,
"inspectRequestBody": true,
"inspectResponseBody": false,
"ruleVersion": 2,
"score": 1000,
"tag": "<AKAMAI/AUTOMATION/MALICIOUS>",
"title": "Mirai / Kaiten DDoS Detection - HTTP Attacks",
"attackGroups": [
"IN",
"DDOS"
]
},
{
"id": 3000061,
"inspectRequestBody": true,
"inspectResponseBody": false,
"ruleVersion": 1,
"score": 5,
"tag": "<AKAMAI/WEB_ATTACK/XSS>",
"title": "Referer Header From OpenBugBounty Website - Potential XSS",
"attackGroups": [
"XSS",
"IN"
]
}
]
}
],
"securityPolicies": [
{
"id": "qik2_38799",
"name": "Generated Quick Policy - 4/10/17 7:13:18 PM GMT",
"hasRatePolicyWithApiKey": false,
"pragmaHeader": {
"action": "REMOVE",
"conditionOperator": "AND",
"override": true,
"excludeCondition": [
{
"header": "Expect",
"positiveMatch": true,
"type": "requestHeaderValueMatch",
"useHeaders": false,
"valueCase": true,
"valueWildcard": true,
"value": [
"dasd"
]
},
{
"positiveMatch": true,
"type": "networkList",
"useHeaders": true,
"valueCase": false,
"valueWildcard": false,
"value": [
"62569_AEPUAT1PARTNERSSTRICTWL"
]
}
]
},
"networkLayerControls": {
"block": "blockSpecificIPGeo",
"geoControls": {
"blockedIPNetworkLists": {
"additional": [
"AF",
"AS"
],
"networkList": [
"4389_BLANKLIST"
]
}
},
"slowPost": {
"action": "alert",
"durationThreshold": {
"timeout": 5
},
"slowRateThreshold": {
"rate": 10,
"period": 60
}
},
"ipControls": {
"allowedIPNetworkLists": {
"additional": [
"198.51.100.147"
],
"networkList": [
"12801_25000",
"19440_1671"
]
},
"blockedIPNetworkLists": {
"additional": [
"192.0.2.1"
],
"networkList": [
"16656_CPISERVERS",
"18460_166RELEASETESTING"
]
}
}
},
"ruleActions": [
{
"action": "alert",
"id": 960912,
"rulesetVersionId": 327550
},
{
"action": "alert",
"id": 960035,
"rulesetVersionId": 327550
},
{
"action": "alert",
"id": 981300,
"rulesetVersionId": 327550
},
{
"action": "deny",
"id": 3000001,
"rulesetVersionId": 327550
},
{
"action": "alert",
"id": 970903,
"rulesetVersionId": 327550,
"exception": {
"values": [
"test",
"sdfasf"
],
"selectors": [
{
"type": "GENERIC",
"selector": "REQUEST_COOKIES"
},
{
"type": "EXACT",
"name": "cccx",
"selector": "XML_PAIRS",
"value": "vvv"
},
{
"type": "GENERIC",
"selector": "REQUEST_COOKIES"
},
{
"type": "GENERIC",
"selector": "ARGS"
}
]
},
"conditions": [
{
"type": "hostMatch",
"positiveMatch": true,
"hosts": [
"www.example.com",
"*.example.com"
]
},
{
"type": "pathMatch",
"positiveMatch": false,
"paths": [
"/a/d",
"/test/"
]
},
{
"type": "uriQueryMatch",
"caseSensitive": false,
"name": "test",
"nameCase": false,
"positiveMatch": false,
"value": "value",
"wildcard": false
},
{
"type": "requestHeaderMatch",
"header": "user-agent",
"positiveMatch": false,
"value": "test-agent-*",
"valueCase": false,
"valueWildcard": true
}
]
}
],
"attackGroupActions": [
{
"action": "deny",
"group": "SQL",
"rulesetVersionId": 327550,
"exception": {
"specificHeaderCookieParamXmlOrJsonNames": [
{
"selector": "REQUEST_HEADERS_NAMES",
"wildcard": true
},
{
"selector": "REQUEST_HEADERS",
"wildcard": true,
"names": [
"test"
]
},
{
"selector": "REQUEST_COOKIES_NAMES",
"wildcard": true
},
{
"selector": "REQUEST_COOKIES",
"wildcard": true,
"names": [
"XSRF_TOKEN"
]
},
{
"selector": "ARGS_NAMES",
"wildcard": true
},
{
"selector": "ARGS",
"wildcard": true,
"names": [
"value"
]
},
{
"selector": "JSON_NAMES",
"wildcard": true
},
{
"selector": "JSON_PAIRS",
"wildcard": true,
"names": [
"val"
]
},
{
"selector": "XML_PAIRS",
"wildcard": true,
"names": [
"test"
]
},
{
"selector": "REQUEST_PROTOCOL",
"wildcard": true
},
{
"selector": "REQUEST_METHOD",
"wildcard": true
},
{
"selector": "REQUEST_URI",
"wildcard": true
},
{
"selector": "QUERY_STRING",
"wildcard": true
},
{
"selector": "REQUEST_FILENAME",
"wildcard": true
},
{
"selector": "REQUEST_PATH_SEGMENT",
"wildcard": true
},
{
"selector": "REQUEST_BODY",
"wildcard": true
},
{
"selector": "REQBODY_PROCESSOR_ERROR",
"wildcard": true
},
{
"selector": "FILES_NAMES",
"wildcard": true
}
]
}
},
{
"action": "deny",
"group": "XSS",
"rulesetVersionId": 327550
},
{
"action": "deny",
"group": "IN",
"rulesetVersionId": 327550
}
],
"customRuleActions": [
{
"action": "deny",
"id": 628035
},
{
"action": "alert",
"id": 628037
}
],
"reputationProfileActions": [
{
"action": "alert",
"id": 281778
},
{
"action": "deny",
"id": 210588
}
],
"ratePolicyActions": [
{
"id": 0,
"ipv4Action": "alert",
"ipv6Action": "deny"
},
{
"id": 0,
"ipv4Action": "alert",
"ipv6Action": "none"
}
]
},
{
"id": "qqqq_39297",
"name": "qqqqqq",
"hasRatePolicyWithApiKey": false
},
{
"id": "178t_48704",
"name": "Copy of Tet-a-Tet with 17.8",
"hasRatePolicyWithApiKey": false,
"networkLayerControls": {
"block": "blockSpecificIPGeo",
"ipControls": {
"blockedIPNetworkLists": {
"networkList": [
"24321_TESTNW"
]
}
}
},
"apiRequestConstraints": {
"action": "",
"apiEndpoints": [
{
"id": 1941,
"action": "alert"
},
{
"id": 1942,
"action": "alert"
},
{
"id": 1943,
"action": "alert"
}
]
},
"reputationProfileActions": [
{
"action": "alert",
"id": 281778
},
{
"action": "alert",
"id": 281776
}
]
}
]
}
Run List configurations and select a
configId.Run List configuration versions and select a
versionNumber.Make a GET request to
/appsec/.v1/ export/ configs/ {configId}/ versions/ {versionNumber}
The response is a Configuration object containing all configured hostnames, match targets, and custom rules.
Data
This section provides you with the data model for the Application Security API.
Download the JSON schemas for this API.
This section’s data schema tables list membership requirements as follows:
| ✓ | Member is required in requests, or always present in responses, even if its value is empty or null. |
| ○ | Member is optional, and may be omitted in some cases. |
| ✗ | Member is out of scope, and irrelevant to the specified interaction context. If you include the member in that context, it either triggers an error, or is ignored. |
Configuration
Contains details about a security configuration.
Download schema:
configListing.json
Sample GET response:
{
"configurations": [
{
"id": 22330,
"latestVersion": 5,
"name": "CaroTestTransition2Versioning",
"description": "(user notes)"
},
{
"id": 7180,
"latestVersion": 9,
"name": "Corporate Sites WAF",
"productionVersion": 1,
"stagingVersion": 2,
"productionHostnames": [
"example.com",
"www.example.net",
"m.example.com"
]
}
]
}
Configuration members
| Member | Type | Required | Description |
|---|---|---|---|
Configuration: Contains details about a security configuration. |
|||
description |
String | ○ | Describes the security configuration. |
id |
Integer | ✓ | Uniquely identifies the security configuration. |
latestVersion |
Integer | ✓ | The latest version of the security configuration. |
name |
String | ✓ | The security configuration name. |
production |
Array | ○ | The list of hostnames protected by this security configuration in the production network. |
production |
Integer | ○ | The latest security configuration version active in the production network. |
stagingVersion |
Integer | ○ | The latest security configuration version active in the staging network. |
RenameConfiguration
Contains details of a security configuration.
Download schema:
configRename.json
Sample PUT request:
{
"name": "newapitest",
"description": "description1"
}
RenameConfiguration members
| Member | Type | Required | Description |
|---|---|---|---|
RenameConfiguration: Contains details of a security configuration. |
|||
description |
String | ○ | Describes the security configuration. |
name |
String | ✓ | The name you assigned to the security configuration. |
ContractGroup
Specifies contracts and groups that have Kona Site Defender or Web Application Firewall.
Download schema:
contractGroups.json
Sample GET response:
{
"contract_groups": [
{
"contractId": "F-I5PAH1",
"displayName": "Main Street Corporation ",
"groupId": 42085
},
{
"contractId": "F-I5PAH1",
"displayName": "AltQ",
"groupId": 51308
},
{
"contractId": "F-I5PAH1",
"displayName": "BV QA",
"groupId": 41118
}
]
}
ContractGroup members
| Member | Type | Required | Description |
|---|---|---|---|
ContractGroup: Specifies contracts and groups that have Kona Site Defender or Web Application Firewall. |
|||
contractId |
String | ○ | A unique identifier for a contract. |
displayName |
String | ○ | The display name for a contract group pair. |
groupId |
Integer | ○ | A unique identifier for a group. |
VersionList
Contains details about a security configuration’s versions.
Download schema:
wafConfigVersionListDto.json
Sample GET response:
{
"totalSize": 3,
"pageSize": 3,
"page": 1,
"configId": 48579,
"configName": "TestConfig",
"stagingExpediteRequestId": 5861,
"productionExpediteRequestId": 6951,
"productionActiveVersion": 9,
"stagingActiveVersion": 8,
"lastCreatedVersion": 9,
"versionList": [
{
"version": 9,
"versionNotes": "Membership Benefits",
"createDate": "2013-10-07T17:58:52Z",
"createdBy": "user1",
"basedOn": 8,
"production": {
"status": "Active",
"time": "2014-07-08T07:40:00Z"
},
"staging": {
"status": "Inactive"
}
},
{
"version": 8,
"versionNotes": "Membership Benefits",
"createDate": "2013-10-07T17:41:52Z",
"createdBy": "user2",
"basedOn": 7,
"production": {
"status": "Inactive"
},
"staging": {
"status": "Active",
"time": "2014-07-08T07:40:00Z"
}
},
{
"version": 7,
"versionNotes": "Membership Benefits",
"createDate": "2013-08-07T17:41:52Z",
"createdBy": "user3",
"production": {
"status": "Inactive"
},
"staging": {
"status": "Inactive"
}
}
]
}
VersionList members
| Member | Type | Required | Description |
|---|---|---|---|
VersionList: Contains details about a security configuration’s versions. |
|||
configId |
Integer | ✓ | Uniquely identifies the security configuration. |
configName |
String | ✓ | The name you assigned to the security configuration. |
last |
Integer | ✓ | The version number of the security configuration that you created most recently. |
page |
Integer | ✓ | The current page number. |
pageSize |
Integer | ✓ | Represents the number of items per page. |
production |
Integer | ○ | The version number of the security configuration that is currently active on the production network. |
production |
Integer | ○ | Uniquely identifies the expedite activation request of the configuration version on the production network. |
staging |
Integer | ○ | The version number of the security configuration that is currently active on the staging network. |
staging |
Integer | ○ | Uniquely identifies the expedite activation request of the configuration version on the staging network. |
totalSize |
Integer | ✓ | The total number of configuration versions. |
versionList |
Version array | ○ | The security configuration’s versions. |
Version
Contains configuration version details.
Download schema:
wafConfigVersionDto.json
Sample full GET response:
{
"configId": 48579,
"configName": "TestConfig",
"version": 2,
"versionNotes": "Membership Benefits",
"createDate": "2013-10-07T17:58:52Z",
"createdBy": "user1",
"basedOn": 1,
"production": {
"status": "Active",
"time": "2014-07-08T07:40:00Z"
},
"staging": {
"status": "Inactive"
}
}
Version members
| Member | Type | Required | Description |
|---|---|---|---|
Version: Contains configuration version details. |
|||
basedOn |
Integer | ○ | Read-only. The version from which you cloned this version. |
configId |
Integer | ✓ | Read-only. Uniquely identifies the security configuration. |
configName |
String | ✓ | The security configuration name. |
createDate |
String | ○ | Read-only. The date when you created the configuration version. |
createdBy |
String | ○ | Read-only. The user who created the configuration version. |
production |
Version. |
✓ | Read-only. The activation status of the configuration version in the production network. |
staging |
Version. |
✓ | Read-only. The activation status of the configuration version in the staging network. |
version |
Integer | ✓ | The security configuration version. |
versionNotes |
String | ○ | The notes you entered for the configuration version. |
Version.production: The activation status of the configuration version in the production network. |
|||
action |
Enumeration | ○ | The action taken on the configuration version. Either ACTIVATE or DEACTIVATE. |
status |
Enumeration | ✓ | The activation status, either Pending, Active, Inactive, Deactivated, or Failed. |
time |
String | ○ | The activation time. |
Version.staging: The activation status of the configuration version in the staging network. |
|||
action |
Enumeration | ○ | The action taken on the configuration version. Either ACTIVATE or DEACTIVATE. |
status |
Enumeration | ✓ | The activation status, either Pending, Active, Inactive, Deactivated, or Failed. |
time |
String | ○ | The ISO 8601 time stamp indicating the activation time. |
VersionNotes
Specifies the setting for a version note update request.
Download schema:
versionNotesSetRequest.json
VersionNotes members
| Member | Type | Required | Description |
|---|---|---|---|
VersionNotes: Specifies the setting for a version note update request. |
|||
notes |
String | ○ | The version notes. |
ConfigurationClone
Specifies the settings for a new clone of a security configuration.
Download schema:
configCloneCreate.json
Sample POST request:
{
"createFromVersion": 1,
"ruleUpdate": false
}
ConfigurationClone members
| Member | Type | Required | Description |
|---|---|---|---|
ConfigurationClone: Specifies the settings for a new clone of a security configuration. |
|||
create |
Integer | ✓ | The configuration version to clone from. |
ruleUpdate |
Boolean | ✓ | Specifies whether the application rules should be migrated to the latest version. |
SelectableHostnames
Contains the list of hostnames available for protection and its details.
Download schema:
hostInfoInConfiguration.json
Sample GET response:
{
"configId": 123,
"configVersion": 2,
"protectARLInclusionHost": true,
"availableSet": [
{
"arlInclusion": true,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": 77653,
"configNameInProduction": "WAF Security File",
"hostname": "example.com"
},
{
"arlInclusion": true,
"activeInProduction": false,
"activeInStaging": true,
"configIdInProduction": 51074,
"configNameInProduction": "A PUBLIC CONFIG",
"hostname": "www.example.com"
},
{
"arlInclusion": true,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": 65473,
"configNameInProduction": "Other Security Configuration",
"hostname": "www.example-123.com"
}
],
"errorSet": [
{
"hostname": "*.example.net",
"reason": "property is not active in either production or staging",
"reasonCode": 400
},
{
"hostname": "test-example.net",
"reason": "You don't have access to this property",
"reasonCode": 403
}
],
"selectedSet": [
{
"arlInclusion": false,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": 11887,
"configNameInProduction": "Rbac Test Config",
"hostname": "m.example.com"
},
{
"arlInclusion": false,
"activeInProduction": true,
"activeInStaging": true,
"configIdInProduction": null,
"configNameInProduction": null,
"hostname": "m.example-123.com"
}
]
}
SelectableHostnames members
| Member | Type | Required | Description |
|---|---|---|---|
SelectableHostnames: Contains the list of hostnames available for protection and its details. |
|||
availableSet |
Set array | ○ | The available hosts set for the current user. |
configId |
Integer | ✓ | Uniquely identifies the security configuration. |
configVersion |
Integer | ✓ | The security configuration version. |
errorSet |
Selectable |
○ | The requested hosts aren’t available in this configuration version. |
protect |
Boolean | ✓ | Whether the host defined in the ARL file has legacy WAF enabled in the configuration. |
selectedSet |
Set array | ○ | The selected set of hostnames in this configuration version. |
SelectableHostnames.errorSet[]: The requested hosts aren’t available in this configuration version. |
|||
hostname |
String | ✓ | The hostname that triggers an error. |
reason |
String | ✓ | The reason why the hosts aren’t protectable in this configuration version. |
reasonCode |
Integer | ✓ | The error status code for the hostname. |
Set
Contains details about the hostname and its status.
Download schema:
hostNameObject.json
Set members
| Member | Type | Required | Description |
|---|---|---|---|
Set: Contains details about the hostname and its status. |
|||
active |
Boolean | ○ | Whether the hostname is active in the production network. |
activeInStaging |
Boolean | ○ | Whether the hostname is active in the staging network. |
arlInclusion |
Boolean | ○ | Whether the hostname is Akamai Resource Locator (ARL) included. |
config |
Integer | ○ | Uniquely identifies the configuration that protects the hostname. |
config |
String | ○ | The name of the configuration that protects the hostname. |
hostname |
String | ✓ | The hostname. |
SelectedHostnames
Contains a list of selected hostnames for the specified configuration version.
Download schema:
hostnameList.json
Sample GET response:
{
"mode": "append",
"hostnameList": [
{
"hostname": "*.example.net"
},
{
"hostname": "example.com"
},
{
"hostname": "m.example.com"
}
]
}
SelectedHostnames members
| Member | Type | Required | Description |
|---|---|---|---|
SelectedHostnames: Contains a list of selected hostnames for the specified configuration version. |
|||
hostnameList |
Selected |
✓ | The list of hostnames for a configuration version. |
mode |
Enumeration | ○ | The type of update you want to make to the evaluation hostname list. Use append to add additional hostnames, remove to delete the hostnames from the list, or replace to replace the existing list with the hostnames you pass in your request. |
SelectedHostnames.hostnameList[]: The list of hostnames for a configuration version. |
|||
hostname |
String | ✓ | The hostname on which to match the request. |
SecurityPolicy
Specifies the details of a security policy.
Download schema:
securityPolicyDto.json
Sample POST response:
{
"configId": 51074,
"version": 8,
"policies": [
{
"policyId": "NN3_61",
"policyName": "NN FW 3",
"hasRatePolicyWithApiKey": true,
"policySecurityControls": {
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": false,
"applyReputationControls": false,
"applyBotmanControls": true,
"applyApiConstraints": false,
"applySlowPostControls": false
}
},
{
"policyId": "NN_2",
"policyName": "NN FW 1",
"hasRatePolicyWithApiKey": false,
"policySecurityControls": {
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": false,
"applyReputationControls": false,
"applyBotmanControls": false,
"applyApiConstraints": false,
"applySlowPostControls": false
}
},
{
"policyId": "NN-2_3",
"policyName": "NN FW 2",
"hasRatePolicyWithApiKey": true,
"policySecurityControls": {
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": false,
"applyReputationControls": false,
"applyBotmanControls": false,
"applyApiConstraints": false,
"applySlowPostControls": false
}
}
]
}
SecurityPolicy members
| Member | Type | Required | Description |
|---|---|---|---|
SecurityPolicy: Specifies the details of a security policy. |
|||
configId |
Integer | ○ | Uniquely identifies the security configuration. |
has |
Boolean | ✓ | Indicates whether this security policy has a rate policy which has API_KEY as a client identifier. APIs are managed using the API Endpoint Definition API. |
policyId |
String | ✓ | Uniquely identifies the security policy. |
policyName |
String | ✓ | The name of the security policy. |
policy |
Security |
✓ | The status of security controls defined in the security policy. |
version |
Integer | ○ | The version number of the security configuration. |
SecurityPolicyClone
Specifies the settings for a new clone of a security policy.
Download schema:
securityPolicyCloneRequest.json
Sample POST request:
{
"createFromSecurityPolicy": "1_35752",
"policyName": "Open Cloned IV 2",
"policyPrefix": "bt17"
}
SecurityPolicyClone members
| Member | Type | Required | Description |
|---|---|---|---|
SecurityPolicyClone: Specifies the settings for a new clone of a security policy. |
|||
create |
String | ○ | The unique identifier (policyId) of the source policy to create the new policy from. |
defaultSettings |
String | ○ | The default settings on the policy. If not provided, the defaultSettings is true. |
policyName |
String | ○ | The name of the security policy. If not provided, the system generates a name automatically with the pattern ‘clone from |
policyPrefix |
String | ○ | The four-character alphanumeric string prefix for the policyId. If not provided, the prefix is autogenerated. |
source |
String | ○ | The source for the new the policy. If not provided, the source is blank. Other values are ‘default’ or the source security policy Id. |
HeaderLog
Describes the security policy HTTP header-logging settings.
Download schema:
policyHttpHeaderLoggingSetRequest.json
Sample PUT request:
{
"override": true,
"allowSampling": true,
"cookies": {
"type": "all"
},
"customHeaders": {
"type": "exclude",
"values": [
"csdasdad"
]
},
"standardHeaders": {
"type": "only",
"values": [
"Accept"
]
}
}
HeaderLog members
| Member | Type | Required | Description |
|---|---|---|---|
HeaderLog: Describes the security policy HTTP header-logging settings. |
|||
allowSampling |
Boolean | ○ | Whether you enabled the header data sampling. |
cookies |
Header |
○ | When enabled, filter requests whose headers you log by cookie. |
customHeaders |
Header |
○ | When enabled, filter requests you log by custom headers you specify. |
override |
Boolean | ✓ | When enabled, your security configuration won’t log any header data for security events triggered by settings in the security configuration. |
standardHeaders |
Header |
○ | When enabled, filter requests you log by standard headers you specify. |
HeaderLog.cookies: When enabled, filter requests whose headers you log by cookie. |
|||
type |
Enumeration | ✓ | Use all to log headers for all requests with any standard header. Use none to exclude headers for any requests with any standard header from logging. Use exclude to exclude headers for requests with specific standard headers. Use only to include headers for requests with specific standard headers. |
values |
Array | ○ | List of headers to include or exclude depending on the type setting. |
HeaderLog.customHeaders: When enabled, filter requests you log by custom headers you specify. |
|||
type |
Enumeration | ✓ | Use all to log headers for all requests with any standard header. Use none to exclude headers for any requests with any standard header from logging. Use exclude to exclude headers for requests with specific standard headers. Use only to include headers for requests with specific standard headers. |
values |
Array | ○ | List of headers to include or exclude depending on the type setting. |
HeaderLog.standardHeaders: When enabled, filter requests you log by standard headers you specify. |
|||
type |
Enumeration | ✓ | Use all to log headers for all requests with any standard header. Use none to exclude headers for any requests with any standard header from logging. Use exclude to exclude headers for requests with specific standard headers. Use only to include headers for requests with specific standard headers. |
values |
Array | ○ | List of headers to include or exclude depending on the type setting. |
ConfigHeaderLog
The PUT Request JSON for HTTP Header Logging.
Download schema:
httpHeaderLoggingSetRequest.json
Sample PUT request:
{
"allowSampling": true,
"cookies": {
"type": "all"
},
"customHeaders": {
"type": "exclude",
"values": [
"csdasdad"
]
},
"standardHeaders": {
"type": "only",
"values": [
"Accept"
]
}
}
ConfigHeaderLog members
| Member | Type | Required | Description |
|---|---|---|---|
ConfigHeaderLog: The PUT Request JSON for HTTP Header Logging. |
|||
allowSampling |
Boolean | ✓ | Whether to enable HTTP Header logging |
cookies |
Config |
○ | Settings for cookie headers. |
customHeaders |
Config |
○ | Settings for custom headers. |
standardHeaders |
Config |
○ | Settings for standard headers. |
ConfigHeaderLog.cookies: Settings for cookie headers. |
|||
type |
Enumeration | ✓ | Use all to log headers for all requests with any standard header. Use none to exclude headers for any requests with any standard header from logging. Use exclude to exclude headers for requests with specific standard headers. Use only to include headers for requests with specific standard headers. |
values |
Array | ○ | List of headers to include or exclude depending on the type setting. |
ConfigHeaderLog.customHeaders: Settings for custom headers. |
|||
type |
Enumeration | ✓ | Use all to log headers for all requests with any standard header. Use none to exclude headers for any requests with any standard header from logging. Use exclude to exclude headers for requests with specific standard headers. Use only to include headers for requests with specific standard headers. |
values |
Array | ○ | List of headers to include or exclude depending on the type setting. |
ConfigHeaderLog.standardHeaders: Settings for standard headers. |
|||
type |
Enumeration | ✓ | Use all to log headers for all requests with any standard header. Use none to exclude headers for any requests with any standard header from logging. Use exclude to exclude headers for requests with specific standard headers. Use only to include headers for requests with specific standard headers. |
values |
Array | ○ | List of headers to include or exclude depending on the type setting. |
PrefetchRequest
The PUT Request JSON for Prefetch Requests.
Download schema:
prefetchRequestSetRequest.json, prefetchRequestGetSuccess.json
Sample PUT request:
{
"allExtensions": false,
"enableAppLayer": true,
"enableRateControls": false,
"extensions": [
"cgi",
"jsp",
"EMPTY_STRING",
"aspx",
"py",
"php",
"asp"
]
}
Sample GET response:
{
"allExtensions": false,
"enableAppLayer": true,
"enableRateControls": false,
"extensions": [
"cgi",
"jsp",
"EMPTY_STRING",
"aspx",
"py",
"php",
"asp"
]
}
PrefetchRequest members
| Member | Type | PUT | GET | Description |
|---|---|---|---|---|
PrefetchRequest: The PUT Request JSON for Prefetch Requests. |
||||
allExtensions |
Boolean | ○ | ✓ | Whether to enable prefetch requests for all extensions. |
enableAppLayer |
Boolean | ○ | ✓ | Whether to enable Prefetch Requests. |
enable |
Boolean | ○ | ✓ | Whether to enable Prefetch Requests for rate controls. |
extensions |
Array | ○ | ○ | List of extensions. |
InspectionLimit
Contains the size limits for a request body.
Download schema:
requestBodyDto.json
Sample PUT response:
{
"requestBodySizeInKB": 16
}
InspectionLimit members
| Member | Type | Required | Description |
|---|---|---|---|
InspectionLimit: Contains the size limits for a request body. |
|||
request |
Enumeration | ○ | Request body size in KB, either 8, 16, or 32 as string-formatted integers, or default to use Akamai’s best practice value. |
ThreatIntel
Describes operational settings for adaptive intelligence.
Download schema:
threatIntel.json
Sample PUT response:
{
"threatIntel": "on"
}
ThreatIntel members
| Member | Type | Required | Description |
|---|---|---|---|
ThreatIntel: Describes operational settings for adaptive intelligence. |
|||
action |
Enumeration | ○ | Set to on so our network analyzes a request and dynamically modifies protection methods to fit the detected threat level. Set to off to manually fine-tune your rule sets. |
PragmaHeader
Describes which headers you can exclude from inspection when you pass a Pragma debug header.
Download schema:
pragmaHeaderDto.json
Sample PUT request:
{
"action": "REMOVE",
"conditionOperator": "AND",
"excludeCondition": [
{
"type": "requestHeaderValueMatch",
"positiveMatch": true,
"header": "accept",
"valueCase": true,
"valueWildcard": true,
"value": [
"application/json",
"application/xml"
]
},
{
"type": "ipMatch",
"positiveMatch": true,
"useHeaders": false,
"value": [
"192.0.2.1",
"198.51.100.0/24"
]
},
{
"type": "networkList",
"positiveMatch": true,
"value": [
"123_3ALLOWEDIPS"
]
},
{
"type": "queryParamNameValueMatch",
"positiveMatch": true,
"name": "type",
"valueCase": true,
"valueWildcard": false,
"value": [
"type A",
"type B"
]
}
]
}
PragmaHeader members
| Member | Type | Required | Description |
|---|---|---|---|
PragmaHeader: Describes which headers you can exclude from inspection when you pass a Pragma debug header. |
|||
action |
Enumeration | ✓ | The action to perform when a user passes a Pragma header. The only action currently supported is REMOVE. |
condition |
Enumeration | ○ | Use OR to match any condition, or AND to match on all conditions. |
excludeCondition |
Pragma |
○ | The conditions to exclude from the default remove action. Any condition you set in this object appears in the Pragma header debug response object. |
PragmaHeader.excludeCondition[]: The conditions to exclude from the default remove action. Any condition you set in this object appears in the Pragma header debug response object. |
|||
header |
String | ○ | The name of the request header. In the example, accept. |
name |
String | ○ | The name of the request header to ignore from inspection. In the example, type. |
positiveMatch |
Boolean | ✓ | When true, matches the selected values. When false, matches on anything outside the selected values. |
type |
Enumeration | ✓ | The header value you want to appear in the response. You can choose from requestHeaderValueMatch, ipMatch, networkList, or queryParamNameValueMatch. |
useHeaders |
Boolean | ○ | Whether the condition should include the X-Forwarded-For header (XFF) header. This only applies when the condition type is IP_MATCH or NETWORK_LIST. |
value |
Array | ✓ | List of header values, query parameter values, IP addresses, or names of network lists. To manage networks lists, use the Network Lists API. |
valueCase |
Boolean | ○ | Whether to consider the case-sensitivity of the provided header value. This only applies when the condition type is REQUEST_HEADER_VALUE_MATCH. |
valueWildcard |
Boolean | ○ | Whether the provided header value includes wildcards, such as * or ?. This only applies to the REQUEST_HEADER_VALUE_MATCH condition type. |
HostnameCoverage
Describes the coverage status for hostnames.
Download schema:
hostnameCoverageGetSuccess.json
Sample GET response:
{
"hostnameCoverage": [
{
"status": "covered",
"hasMatchTarget": true,
"hostname": "hola.example.com.mx",
"policyNames": [
"Main Street Corporation Mexico"
],
"configuration": {
"id": 57415,
"name": "Main Street Corporation Mexico",
"version": 37
}
},
{
"status": "covered",
"hasMatchTarget": true,
"hostname": "apiwork.example.com",
"policyNames": [
"AAG Sites"
],
"configuration": {
"id": 55851,
"name": "WFSLTD and API gateway portal",
"version": 2
}
},
{
"status": "covered",
"hasMatchTarget": true,
"hostname": "www.example.com",
"policyNames": [
"Main Street Corporation Canada"
],
"configuration": {
"id": 74656,
"name": "Main Street Corporation Canada",
"version": 53
}
}
]
}
HostnameCoverage members
| Member | Type | Required | Description |
|---|---|---|---|
HostnameCoverage: Describes the coverage status for hostnames. |
|||
configuration |
Hostname |
○ | The configuration details for hostname coverage. |
hasMatchTarget |
Boolean | ✓ | Whether this hostname has a match target. Hostnames need at least one match target to be protected. |
hostname |
String | ✓ | The hostname. |
policyNames |
Array | ○ | The policy name. |
status |
Enumeration | ✓ | If covered, the hostname is protected by your security configuration. If not_covered, your hostname is not protected by your security configuration. |
HostnameCoverage.configuration: The configuration details for hostname coverage. |
|||
id |
Integer | ✓ | The configuration ID. |
name |
String | ✓ | The name of the configuration. |
version |
String | ✓ | The configuration version number. |
HostnameOverlap
Describes configurations that use the same hostname, causing overlapping coverage.
Download schema:
hostnameCoverageOverlappingGetSuccess.json
HostnameOverlap members
| Member | Type | Required | Description |
|---|---|---|---|
HostnameOverlap: Describes configurations that use the same hostname, causing overlapping coverage. |
|||
overLappingList |
Hostname |
○ | The list of configurations that overlap coverage for the hostname. |
HostnameOverlap.overLappingList[]: The list of configurations that overlap coverage for the hostname. |
|||
configId |
Integer | ✓ | The configuration ID. |
configName |
String | ✓ | The configuration name. |
configVersion |
Integer | ✓ | The configuration version. |
contractId |
String | ○ | The contract ID. |
contractName |
String | ○ | The contract name. |
hostnames |
Array | ○ | The version tag. |
SecurityControls
Describes the operational status of security controls.
Download schema:
securityControls.json
SecurityControls members
| Member | Type | Description |
|---|---|---|
SecurityControls: Describes the operational status of security controls. |
||
apply |
Boolean | Whether you enabled API constraints. |
apply |
Boolean | Whether you enabled application layer controls. |
apply |
Boolean | Whether you enabled Bot Manager controls. |
apply |
Boolean | Whether you enabled network layer controls. |
apply |
Boolean | Whether you enabled rate controls. |
apply |
Boolean | Whether you enabled reputation controls. |
apply |
Boolean | Whether you enabled slow post controls. |
Subscription
Specifies actions to subscribe a user to or remove a user from a subscription to tuning recommendation emails.
Download schema:
appsecConfigSubscriptionRequest.json
Sample POST request:
{
"action": "subscribe",
"emails": [
"subscriber1@email.example.com",
"subscriber2@email.example.com",
"subscriber3@email.example.com"
]
}
Subscription members
| Member | Type | Required | Description |
|---|---|---|---|
Subscription: Specifies actions to subscribe a user to or remove a user from a subscription to tuning recommendation emails. |
|||
action |
Enumeration | ✓ | Use subscribe to add user emails to the subscription. Use unsubscribe to remove them from the subscription. |
emails |
Array | ✓ | The user emails to add to or remove from subscription. |
Upgrade
Specifies KRS rule set upgrade details.
Download schema:
rulesGetUpgrade.json
Sample GET request:
{
"current": "KRS 1.0 (Apr 20, 2020)",
"evaluating": "KRS 1.0 (Mar 15, 2020)",
"latest": "KRS 1.0 (June 15, 2020)",
"KRSToEvalUpdates": {
"updatedRules": [
{
"id": 3000080,
"title": "Cross-site Scripting (XSS) Attack"
},
{
"id": 3000081,
"title": "PHP Injection Attack (Opening Tag)"
}
],
"newRules": [
{
"id": 3000082,
"title": "Cross-site Scripting (XSS) Attack: Attribute Injection"
},
{
"id": 3000083,
"title": "IE XSS Filters - Attack Detected"
}
]
},
"EvalToEvalUpdates": {
"newRules": [
{
"id": 3000090,
"title": "Cross-site Scripting (XSS) Attack: Attribute Injection"
}
]
},
"KRSToLatestUpdates": {
"deletedRules": [
{
"id": 3000048,
"title": "MSSQL Code Execution and Information Gathering Attempts"
}
],
"newRules": [
{
"id": 3000090,
"title": "Remote File Inclusion Attack"
},
{
"id": 3000091,
"title": "IE XSS Filters"
}
]
}
}
Upgrade members
| Member | Type | Required | Description |
|---|---|---|---|
Upgrade: Specifies KRS rule set upgrade details. |
|||
current |
String | ✓ | The version of the KRS rule set you currently have. |
eval |
Upgrade. |
✓ | Lists available updates to rules you’re currently evaluating but have not yet upgraded to. |
evaluating |
String | ✓ | The rule set you are currently evaluating. |
krsToEvalUpdates |
Upgrade. |
✓ | Lists any available updates for KRS rules. If the updatedRules array is empty, you have the latest available versions already. |
krs |
Upgrade. |
✓ | Lists any available KRS rule updates for rules that have been added, deleted, or modified. If you’re evaluating rules, these updates may be newer than rules you’re evaluating. |
latest |
String | ✓ | The latest available KRS rule set version. |
Upgrade.evalToEvalUpdates: Lists available updates to rules you’re currently evaluating but have not yet upgraded to. |
|||
deletedRules |
Rule array | ○ | The deleted rules. |
newRules |
Rule array | ○ | The new rules. |
updatedRules |
Rule array | ○ | The updated rules. |
Upgrade.krsToEvalUpdates: Lists any available updates for KRS rules. If the updatedRules array is empty, you have the latest available versions already. |
|||
deletedRules |
Rule array | ○ | The deleted rules. |
newRules |
Rule array | ○ | The new rules. |
updatedRules |
Rule array | ○ | The updated rules. |
Upgrade.krsToLatestUpdates: Lists any available KRS rule updates for rules that have been added, deleted, or modified. If you’re evaluating rules, these updates may be newer than rules you’re evaluating. |
|||
deletedRules |
Rule array | ○ | The deleted rules. |
newRules |
Rule array | ○ | The new rules. |
updatedRules |
Rule array | ○ | The updated rules. |
Rule
The updated rules.
Download schema:
rule.json
Rule members
| Member | Type | Required | Description |
|---|---|---|---|
Rule: The updated rules. |
|||
id |
Integer | ✓ | Uniquely identifies the rule. |
title |
String | ✓ | The rule title. |
EvalRule
The GET Response JSON for eval rule actions.
Download schema:
securityPolicyGetEvalRuleActionsSuccess.json, securityPolicySetEvalRuleActionRequest.json
Sample GET request:
{
"evalRuleActions": [
{
"action": "alert",
"id": 699989
},
{
"action": "alert",
"id": 699990
},
{
"action": "alert",
"id": 699991
},
{
"action": "alert",
"id": 699992
},
{
"action": "alert",
"id": 699993
},
{
"action": "alert",
"id": 699994
}
]
}
Sample PUT request:
{
"action": "alert"
}
EvalRule members
| Member | Type | GET | PUT | Description | ||||
|---|---|---|---|---|---|---|---|---|
EvalRule: The GET Response JSON for eval rule actions. |
||||||||
action |
Enumeration | ✗ | ✓ | The rule’s action, either alert, deny, or none. If the action is none, the rule is inactive in the policy. |
||||
evalRuleActions |
Eval |
○ | ✗ | Rule Action JSON Properties. | ||||
EvalRule.evalRuleActions[]: Rule Action JSON Properties. |
||||||||
action |
Enumeration | ✓ | ✗ | The list of rule actions, either alert, deny, or none. Use deny_custom_{custom_deny_id} to apply a custom action instead of Akamai’s default. Run Modify a custom deny action to manage your custom deny actions. If the action is none, the rule is inactive in the policy. |
||||
id |
Integer | ✓ | ✗ | The unique identifier for each rule. | ||||
EvalMode
Contains setting for eval mode action.
Download schema:
evalMode.json
Sample GET response:
{
"mode": "KRS",
"current": "KRS 1.0 (Apr 20, 2020)",
"eval": "enabled",
"evaluating": "KRS 1.0 (June 25, 2020)",
"expires": "2020-08-08T00:00:00Z"
}
EvalMode members
| Member | Type | Required | Description |
|---|---|---|---|
EvalMode: Contains setting for eval mode action. |
|||
eval |
Enumeration | ✓ | Set eval to start, stop, restart, complete, or update to manage the evaluation of new rules you want to test before you upgrade. If you set eval to start, restart, or update, the response object will have an eval value of enabled. The value is disabled for requests of stop or complete. For more information see Set evaluation mode. |
mode |
Enumeration | ○ | Optionally lets you specify between two Adaptive Security Engine (ASE) rule set types. Use ASE_AUTO for automatic updates to the ASE evaluation rules, or ASE_MANUAL to manually retrieve current evaluation rules. When not specified, the mode uses default settings. For a KRS 1.0 policy, that means using the KRS 1.0 rule set. |
EvalHostname
Contains a list of evaluation hostnames for the specified configuration version.
Download schema:
evalHostnames.json
Sample GET response:
{
"mode": "append",
"hostnames": [
"*.example.net",
"example.com",
"m.example.com"
]
}
EvalHostname members
| Member | Type | Required | Description |
|---|---|---|---|
EvalHostname: Contains a list of evaluation hostnames for the specified configuration version. |
|||
hostnames |
Array | ✓ | The hostnames on which to match the request. |
mode |
Enumeration | ○ | The type of update you want to make to the evaluation hostname list. You can append additional hostnames, remove hostnames from the list, or replace the existing list with the hostnames you pass in your request. |
Recommendation
Encapsulates data for Adaptive Security Engine exception recommendations.
Download schema:
recommendations.json
Sample GET request:
{
"evaluationPeriodStart": "2021-04-08T03:10:43Z",
"evaluationPeriodEnd": "2021-05-08T03:10:43Z",
"ruleRecommendations": [
{
"id": 100001,
"recommendations": [
{
"description": "Description for SQL",
"evidences": {
"hostnames": [
"www.yamanohi.jp"
]
},
"exceptions": [
{
"selectorId": 84220,
"selector": {
"type": "AAG_SPECIFIC",
"names": [
"JSON_PAIR_001"
],
"selector": "JSON_PAIRS",
"wildcard": true
}
}
]
}
],
"declinedRecommendations": [
{
"description": "100001 recommendation",
"exceptions": [
{
"selectorId": 19557,
"selector": {
"type": "AAG_SPECIFIC",
"names": [
"XML-PAIR-02-TEST"
],
"selector": "XML_PAIRS",
"wildcard": true
}
}
]
}
]
}
],
"attackGroupRecommendations": [
{
"group": "CMD",
"recommendations": [
{
"description": "This selector triggered on 3458 unique IPs over a period of 7 hours.",
"exceptions": [
{
"selectorId": 77,
"selector": {
"type": "AAG_SPECIFIC",
"selector": "REQUEST_HEADERS",
"names": [
"WWW-Exc_Header",
"WWW-Auth"
],
"wildcard": false,
"numberOfExceptions": 2,
"enhanced": false
}
}
]
}
]
},
{
"group": "SQL",
"recommendations": [
{
"description": "Recommendation for SQL",
"exceptions": [
{
"selectorId": 76,
"selector": {
"type": "AAG_SPECIFIC",
"selector": "ARGS_NAMES",
"names": null,
"wildcard": true,
"numberOfExceptions": 1,
"enhanced": false
}
}
]
}
]
}
]
}
Recommendation members
| Member | Type | Required | Description |
|---|---|---|---|
Recommendation: Encapsulates data for Adaptive Security Engine exception recommendations. |
|||
evaluation |
String | ○ | The ISO 8601 date your evaluation period ends. |
evaluation |
String | ○ | The ISO 8601 date your evaluation period starts. |
group |
Recommendation. |
○ | The Adaptive Security Engine recommended exceptions for your attack groups. |
rule |
Recommendation. |
○ | The exceptions for your rules recommended by Adaptive Security Engine. |
Recommendation.groupRecommendations[]: The Adaptive Security Engine recommended exceptions for your attack groups. |
|||
declined |
Recommendation. |
○ | Exception recommendations you previously chose to ignore. Run Respond to exception recommendations with a value of RESET if you want to undo your previous setting. |
group |
String | ○ | The unique identifier for an attack group. |
recommendations |
Recommendation. |
○ | Describes the the recommended exception values. |
Recommendation.groupRecommendations[].declinedRecommendations[]: Exception recommendations you previously chose to ignore. Run Respond to exception recommendations with a value of RESET if you want to undo your previous setting. |
|||
description |
String | ○ | Describes why the proposed tuning exception is recommended. |
evidences |
String | ○ | Provides additional information about the recommendation. |
exceptions |
Recommendation. |
○ | Conditionally exclude requests from inspection. |
Recommendation.groupRecommendations[].declinedRecommendations[].exceptions[]: Conditionally exclude requests from inspection. |
|||
recommendationId |
Number | ○ | The unique identifier for the recommendation. |
selector |
Recommendation. |
○ | Identifies the part of the request to exclude. |
selectorId |
Number | ○ | The unique identifier for the selector referenced in the recommendation. |
Recommendation.groupRecommendations[].declinedRecommendations[].exceptions[].selector: Identifies the part of the request to exclude. |
|||
enhanced |
Boolean | ✓ | Whether the exception recommendations are for enhanced selectors. |
number |
Integer | ○ | The number of exceptions Adaptive Security Engine recommends. |
selector |
Enumeration | ○ | Identifies the part of the request to exclude. See Selector type values for available values. |
type |
Enumeration | ○ | Identifies the part of the request to exclude. See Selector type values for available values. |
Recommendation.groupRecommendations[].recommendations[]: Describes the the recommended exception values. |
|||
description |
String | ○ | Describes why the proposed tuning exception is recommended. |
evidences |
String | ○ | Provides additional information about the recommendation. |
exceptions |
Recommendation. |
○ | Conditionally exclude requests from inspection. |
Recommendation.groupRecommendations[].recommendations[].exceptions[]: Conditionally exclude requests from inspection. |
|||
recommendationId |
Number | ○ | The unique identifier for the recommendation. |
selector |
Recommendation. |
○ | Identifies the part of the request to exclude. |
selectorId |
Number | ○ | The unique identifier for the selector referenced in the recommendation. |
Recommendation.groupRecommendations[].recommendations[].exceptions[].selector: Identifies the part of the request to exclude. |
|||
enhanced |
Boolean | ✓ | Whether the exception recommendations are for enhanced selectors. |
number |
Integer | ○ | The number of exceptions Adaptive Security Engine recommends. |
selector |
Enumeration | ○ | Identifies the part of the request to exclude. See Selector type values for available values. |
type |
Enumeration | ○ | Identifies the part of the request to exclude. See Selector type values for available values. |
Recommendation.ruleRecommendations[]: The exceptions for your rules recommended by Adaptive Security Engine. |
|||
declined |
Recommendation. |
○ | Exception recommendations you previously chose to ignore. Run Respond to exception recommendations with a value of RESET if you want to undo your previous setting. |
id |
Number | ○ | The unique identifier for a rule. In other operations, you may see this as a ruleId. |
recommendations |
Recommendation. |
○ | Describes the the recommended exception values. |
Recommendation.ruleRecommendations[].declinedRecommendations[]: Exception recommendations you previously chose to ignore. Run Respond to exception recommendations with a value of RESET if you want to undo your previous setting. |
|||
description |
String | ○ | Describes why the proposed tuning exception is recommended. |
evidences |
String | ○ | Provides additional information about the recommendation. |
exceptions |
Recommendation. |
○ | Conditionally exclude requests from inspection. |
Recommendation.ruleRecommendations[].declinedRecommendations[].exceptions[]: Conditionally exclude requests from inspection. |
|||
recommendationId |
Number | ○ | The unique identifier for the recommendation. |
selector |
Recommendation. |
○ | Identifies the part of the request to exclude. |
selectorId |
Number | ○ | The unique identifier for the selector referenced in the recommendation. |
Recommendation.ruleRecommendations[].declinedRecommendations[].exceptions[].selector: Identifies the part of the request to exclude. |
|||
enhanced |
Boolean | ✓ | Whether the exception recommendations are for enhanced selectors. |
number |
Integer | ○ | The number of exceptions Adaptive Security Engine recommends. |
selector |
Enumeration | ○ | Identifies the part of the request to exclude. See Selector type values for available values. |
type |
Enumeration | ○ | Identifies the part of the request to exclude. See Selector type values for available values. |
Recommendation.ruleRecommendations[].recommendations[]: Describes the the recommended exception values. |
|||
description |
String | ○ | Describes why the proposed tuning exception is recommended. |
evidences |
String | ○ | Provides additional information about the recommendation. |
exceptions |
Recommendation. |
○ | Conditionally exclude requests from inspection. |
Recommendation.ruleRecommendations[].recommendations[].exceptions[]: Conditionally exclude requests from inspection. |
|||
recommendationId |
Number | ○ | The unique identifier for the recommendation. |
selector |
Recommendation. |
○ | Identifies the part of the request to exclude. |
selectorId |
Number | ○ | The unique identifier for the selector referenced in the recommendation. |
Recommendation.ruleRecommendations[].recommendations[].exceptions[].selector: Identifies the part of the request to exclude. |
|||
enhanced |
Boolean | ✓ | Whether the exception recommendations are for enhanced selectors. |
number |
Integer | ○ | The number of exceptions Adaptive Security Engine recommends. |
selector |
Enumeration | ○ | Identifies the part of the request to exclude. See Selector type values for available values. |
type |
Enumeration | ○ | Identifies the part of the request to exclude. See Selector type values for available values. |
Recommendation selector values
Selectors are segments of a request that Web Application Protector rules look in for attacks, which means no rule applies to an entire request all at once but by selector segment. You can use these selectors to add exceptions to your security policy rules. You can add exceptions to your rules if you know that the rules are throwing false positives, or you want to omit parts of a request from inspection.
For example:
Host: www.fakehostexample.com
Accept: application/json
Cookies: foo=examplecookie
{"first":1, "second":2, "third":3}
The following values are available for the selector string
enumeration for both recommendations and declined
recommendations:
| Value | Description |
|---|---|
ARGS |
A generic alias for the query string existing in both the body or the URL. Use this selector to match either the body or the URL. |
ARGS_NAMES |
Argument names. In the example, session and fakeName. |
FILES_NAMES |
Name of MIME-encoded filename within a mime-encoded body to exclude from inspection. |
JSON_NAMES |
The name of the JSON member. In the example, first, second, and third. |
JSON_PAIRS |
Name/value pairs in JSON the body. On its own, bypass network does all of them, JSON_PAIRS:"name of json key" excludes that specific JSON name/value pair from inspection. In the example, "first":1, "second":2, and "third":3. |
QUERY_STRING |
In the example, 1?session=3&name=fakeName. |
REQBODY_PROCESSOR_ERROR |
Whether an error occurred processing the request. Errors often indicate suspicious activity. It’s a good idea to inspect this element, and not exclude it from inspection. |
REQUEST_BODY |
The entire body of the request. In the example, {"first":1, "second":2, "third":3} |
REQUEST_COOKIES |
The request cookie name-value pair. In the example,foo=examplecookie. |
REQUEST_COOKIES_NAMES |
The request cookie name value. In the example, foo. |
REQUEST_FILENAME |
The file name to exclude from inspection. In the example, my-file-name.mp3. |
REQUEST_HEADERS |
The name and value of the request header. In the example, Host:www.fakehostexample.com and Accept:application/json. |
REQUEST_HEADERS_NAMES |
The name of the request header to exclude from inspection. In the example, Host and Accept. |
REQUEST_METHOD |
The request method to exclude from inspection. In the example, GET. |
REQUEST_PATH_SEGMENT |
The part of the path you specify. For example, /one/two/three/. Use *to include the whole path. |
REQUEST_PROTOCOL |
The request protocol to exclude from inspection. In the example, http. |
REQUEST_URI |
The full URL segment without the request method. In the example, /one/two/three/four/my-file-name.mp3?session=3&name=fakeName. |
VALUES |
The value you want to exclude when it appears in a header, cookie, or parameter. |
XML_PAIRS |
Name/value pairs in XML body. |
RecommendationAction
The POST Request JSON for accepting, declining or resetting a selector.
Download schema:
selector.json
Sample POST request:
{
"action": "ACCEPT",
"selectorId": 84220
}
RecommendationAction members
| Member | Type | Required | Description |
|---|---|---|---|
RecommendationAction: The POST Request JSON for accepting, declining or resetting a selector. |
|||
action |
Enumeration | ✓ | How you want to respond to the exception recommendation. Use ACCEPT to add the recommendation to your policy, rule, or attack group. Use DECLINE to reject the recommendation, or RESET to undo a previous DECLINE action. |
selectorId |
Number | ✓ | The unique identifier for the selector referenced in the recommendation. |
HostnameTarget
Contains details about a hostname coverage match target.
Download schema:
hostnameCoverageMatchTarget.json
Sample GET response:
{
"matchTargets": {
"apiTargets": [],
"websiteTargets": [
{
"configId": 75498,
"configVersion": 428,
"defaultFile": "NO_MATCH",
"isNegativeFileExtensionMatch": false,
"isNegativePathMatch": false,
"isTargetSecurityControlsEditable": false,
"logicalId": 1730010,
"sequence": 3,
"targetId": 2555705,
"type": "website",
"fileExtensions": [],
"filePaths": [
"/content/tealeaf"
],
"hostnames": [
"www.example.com",
"m.example.com",
"m.new.example.com",
"safety.example.com",
"static.example.net",
"failover3.example.com",
"static.example.com",
"images.example.com",
"failover5.example.com",
"espanol.example.com"
],
"effectiveSecurityControls": {
"applyApplicationLayerControls": true,
"applyBotmanControls": true,
"applyNetworkLayerControls": true,
"applyPageIntegrityControls": false,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": true
},
"firewallPolicy": {
"evaluated": false,
"policyId": "GRD_4186",
"policyName": "Main Street Corporation USA",
"policySecurityControls": {
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyBotmanControls": true,
"applyNetworkLayerControls": true,
"applyPageIntegrityControls": false,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": true
}
},
"targetSecurityControls": {
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyPageIntegrityControls": false,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": true
},
"bypassNetworkLists": [
{
"id": "1410_BYPASSWAFLIST",
"name": "shawn - BypassWAFList"
}
]
}
]
}
}
HostnameTarget members
| Member | Type | Required | Description |
|---|---|---|---|
HostnameTarget: Contains details about a hostname coverage match target. |
|||
apis |
Hostname |
○ | The list of API endpoint identifiers and names. This applies only for api match targets. |
bypass |
Hostname |
○ | The network lists’ identifiers and names in the match target. |
defaultFile |
Enumeration | ○ | Describes the rule to match on paths. Either NO_MATCH not to match on the default file, BASE_MATCH to match only requests for top-level hostnames ending in a trailing slash, or RECURSIVE_MATCH to match all requests for paths that end in a trailing slash. The default value is NO_MATCH. |
effective |
Hostname |
○ | Read-only. The security controls to apply. For a security control to be effectively turned on, you must enable it in both the match target and the security policy. |
fileExtensions |
Array | ○ | The list of file extensions to apply the match target to. |
filePaths |
Array | ○ | The list of file paths to apply the match target to. |
hostnames |
Array | ○ | The list of hostnames to protect. |
is |
Boolean | ○ | Whether the match target applies when a match is found in the specified fileExtensions or when a match isn’t found. |
is |
Boolean | ○ | Whether the match target applies when a match is found in the specified filePaths or when a match isn’t found. |
securityPolicy |
Hostname |
✓ | The security policy associated with the match target. |
sequence |
Integer | ○ | The match target’s position in the sequence of match targets. |
targetId |
Integer | ○ | Uniquely identifies the match target. |
type |
Enumeration | ✓ | The type of match target. Either website or api. |
validations |
Hostname |
○ | Read-only. Contains details about warnings, errors, or notices determined by a validation of this resource. |
HostnameTarget.apis[]: The list of API endpoint identifiers and names. This applies only for api match targets. |
|||
id |
Integer | ✓ | Uniquely identifies the API endpoint. |
name |
String | ○ | The API endpoint name. |
HostnameTarget.bypassNetworkLists[]: The network lists’ identifiers and names in the match target. |
|||
id |
String | ✓ | Uniquely identifies the network list. |
name |
String | ○ | The name you assigned to the network list. |
HostnameTarget.effectiveSecurityControls: The security controls to apply. For a security control to be effectively turned on, you must enable it in both the match target and the security policy. |
|||
apply |
Boolean | ✓ | Whether you enabled API constraints. |
apply |
Boolean | ✓ | Whether you enabled application layer controls. |
apply |
Boolean | ✓ | Whether you enabled Bot Manager controls. |
apply |
Boolean | ✓ | Whether you enabled network layer controls. |
apply |
Boolean | ✓ | Whether you enabled rate controls. |
apply |
Boolean | ✓ | Whether you enabled reputation controls. |
apply |
Boolean | ✓ | Whether you enabled slow post controls. |
HostnameTarget.securityPolicy: The security policy associated with the match target. |
|||
policyId |
String | ✓ | Uniquely identifies the security policy. |
HostnameTarget.validations: Contains details about warnings, errors, or notices determined by a validation of this resource. |
|||
errors |
Hostname |
○ | Contains feedback on validation. |
notices |
Hostname |
○ | Contains feedback on validation. |
warnings |
Hostname |
○ | Contains feedback on validation. |
HostnameTarget.validations.errors[]: Contains feedback on validation. |
|||
detail |
String | ○ | The explanation of the error message. |
fieldName |
String | ○ | The name of the field causing the validation problem. |
jsonReference |
String | ○ | The JSON reference to the field in the resource. |
title |
String | ✓ | The title for the error. |
type |
String | ✓ | The URL for the error type. |
HostnameTarget.validations.notices[]: Contains feedback on validation. |
|||
detail |
String | ○ | The explanation of the error message. |
fieldName |
String | ○ | The name of the field causing the validation problem. |
jsonReference |
String | ○ | The JSON reference to the field in the resource. |
title |
String | ✓ | The title for the error. |
type |
String | ✓ | The URL for the error type. |
HostnameTarget.validations.warnings[]: Contains feedback on validation. |
|||
detail |
String | ○ | The explanation of the error message. |
fieldName |
String | ○ | The name of the field causing the validation problem. |
jsonReference |
String | ○ | The JSON reference to the field in the resource. |
title |
String | ✓ | The title for the error. |
type |
String | ✓ | The URL for the error type. |
Exception
Describes the conditions and exceptions you can configure in attack groups or rules. When advanced is enabled, you can only specify attack group exception data in one basic or advancedExceptions section, and not both.
Download schema:
securityPolicySetConditionExceptionRequest.json
Sample PUT request:
{
"exception": {
"headerCookieOrParamValues": [
"test"
],
"specificHeaderCookieOrParamNameValue": {
"name": "test",
"selector": "REQUEST_HEADERS",
"value": "test"
},
"specificHeaderCookieOrParamPrefix": {
"prefix": "test",
"selector": "REQUEST_HEADERS"
},
"specificHeaderCookieOrParamNames": [
{
"selector": "REQUEST_HEADERS",
"names": [
"test"
]
},
{
"selector": "REQUEST_COOKIES",
"names": [
"test"
]
},
{
"selector": "ARGS",
"names": [
"test"
]
},
{
"selector": "JSON_PAIRS",
"names": [
"test"
]
},
{
"selector": "XML_PAIRS",
"names": [
"test"
]
}
]
},
"conditions": [
{
"type": "extensionMatch",
"positiveMatch": true,
"extensions": [
"test"
]
},
{
"type": "filenameMatch",
"positiveMatch": true,
"filenames": [
"test2"
]
},
{
"type": "hostMatch",
"positiveMatch": true,
"hosts": [
"www.test.com"
]
},
{
"type": "ipMatch",
"positiveMatch": true,
"useHeaders": true,
"ips": [
"192.0.2.34"
]
},
{
"type": "uriQueryMatch",
"caseSensitive": true,
"name": "test3",
"nameCase": false,
"positiveMatch": true,
"value": "test4",
"wildcard": true
},
{
"type": "requestHeaderMatch",
"header": "referer",
"positiveMatch": true,
"value": "test5",
"valueCase": false,
"valueWildcard": false
},
{
"type": "requestMethodMatch",
"positiveMatch": true,
"methods": [
"GET"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"paths": [
"/test6"
]
}
]
}
Exception members
| Member | Type | Required | Description |
|---|---|---|---|
Exception: Describes the conditions and exceptions you can configure in attack groups or rules. When advanced is enabled, you can only specify attack group exception data in one basic or advancedExceptions section, and not both. |
|||
advanced |
Exception. |
○ | Describes the advanced exception members that allow you to conditionally exclude requests from inspection. This is only available for attack groups and when the advanced exception feature is enabled. |
conditions |
Exception. |
○ | Describes what conditions can be set for an action to occur. |
exception |
Exception. |
○ | Describes the exception members that allow you to conditionally exclude requests from inspection. |
Exception.advancedExceptions: Describes the advanced exception members that allow you to conditionally exclude requests from inspection. This is only available for attack groups and when the advanced exception feature is enabled. |
|||
condition |
Enumeration | ○ | Use OR to match any condition, or AND to match on all conditions. |
conditions |
Exception. |
○ | Describes what conditions can be set for an action to occur. |
header |
Exception. |
○ | The list of excepted values in headers, cookies, or query parameters. |
specific |
Exception. |
○ | Contains details about the excepted name-value pairs in a request. |
specific |
Exception. |
○ | Describes the advanced exception members that allow you to conditionally exclude requests from inspection. This is only available for attack groups and when the advanced exception feature is enabled. |
Exception.advancedExceptions.conditions[]: Describes what conditions can be set for an action to occur. |
|||
caseSensitive |
Boolean | ○ | Whether to consider the case-sensitivity of the provided query parameter value. This only applies to the uriQueryMatch condition type. |
extensions |
Array | ○ | The file extensions that trigger the condition. This only applies to the extensionMatch condition type. |
filenames |
Array | ○ | The filenames that trigger the condition. This only applies to the filenameMatch condition type. |
header |
String | ○ | The HTTP header that triggers the condition. This only applies to the requestHeaderMatch condition type. |
hosts |
Array | ○ | The hostnames that trigger the condition. This only applies to the hostMatch condition type. |
ips |
Array | ○ | The IPs that trigger the condition. This only applies to the ipMatch condition type. |
methods |
Array | ○ | The HTTP request methods that trigger the condition. The possible values are GET, POST, HEAD, PUT, DELETE, OPTIONS, TRACE, CONNECT and PATCH. This only applies to the requestMethodMatch condition type. |
name |
String | ○ | The query parameter name that triggers the condition. This only applies to the uriQueryMatch condition type. |
nameCase |
Boolean | ○ | Whether to consider the case-sensitivity of the provided query parameter name. This only applies to the uriQueryMatch condition type. |
paths |
Array | ○ | The paths that trigger the condition. This only applies to the pathMatch condition type. |
positiveMatch |
Boolean | ✓ | Whether the condition should trigger on a match (true) or a lack of match (false). |
type |
Enumeration | ✓ | The condition type to match on. See Export condition type values. |
useHeaders |
Boolean | ○ | Whether the condition should include X-Forwarded-For (XFF) header. This only applies to the ipMatch condition type. |
value |
String | ○ | The query parameter value if the condition type is uriQueryMatch and header value if the condition type is requestHeaderMatch. This only applies when the condition type is uriQueryMatch or requestHeaderMatch. |
valueCase |
Boolean | ○ | Whether to consider the case-sensitivity of the provided header value. This only applies to the requestHeaderMatch condition type. |
valueWildcard |
Boolean | ○ | Whether the provided header value is a wildcard. This only applies to the requestHeaderMatch condition type. |
wildcard |
Boolean | ○ | Whether the provided query parameter value is a wildcard. This only applies to the uriQueryMatch condition type. |
Exception.advancedExceptions.headerCookieOrParamValues[]: The list of excepted values in headers, cookies, or query parameters. |
|||
criteria |
Exception. |
○ | The host name and path criteria to limit the scope of exception. |
values |
Array | ✓ | The list of request attribute names. |
Exception.advancedExceptions.headerCookieOrParamValues[].criteria[]: The host name and path criteria to limit the scope of exception. |
|||
hostnames |
Array | ✓ | The list of excepted host names. |
names |
Array | ○ | The list of excepted names. |
paths |
Array | ✓ | The list of excepted paths. |
values |
Array | ○ | The list of excepted values. |
Exception.advancedExceptions.specificHeaderCookieOrParamNameValue[]: Contains details about the excepted name-value pairs in a request. |
|||
criteria |
Exception. |
○ | The host name and path criteria to limit the scope of exception. |
namesValues |
Exception. |
✓ | A list of name-value pairs to except. |
selector |
Enumeration | ✓ | The request attribute to exclude from inspection. See Exception selector values. |
wildcard |
Boolean | ○ | Whether the provided header name is a wildcard. |
Exception.advancedExceptions.specificHeaderCookieOrParamNameValue[].criteria[]: The host name and path criteria to limit the scope of exception. |
|||
hostnames |
Array | ✓ | The list of excepted host names. |
names |
Array | ○ | The list of excepted names. |
paths |
Array | ✓ | The list of excepted paths. |
values |
Array | ○ | The list of excepted values. |
Exception.advancedExceptions.specificHeaderCookieOrParamNameValue[].namesValues[]: A list of name-value pairs to except. |
|||
names |
Array | ✓ | The list of request attribute names. |
values |
Array | ○ | The list of request attribute values. |
Exception.advancedExceptions.specificHeaderCookieParamXmlOrJsonNames[]: Describes the advanced exception members that allow you to conditionally exclude requests from inspection. This is only available for attack groups and when the advanced exception feature is enabled. |
|||
criteria |
Exception. |
○ | The host name and path criteria to limit the scope of exception. |
names |
Array | ○ | The list of request attribute names. |
selector |
Enumeration | ✓ | The request attribute to exclude from inspection. See Exception selector values. |
wildcard |
Boolean | ○ | Whether the provided header name is a wildcard. |
Exception.advancedExceptions.specificHeaderCookieParamXmlOrJsonNames[].criteria[]: The host name and path criteria to limit the scope of exception. |
|||
hostnames |
Array | ✓ | The list of excepted host names. |
names |
Array | ○ | The list of excepted names. |
paths |
Array | ✓ | The list of excepted paths. |
values |
Array | ○ | The list of excepted values. |
Exception.conditions[]: Describes what conditions can be set for an action to occur. |
|||
caseSensitive |
Boolean | ○ | Whether to consider the case-sensitivity of the provided query parameter value. This only applies to the uriQueryMatch condition type. |
extensions |
Array | ○ | The file extensions that trigger the condition. This only applies to the extensionMatch condition type. |
filenames |
Array | ○ | The filenames that trigger the condition. This only applies to the filenameMatch condition type. |
header |
String | ○ | The HTTP header that triggers the condition. This only applies to the requestHeaderMatch condition type. |
hosts |
Array | ○ | The hostnames that trigger the condition. This only applies to the hostMatch condition type. |
ips |
Array | ○ | The IPs that trigger the condition. This only applies to the ipMatch condition type. |
methods |
Array | ○ | The HTTP request methods that trigger the condition. The possible values are GET, POST, HEAD, PUT, DELETE, OPTIONS, TRACE, CONNECT and PATCH. This only applies to the requestMethodMatch condition type. |
name |
String | ○ | The query parameter name that triggers the condition. This only applies to the uriQueryMatch condition type. |
nameCase |
Boolean | ○ | Whether to consider the case-sensitivity of the provided query parameter name. This only applies to the uriQueryMatch condition type. |
paths |
Array | ○ | The paths that trigger the condition. This only applies to the pathMatch condition type. |
positiveMatch |
Boolean | ✓ | Whether the condition should trigger on a match (true) or a lack of match (false). |
type |
Enumeration | ✓ | The condition type to match on. See Export condition type values. |
useHeaders |
Boolean | ○ | Whether the condition should include X-Forwarded-For (XFF) header. This only applies to the ipMatch condition type. |
value |
String | ○ | The query parameter value if the condition type is uriQueryMatch and header value if the condition type is requestHeaderMatch. This only applies when the condition type is uriQueryMatch or requestHeaderMatch. |
valueCase |
Boolean | ○ | Whether to consider the case-sensitivity of the provided header value. This only applies to the requestHeaderMatch condition type. |
valueWildcard |
Boolean | ○ | Whether the provided header value is a wildcard. This only applies to the requestHeaderMatch condition type. |
wildcard |
Boolean | ○ | Whether the provided query parameter value is a wildcard. This only applies to the uriQueryMatch condition type. |
Exception.exception: Describes the exception members that allow you to conditionally exclude requests from inspection. |
|||
any |
Array | ○ | The list of request attributes to treat as rule or attack group exceptions. The possible values are REQUEST_COOKIES, JSON_PAIRS for a JSON parameter, XML_PAIRS for an XML parameter, ARGS for a request parameter, and REQUEST_HEADERS for a request header. Use this option if you can’t get an exhaustive list of elements to exclude or the list is too large. You can exclude several attributes. |
header |
Array | ○ | The list of excepted values in headers, cookies, or query parameters. |
specific |
Exception. |
○ | Contains details about the excepted request attribute name. |
specific |
Exception. |
○ | Contains details about the excepted name-value pair in a request. |
specific |
Exception. |
○ | Contains details about the excepted request attribute name prefix. |
specific |
Exception. |
○ | Contains details about the excepted request attribute names. This is only available for attack groups and when advanced exception is not enabled. |
Exception.exception.specificHeaderCookieOrParamNames: Contains details about the excepted request attribute name. |
|||
names |
Array | ✓ | The list of request attribute names. |
selector |
Enumeration | ✓ | The request attribute that includes the excepted name. Either REQUEST_COOKIES, JSON_PAIRS for a JSON parameter, XML_PAIRS for an XML parameter, ARGS for a request parameter, or REQUEST_HEADERS for a request header. |
Exception.exception.specificHeaderCookieOrParamNameValue: Contains details about the excepted name-value pair in a request. |
|||
name |
String | ✓ | The name of the request attribute. |
selector |
Enumeration | ✓ | The request attribute that includes the excepted name-value pair. Either REQUEST_COOKIES, JSON_PAIRS for a JSON parameter, XML_PAIRS for an XML parameter, ARGS for a request parameter, or REQUEST_HEADERS for a request header. |
value |
String | ✓ | The value of the request attribute. |
Exception.exception.specificHeaderCookieOrParamPrefix: Contains details about the excepted request attribute name prefix. |
|||
prefix |
String | ✓ | The request attribute name prefix. |
selector |
Enumeration | ✓ | The request attribute that includes the excepted name prefix. Either REQUEST_COOKIES, JSON_PAIRS for a JSON parameter, XML_PAIRS for an XML parameter, ARGS for a request parameter, or REQUEST_HEADERS for a request header. |
Exception.exception.specificHeaderCookieParamXmlOrJsonNames[]: Contains details about the excepted request attribute names. This is only available for attack groups and when advanced exception is not enabled. |
|||
names |
Array | ○ | The list of request attribute names. |
selector |
Enumeration | ✓ | The request attribute to exclude from inspection. See Exception selector values. |
wildcard |
Boolean | ○ | Whether the provided header name is a wildcard. |
Exception selector values
Selectors are segments of a request that Web Application Protector rules look in for attacks, which means no rule applies to an entire request all at once but by selector segment. You can use these selectors to add exceptions to your security policy rules. You can add exceptions to your rules if you know that the rules are throwing false positives, or you want to omit parts of a request from inspection.
For example:
Host: www.fakehostexample.com
Accept: application/json
Cookies: foo=examplecookie
{"first":1, "second":2, "third":3}
| type value… | Matches on… |
|---|---|
ARGS |
A generic alias for the query string existing in both the body or the URL. Use this selector to match either the body or the URL. |
ARGS_NAMES |
Argument names. In the example, session and fakeName. |
FILES_NAMES |
Name of MIME-encoded filename within a mime-encoded body to exclude from inspection. |
JSON_NAMES |
The name of the JSON member. In the example, first, second, and third. |
JSON_PAIRS |
Name/value pairs in JSON the body. On its own, bypass network does all of them, JSON_PAIRS:"name of json key" excludes that specific JSON name/value pair from inspection. In the example, "first":1, "second":2, and "third":3. |
QUERY_STRING |
In the example, 1?session=3&name=fakeName. |
REQBODY_PROCESSOR_ERROR |
Whether an error occurred processing the request. Errors often indicate suspicious activity. It’s a good idea to inspect this element, and not exclude it from inspection. |
REQUEST_COOKIES |
The request cookie name-value pair. In the example,foo=examplecookie. |
REQUEST_COOKIES_NAMES |
The request cookie name value. In the example, foo. |
foo=examplecookie. |
|
REQUEST_BODY |
The entire body of the request. In the example, {"first":1, "second":2, "third":3} |
REQUEST_FILENAME |
The file name to exclude from inspection. In the example, my-file-name.mp3. |
REQUEST_HEADERS |
The name and value of the request header. In the example, Host:www.fakehostexample.com and Accept:application/json. |
REQUEST_HEADERS_NAMES |
The name of the request header to exclude from inspection. In the example, Host and Accept. |
REQUEST_METHOD |
The request method to exclude from inspection. In the example, GET. |
REQUEST_PROTOCOL |
The request protocol to exclude from inspection. In the example, http. |
REQUEST_PATH_SEGMENT |
The part of the path you specify. For example, /one/two/three/. Use *to include the whole path. |
REQUEST_URI |
The full URL segment without the request method. In the example, /one/two/three/four/my-file-name.mp3?session=3&name=fakeName. |
XML_PAIRS |
Name/value pairs in XML body. |
MatchTarget
Contains information about a match target.
Download schema:
matchTarget.json
Sample GET response:
{
"targetId": 112231,
"configId": 77653,
"configVersion": 25,
"type": "website",
"sequence": 1,
"isNegativePathMatch": false,
"isNegativeFileExtensionMatch": true,
"defaultFile": "NO_MATCH",
"hostnames": [
"example.com",
"www.example.net",
"m.example.com"
],
"filePaths": [
"/sssi/*",
"/cache/aaabbc*",
"/price_toy/*"
],
"fileExtensions": [
"wmls",
"jpeg",
"pws",
"carb",
"pdf",
"js",
"hdml",
"cct",
"swf",
"pct"
],
"securityPolicy": {
"policyId": "fwsf_32432"
},
"effectiveSecurityControls": {
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": false,
"applyRateControls": true,
"applyReputationControls": false,
"applySlowPostControls": false
},
"bypassNetworkLists": [
{
"name": "Test network list 1",
"id": "888518_ACDDCKERS"
},
{
"name": "Test network list 2",
"id": "1304427_AAXXBBLIST"
}
]
}
MatchTarget members
| Member | Type | Required | Description |
|---|---|---|---|
MatchTarget: Contains information about a match target. |
|||
apis |
Match |
○ | Contains a list of objects containing an API endpoint ID and name. This field applies only to API match targets. |
bypass |
Match |
○ | The list of network list identifiers and names. |
configId |
Integer | ○ | Uniquely identifies the security configuration. |
configVersion |
Integer | ○ | The version of security configuration. |
defaultFile |
Enumeration | ○ | Describes the rule to match on paths. Either NO_MATCH to not match on the default file, BASE_MATCH to match only requests for top-level hostnames ending in a trailing slash, or RECURSIVE_MATCH to match all requests for paths that end in a trailing slash. |
effective |
Security |
○ | Read-only. Defines the security controls to apply. For a security control to be effectively turned on, it has to be enabled in both the match target and the security policy. |
fileExtensions |
Array | ○ | The file extensions used in the path match. |
filePaths |
Array | ○ | The path used in the path match. |
hostnames |
Array | ○ | The hostnames to match the request on. |
is |
Boolean | ○ | Describes whether the match target applies when a match is found in the specified fileExtensions or when a match isn’t found. |
is |
Boolean | ○ | Describes whether the match target applies when a match is found in the specified paths or when a match isn’t found. |
securityPolicy |
Match |
✓ | The security policy associated with the match target. |
sequence |
Integer | ○ | The position in the sequence of match targets. |
targetId |
Integer | ○ | Uniquely identifies the match target. |
type |
Enumeration | ✓ | Describes the type of match target, either website or api. |
validations |
Match |
○ | Read-only. Describes warnings, errors, or notices determined by a validation of this resource. |
MatchTarget.apis[]: Contains a list of objects containing an API endpoint ID and name. This field applies only to API match targets. |
|||
id |
Integer | ✓ | Uniquely identifies the API endpoint. |
name |
String | ○ | The API endpoint name. |
MatchTarget.bypassNetworkLists[]: The list of network list identifiers and names. |
|||
id |
String | ✓ | Uniquely identifies the network list. |
name |
String | ○ | The name of the network list. |
MatchTarget.securityPolicy: The security policy associated with the match target. |
|||
policyId |
String | ✓ | Uniquely identifies the security policy. |
MatchTarget.validations: Describes warnings, errors, or notices determined by a validation of this resource. |
|||
errors |
Validation array | ✓ | The list of errors. |
notices |
Validation array | ✓ | The list of notices. |
warnings |
Validation array | ✓ | The list of warnings. |
CustomDeny
Contains details about a custom deny action.
Download schema:
customDeny.json
Sample POST request:
{
"description": "test description",
"name": "new custom deny",
"parameters": [
{
"displayName": "Prevent browser caching",
"name": "prevent_browser_cache",
"value": "true"
},
{
"displayName": "Response body content",
"name": "response_body_content",
"value": "json desc"
},
{
"displayName": "Response content type",
"name": "response_content_type",
"value": "application/xml"
},
{
"displayName": "Response status code",
"name": "response_status_code",
"value": "403"
}
]
}
CustomDeny members
| Member | Type | Required | Description |
|---|---|---|---|
CustomDeny: Contains details about a custom deny action. |
|||
description |
String | ○ | Describes the custom deny action. |
id |
String | ○ | Read-only. Uniquely identifies the custom deny action. |
name |
String | ✓ | The name you assigned to the custom deny action. |
parameters |
Custom |
✓ | Contains a list of parameters for the custom deny action. These parameters are not the same type of parameters you usually include in the path of a request. |
CustomDeny.parameters[]: Contains a list of parameters for the custom deny action. These parameters are not the same type of parameters you usually include in the path of a request. |
|||
displayName |
String | ○ | The description of the custom deny parameter. |
name |
Enumeration | ✓ | The custom deny parameter you choose instead of the Akamai default response. For available values, see Deny name values. |
value |
String | ✓ | The value you assign to the custom deny parameter. For available values, see Deny name values. |
Deny name values
These parameters help refine the custom deny action. You’ll create a custom deny response to use instead of Akamai’s default 403 response.
| Parameter name | Parameter value type | Description |
|---|---|---|
custom_deny_hostname |
Hostname | Failover hostname for the failover site. |
custom_deny_path |
URL path | Locates your custom response page currently serving on the Akamai platform. |
include_reference_id |
String | A unique ID Akamai assigns to every request for tracking purposes. |
include_true_ip |
Boolean | The original connecting client IP address, not one from a X-Forwarded-For header. |
prevent_browser_cache |
Boolean | Choose this option to ensure nothing from the requesting browser is cached. |
response_body_content |
String | The body of your application/json or application/xml response. |
response_content_type |
MIME type | Whether your response body is application/json or application/xml. |
response_header_name |
String | The name of the custom response header you want to use to override Akamai’s standard response header. |
response_header_value |
String | The custom response header. For example, server: Apache. |
response_status_code |
String | The numerical response of the status code for your custom deny. The default response status code is 403. You can enter any numerical value between 100 and 999. |
FailOverHostname
Contains a list of selected hostnames for the specified configuration version.
Download schema:
hostnameList.json
Sample GET response:
{
"mode": "append",
"hostnameList": [
{
"hostname": "*.example.net"
},
{
"hostname": "example.com"
},
{
"hostname": "m.example.com"
}
]
}
FailOverHostname members
| Member | Type | Required | Description |
|---|---|---|---|
FailOverHostname: Contains a list of selected hostnames for the specified configuration version. |
|||
hostnameList |
Fail |
✓ | The list of hostnames for a configuration version. |
mode |
Enumeration | ○ | The type of update you want to make to the evaluation hostname list. Use append to add additional hostnames, remove to delete the hostnames from the list, or replace to replace the existing list with the hostnames you pass in your request. |
FailOverHostname.hostnameList[]: The list of hostnames for a configuration version. |
|||
hostname |
String | ✓ | The hostname on which to match the request. |
IPGeoFirewall
Describes the mode of the IP Geo Firewall and the allowed and blocked IP lists.
Download schema:
ipGeoFirewallSetRequest.json
Sample PUT response:
{
"block": "blockSpecificIPGeo",
"geoControls": {
"blockedIPNetworkLists": {
"networkList": [
"72138_TEST1"
]
}
},
"ipControls": {
"allowedIPNetworkLists": {
"networkList": [
"56921_TEST"
]
},
"blockedIPNetworkLists": {
"networkList": [
"53712_TESTLIST123"
]
}
}
}
IPGeoFirewall members
| Member | Type | Required | Description |
|---|---|---|---|
IPGeoFirewall: Describes the mode of the IP Geo Firewall and the allowed and blocked IP lists. |
|||
block |
Enumeration | ✓ | The method by which you block or allow requests by IP or geographic location. In Control Center, this is called mode. Use blockSpecificIPGeo to block any IPs, subnets, geographies, or network lists you specify. Use blockAllTrafficExceptAllowedIPs to allow requests from IPs, subnets, geographies or networks lists in your blockExceptions maintained in Network Lists API. |
geoControls |
IPGeo |
○ | The network lists you block geographically. |
ipControls |
IPGeo |
○ | The network lists you block or allow by IP. |
IPGeoFirewall.geoControls: The network lists you block geographically. |
|||
blocked |
IPGeo |
○ | The list of networks. To edit the network lists, use the Network Lists API |
IPGeoFirewall.geoControls.blockedIPNetworkLists: The list of networks. To edit the network lists, use the Network Lists API |
|||
networkList |
Array | ○ | The specific network list you specify to block or allow, depending on the method you choose. |
IPGeoFirewall.ipControls: The network lists you block or allow by IP. |
|||
allowed |
IPGeo |
○ | The list of networks. To edit the network lists, use the Network Lists API |
blocked |
IPGeo |
○ | The list of networks. To edit the network lists, use the Network Lists API |
IPGeoFirewall.ipControls.allowedIPNetworkLists: The list of networks. To edit the network lists, use the Network Lists API |
|||
networkList |
Array | ○ | The specific network list you specify to block or allow, depending on the method you choose. |
IPGeoFirewall.ipControls.blockedIPNetworkLists: The list of networks. To edit the network lists, use the Network Lists API |
|||
networkList |
Array | ○ | The specific network list you specify to block or allow, depending on the method you choose. |
BypassNetworkList
Contains bypass network lists for the specified configuration version.
Download schema:
bypassNetworklists-put.json
Sample PUT response:
{
"networkLists": [
"1304427_AAXXBBLIST",
"888518_ACDDCKERS"
]
}
BypassNetworkList members
| Member | Type | Required | Description |
|---|---|---|---|
BypassNetworkList: Contains bypass network lists for the specified configuration version. |
|||
networkLists |
Array | ✓ | List of networkLists. The values are the networkLists’ IDs. |
Validation
Contains feedback on validation.
Download schema:
validation-dto.json
Validation members
| Member | Type | Required | Description |
|---|---|---|---|
Validation: Contains feedback on validation. |
|||
detail |
String | ○ | The explanation of the error message. |
fieldName |
String | ○ | The name of the field causing the validation problem. |
jsonReference |
String | ○ | The JSON reference to the field in the resource. |
title |
String | ✓ | The title for the error. |
type |
String | ✓ | The URL for the error type. |
MatchTargetOrder
Contains match target settings and a list of objects containing match targets with their assigned sequence number.
Download schema:
matchTargetsSequence.json
Sample PUT request:
{
"type": "website",
"targetSequence": [
{
"targetId": 1217289,
"sequence": 1
},
{
"targetId": 1217339,
"sequence": 2
}
]
}
MatchTargetOrder members
| Member | Type | Required | Description |
|---|---|---|---|
MatchTargetOrder: Contains match target settings and a list of objects containing match targets with their assigned sequence number. |
|||
targetSequence |
Match |
✓ | Contains the ID and sequence of a match target. |
type |
Enumeration | ✓ | Describes the type of match target, either WEBSITE or API. |
MatchTargetOrder.targetSequence[]: Contains the ID and sequence of a match target. |
|||
sequence |
Integer | ✓ | The position in the sequence of match targets. |
targetId |
Integer | ✓ | Uniquely identifies the match target. |
RatePolicy
Contains details about a rate policy.
Download schema:
ratePolicy.json
Sample GET request:
{
"ratePolicies": [
{
"id": 484616,
"matchType": "path",
"type": "WAF",
"name": "Test_Paths 2",
"description": "AFW Test Extensions",
"averageThreshold": 5,
"burstThreshold": 10,
"clientIdentifier": "ip",
"useXForwardForHeaders": true,
"requestType": "ClientRequest",
"sameActionOnIpv6": false,
"pathMatchType": "Custom",
"pathUriPositiveMatch": true,
"createDate": "2016-07-22 18:57:08.0",
"updateDate": "2017-02-22 00:05:41.0",
"used": false,
"hostnames": [
"www.myexamplehostname.org"
],
"path": {
"positiveMatch": true,
"values": [
"/login/",
"/path/"
]
},
"fileExtensions": {
"positiveMatch": false,
"values": [
"3g2",
"3gp",
"aif",
"aiff",
"au",
"avi",
"bin",
"bmp",
"cab"
]
},
"additionalMatchOptions": [
{
"positiveMatch": true,
"type": "IpAddressCondition",
"values": [
"203.0.113.0"
]
},
{
"positiveMatch": true,
"type": "RequestMethodCondition",
"values": [
"GET"
]
}
],
"queryParameters": [
{
"name": "productId",
"positiveMatch": true,
"valueInRange": false,
"values": [
"BUB_12",
"SUSH_11"
]
}
]
},
{
"id": 484617,
"matchType": "api",
"type": "WAF",
"name": "Test_Paths 2",
"description": "AFW Test Extensions",
"averageThreshold": 5,
"burstThreshold": 10,
"clientIdentifier": "ip",
"useXForwardForHeaders": true,
"requestType": "ClientRequest",
"sameActionOnIpv": false,
"createDate": "2016-07-22 18:57:08.0",
"updateDate": "2017-02-22 00:05:41.0",
"used": false,
"hostnames": [
"www.soasta.com"
],
"fileExtensions": {
"positiveMatch": false,
"values": [
"avi",
"bmp",
"jpg"
]
},
"apiSelectors": [
{
"apiDefinitionId": 602,
"undefinedResources": false,
"definedResources": false,
"resourceIds": [
748
]
}
],
"additionalMatchOptions": [
{
"positiveMatch": false,
"type": "NetworkListCondition",
"values": [
"18198_DSWINTERNALTESTIPADDRES",
"7054_FEOSERVERS"
]
},
{
"positiveMatch": false,
"type": "UserAgentCondition",
"values": [
"soasta",
"MovableInk"
]
}
],
"queryParameters": [
{
"name": "productId",
"positiveMatch": true,
"valueInRange": false,
"values": [
"BUB_12",
"SUSH_11"
]
}
],
"bodyParameters": [
{
"name": "Country",
"positiveMatch": true,
"valueInRange": false,
"values": [
"USA",
"Canada"
]
}
]
}
]
}
Sample PUT request:
{
"id": 2234,
"matchType": "path",
"type": "WAF",
"name": "Test_Paths 2",
"description": "AFW Test Extensions",
"averageThreshold": 5,
"burstThreshold": 10,
"clientIdentifier": "ip",
"useXForwardForHeaders": true,
"requestType": "ClientRequest",
"sameActionOnIpv6": false,
"pathMatchType": "Custom",
"pathUriPositiveMatch": true,
"hostnames": [
"www.myexamplehostname.org"
],
"path": {
"positiveMatch": true,
"values": [
"/login/",
"/path/"
]
},
"fileExtensions": {
"positiveMatch": false,
"values": [
"3g2",
"3gp",
"aif",
"aiff",
"au",
"avi",
"bin",
"bmp",
"cab"
]
},
"additionalMatchOptions": [
{
"positiveMatch": true,
"type": "IpAddressCondition",
"values": [
"203.0.113.0"
]
},
{
"positiveMatch": true,
"type": "RequestMethodCondition",
"values": [
"GET"
]
}
],
"queryParameters": [
{
"name": "productId",
"positiveMatch": true,
"valueInRange": false,
"values": [
"BUB_12",
"SUSH_11"
]
}
]
}
RatePolicy members
| Member | Type | Required | Description |
|---|---|---|---|
RatePolicy: Contains details about a rate policy. |
|||
additional |
Rate |
○ | The list of additional match conditions. |
apiSelectors |
Rate |
○ | The API endpoints to match in incoming requests. This only applies to the api matchType. |
averageThreshold |
Integer | ✓ | The allowed hits per second during any two-minute interval. |
bodyParameters |
Rate |
○ | The list of body parameters to match on. |
burstThreshold |
Integer | ✓ | The allowed hits per second during any five-second interval. |
clientIdentifier |
Enumeration | ✓ | The client identifier you want to use to identify and track request senders. The value is required only for WAF type, and api-key is supported only for API match criteria. Using ip-useragent is typically more specific than using ip alone when trying to identify a client. Tracking by cookie:value applies to requests per individual session, even if the IP address changes. |
createDate |
String | ○ | Read-only. The time stamp when you created the rate policy. |
description |
String | ○ | Descriptive text you provide about a policy. |
fileExtensions |
Rate |
○ | Contains the file extension match criteria. |
hostnames |
Array | ○ | The hostnames to match. |
id |
Integer | ○ | Read-only. Uniquely identifies each rate policy. |
matchType |
Enumeration | ✓ | The match type in a rate policy. Either path to match website paths or api to match API paths. |
name |
String | ✓ | The name you assign to a rate policy. |
path |
Rate |
○ | Contains details about the path match criteria. |
pathMatchType |
Enumeration | ✓ | The type of paths to match in incoming requests. Either AllRequests to match an empty path or any path that ends in a trailing slash (/), TopLevel to match top-level hostnames only, or Custom to match a specific path or path component. This applies only when the corresponding matchType member is path. |
path |
Boolean | ○ | Whether the condition should trigger on a match (true) or a lack of match (false). |
queryParameters |
Rate |
○ | The list of query parameter objects to match on. |
requestType |
Enumeration | ✓ | The type of requests to count towards the rate policy’s thresholds. Either ClientRequest to count client requests to edge servers, ClientResponse to count edge responses to the client, ForwardResponse to count origin responses to the client, or ForwardRequest to count edge requests to your origin. |
sameActionOnIpv6 |
Boolean | ✓ | Whether to apply the same action to the IPv6 traffic as to the IPv4 traffic. |
type |
Enumeration | ✓ | The rate policy type. Either WAF for Web Application Firewall, or BOTMAN for Bot Manager. |
updateDate |
String | ○ | Read-only. The ISO 8601 timestamp when you last updated the rate policy. |
used |
Boolean | ○ | Read-only. Whether you’re currently using the rate policy. |
use |
Boolean | ○ | Whether to check the contents of the X-Forwarded-For header in incoming requests. |
RatePolicy.additionalMatchOptions[]: The list of additional match conditions. |
|||
positiveMatch |
Boolean | ✓ | Whether the condition should trigger on a match (true) or a lack of match (false). |
type |
Enumeration | ✓ | The match condition type. See Export match condition type values. |
values |
Array | ✓ | The list of values that trigger the condition on match. |
RatePolicy.apiSelectors[]: The API endpoints to match in incoming requests. This only applies to the api matchType. |
|||
apiDefinitionId |
Integer | ✓ | Uniquely identifies each API endpoint. |
definedResources |
Boolean | ○ | When true, match on any resource explicitly added to your API definition without including a resourceId. When false, you’ll need to pass a resourceId. |
resourceIds |
Array | ○ | The unique identifiers of the endpoint’s resources. |
undefined |
Boolean | ○ | When true, match on any resource you have not explicitly added to your API definition without including a resourceId. When false, you’ll need to pass a resourceId. |
RatePolicy.bodyParameters[]: The list of body parameters to match on. |
|||
name |
String | ✓ | The name you assign to a body parameter. |
positiveMatch |
Boolean | ✓ | Whether the condition should trigger on a match (true) or a lack of match (false). |
valueInRange |
Boolean | ○ | Whether to match a value inside or outside a range. The range format is min:max, for example: 2:4. |
values |
Array | ✓ | The body parameter values. |
RatePolicy.fileExtensions: Contains the file extension match criteria. |
|||
positiveMatch |
Boolean | ✓ | Whether the condition should trigger on a match (true) or a lack of match (false). |
values |
Array | ✓ | The file extensions to match on. |
RatePolicy.path: Contains details about the path match criteria. |
|||
positiveMatch |
Boolean | ✓ | Whether the condition should trigger on a match (true) or a lack of match (false). |
values |
Array | ✓ | The list of paths to match on. |
RatePolicy.queryParameters[]: The list of query parameter objects to match on. |
|||
name |
String | ✓ | The query parameter name. |
positiveMatch |
Boolean | ✓ | Whether the condition should trigger on a match (true) or a lack of match (false). |
valueInRange |
Boolean | ○ | Whether to match a value inside or outside a range. The range format is min:max, for example: 2:4. |
values |
Array | ✓ | The list of query parameter values. |
RatePolicyAction
Contains details about rate policy actions.
Download schema:
ratePolicyActions.json
Sample PUT request:
{
"ratePolicies": [
{
"id": 102718,
"ipv4Action": "alert",
"ipv6Action": "none"
},
{
"id": 102719,
"ipv4Action": "deny",
"ipv6Action": "deny"
},
{
"id": 102720,
"ipv4Action": "alert",
"ipv6Action": "deny"
}
]
}
RatePolicyAction members
| Member | Type | Required | Description |
|---|---|---|---|
RatePolicyAction: Contains details about rate policy actions. |
|||
ratePolicies |
Rate |
✓ | Contains settings for rate policy actions. |
RatePolicyAction.ratePolicies[]: Contains settings for rate policy actions. |
|||
id |
String | ✓ | Read-only. Uniquely identifies each rate policy. |
ipv4Action |
Enumeration | ✓ | The IPv4 action to assign to this rate policy, either alert, deny, or none. Use deny_custom_{custom_deny_id} to apply a custom action instead of Akamai’s default. Run Modify a custom deny action to manage your custom deny actions. If the action is none, the rate policy is inactive in the policy. |
ipv6Action |
Enumeration | ✓ | The IPv6 action to assign to this rate policy, either alert, deny, or none. Use deny_custom_{custom_deny_id} to apply a custom action instead of Akamai’s default. Run Modify a custom deny action to manage your custom deny actions. If the action is none, the rate policy is inactive in the policy. |
SlowPostProtection
Contains threshold and action settings for slow POST protection.
Download schema:
slowPostProtectionDto.json
Sample GET request:
{
"action": "alert",
"slowRateThreshold": {
"rate": 10,
"period": 50
},
"durationThreshold": {
"timeout": 5
}
}
SlowPostProtection members
| Member | Type | Required | Description |
|---|---|---|---|
SlowPostProtection: Contains threshold and action settings for slow POST protection. |
|||
action |
Enumeration | ✓ | Specifies the action that the rule should trigger. Either alert or abort. |
duration |
Slow |
○ | If the edge server doesn’t receive the first eight kilobytes of the POST body transfer within the specified time, the specified action in the policy is applied. |
slow |
Slow |
○ | The average rate in bytes per second over a period of time that you specify before an action (alert or abort) in the policy triggers. For example, if you set the slowRateThreshold to an average of 10 bytes per second in a 60 second period and a request comes in at an average of 5 bytes per second in a 60 second period, the action you specified in the policy triggers. |
SlowPostProtection.durationThreshold: If the edge server doesn’t receive the first eight kilobytes of the POST body transfer within the specified time, the specified action in the policy is applied. |
|||
timeout |
Integer | ✓ | Number of seconds from the time a request starts to the value specified in the timeout. If the timeout value is reached, the action specified in the policy applies. For example, if the timeout is 30 seconds and a request reaches 30 seconds without completing, the action in the policy triggers. |
SlowPostProtection.slowRateThreshold: The average rate in bytes per second over a period of time that you specify before an action (alert or abort) in the policy triggers. For example, if you set the slowRateThreshold to an average of 10 bytes per second in a 60 second period and a request comes in at an average of 5 bytes per second in a 60 second period, the action you specified in the policy triggers. |
|||
period |
Integer | ✓ | The slow rate period value. The amount of time in seconds of how long the server should accept a request to determine whether a POST request is too slow. |
rate |
Integer | ✓ | The rate threshold value. How many bytes per second is considered a slow request. For example, 10 bytes or less per second. |
CustomRule
Contains settings for a custom rule.
Download schema:
customRule-schema.json, customRules-schema.json
Sample GET response:
{
"id": 661699,
"name": "Fat Rule",
"description": "Can I create all conditions?",
"version": 1,
"ruleActivated": false,
"tag": [
"test"
],
"conditions": [
{
"type": "requestMethodMatch",
"positiveMatch": true,
"value": [
"GET",
"CONNECT",
"TRACE",
"PUT",
"POST",
"OPTIONS",
"DELETE",
"HEAD"
]
},
{
"type": "pathMatch",
"positiveMatch": true,
"value": [
"/H",
"/Li",
"/He"
]
},
{
"type": "extensionMatch",
"positiveMatch": true,
"valueWildcard": true,
"valueCase": true,
"value": [
"Li",
"He",
"H"
]
},
{
"type": "filenameMatch",
"positiveMatch": true,
"valueWildcard": false,
"valueCase": false,
"value": [
"He",
"H",
"Li"
]
},
{
"type": "requestProtocolVersionMatch",
"positiveMatch": true,
"value": "HTTP/0.9"
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true,
"name": [
"H",
"He"
],
"value": [
"Li",
"He",
"H"
]
},
{
"type": "requestHeaderMatch",
"positiveMatch": true,
"valueCase": true,
"valueWildcard": true,
"nameWildcard": true,
"name": [
"He"
],
"value": [
"C",
"Be",
"B"
]
},
{
"type": "headerOrderMatch",
"positiveMatch": true,
"value": "H:He"
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "H",
"nameWildcard": true,
"nameCase": true,
"valueCase": true,
"valueWildcard": true,
"value": [
"H",
"He",
"Li"
]
},
{
"type": "cookieMatch",
"positiveMatch": true,
"name": "Be",
"nameWildcard": true,
"nameCase": true,
"valueCase": true,
"valueWildcard": true,
"value": [
"O",
"N",
"C"
]
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "C",
"nameCase": true,
"nameWildcard": true,
"valueWildcard": true,
"valueCase": true,
"value": [
"Carbon",
"C"
]
},
{
"type": "uriQueryMatch",
"positiveMatch": true,
"name": "N",
"nameCase": false,
"nameWildcard": false,
"valueWildcard": false,
"valueCase": false,
"value": [
"Nitrogen",
"N"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "H",
"value": [
"H",
"Hydrogen"
]
},
{
"type": "argsPostMatch",
"positiveMatch": true,
"name": "He",
"value": [
"He",
"Helium"
]
},
{
"type": "argsPostNamesMatch",
"positiveMatch": true,
"value": [
"Carbon",
"Oxygen",
"Nitrogen",
"Chlorine"
]
},
{
"type": "clientCertPresentMatch",
"positiveMatch": true
},
{
"type": "clientCertValidMatch",
"positiveMatch": true
},
{
"type": "clientTlsFingerprintMatch",
"positiveMatch": true,
"value": [
"aebbfa8e53e8661f"
]
},
{
"type": "hostMatch",
"positiveMatch": true,
"value": [
"example.com",
"*.Nitrogen.gb"
]
}
]
}
CustomRule members
| Member | Type | Required | Description |
|---|---|---|---|
CustomRule: Contains settings for a custom rule. |
|||
conditions |
Custom |
○ | Contains the details about the condition that triggers the custom rule. |
description |
String | ○ | The custom rule description. |
id |
Integer | ○ | Uniquely identifies the rule. |
inspectRequest |
Boolean | ○ | Read-only. Whether to inspect the HTTP request for unstructured custom rules. |
inspectResponse |
Boolean | ○ | Read-only. Whether to inspect the HTTP response for unstructured custom rules. |
link |
String | ○ | The link to the full custom rule definition. This member is only available when you run the List custom rules operation. |
metadata |
String | ○ | Read-only. The metadata you provided for unstructured custom rules. |
name |
String | ✓ | The custom rule name. |
ruleActivated |
Boolean | ○ | Read-only. Whether the rule is active in the configuration. |
status |
Enumeration | ○ | The custom rule deployment status. Either activated if a rule is enabled in at least one security policy within a security configuration currently active in production, published if a rule is associated with at least one security policy in an inactive security configuration, or unused if a rule exists as a shared resource, but isn’t associated with any security policy. This member is only available when you run the List custom rules operation. |
structured |
Boolean | ○ | Read-only. Whether you created the rule with the structured custom rule builder or free-form XML. |
tag |
Array | ○ | A list of labels you assigned to a custom rule. |
version |
Integer | ○ | The custom rule version. |
CustomRule.conditions[]: Contains the details about the condition that triggers the custom rule. |
|||
name |
Array, String | ○ | The list of names that trigger the condition when matched or not matched. Depending on the condition type, can either be a string or an array. |
nameCase |
Boolean | ○ | Whether to consider the case-sensitivity of the provided query parameter name. This only applies to the uriQueryMatch condition type. |
nameWildcard |
Boolean | ○ | Whether the provided header name is a wildcard. This only applies to the requestHeaderMatch condition type. |
positiveMatch |
Boolean | ○ | Whether the condition should trigger on a match (true) or a lack of match (false). |
type |
Enumeration | ○ | The type of condition. See CustomRule condition type values. |
value |
Array, String | ○ | The list of values that trigger the condition when matched or not matched. Depending on the condition type, can either be a string or an array. |
valueCase |
Boolean | ○ | Whether to consider the case-sensitivity of the provided header value. This only applies to the requestHeaderMatch condition type. |
valueWildcard |
Boolean | ○ | Whether the provided header value is a wildcard. This only applies to the requestHeaderMatch condition type. |
CustomRule condition type values
You can specify any of these values as a CustomRule
condition type:
| type value… | Matches on… |
|---|---|
argsPostMatch |
POST request body parameters |
argsPostNamesMatch |
POST request body parameter names |
clientCertPresentMatch |
Presence of a client certificate |
clientCertValidMatch |
Validity of a client certificate |
clientTlsFingerprintMatch |
A client’s TLS fingerprint |
cookieMatch |
Cookies |
extensionMatch |
Extensions |
filenameMatch |
File names |
headerOrderMatch |
A specific order of headers |
hostMatch |
Host templates |
ipMatch |
IP addresses |
pathMatch |
Paths |
requestHeaderMatch |
Request headers |
requestMethodMatch |
Request methods |
requestProtocolVersionMatch |
Request protocol versions |
uriQueryMatch |
Query parameters |
CustomRuleActions
Contains settings for custom rule actions.
Download schema:
customRuleActions.json
Sample GET response:
{
"customRules": [
{
"action": "alert",
"link": "/appsec/v1/configs/16400/custom-rules/622918",
"name": "Custom Rule Example 1",
"id": 622918
},
{
"action": "none",
"link": "/appsec/v1/configs/16400/custom-rules/657604",
"name": "Custom Rule Example 2",
"id": 657604
},
{
"action": "deny",
"link": "/appsec/v1/configs/16400/custom-rules/615894",
"name": "Custom Rule Example 3",
"id": 615894
}
]
}
CustomRuleActions members
| Member | Type | Required | Description |
|---|---|---|---|
CustomRuleActions: Contains settings for custom rule actions. |
|||
action |
Enumeration | ✓ | The action to assign to this custom rule, either alert, deny, or none. Use deny_custom_{custom_deny_id} to apply a custom action instead of Akamai’s default. Run Modify a custom deny action to manage your custom deny actions. If the action is none, the rule is inactive in the policy. |
id |
Integer | ○ | The rule ID. |
link |
String | ✓ | Read-only. The link to additional information about the rule associated with this policy or the latest version of a rule if action is set to none (unassociated). |
name |
String | ✓ | Read-only. The name you assign to the custom rule. |
status |
Enumeration | ○ | Read-only. The custom rule action’s activation status. The custom rule deployment status. Either activated if a rule is enabled in at least one security policy within a security configuration currently active in production, published if a rule is associated with at least one security policy in an inactive security configuration, or unused if a rule exists as a shared resource, but isn’t associated with any security policy. |
version |
Integer | ○ | Read-only. The rule version. |
ApiConstraints
Sets various API constraint actions, which apply when an API constraint is triggered by a request.
Download schema:
apiRequestConstraintsActionPutRequest.json
Sample PUT request:
{
"action": "alert"
}
ApiConstraints members
| Member | Type | Required | Description |
|---|---|---|---|
ApiConstraints: Sets various API constraint actions, which apply when an API constraint is triggered by a request. |
|||
action |
Enumeration | ✓ | The action to assign to API request constraints, either alert, deny, or none. Use deny_custom_{custom_deny_id} to apply a custom action instead of Akamai’s default. Run Modify a custom deny action to manage your custom deny actions. If the action is none, the rule is inactive in the policy. |
ApiEndpoint
API Endpoint JSON Properties
Download schema:
apiEndpoint.json
Sample GET request:
{
"apiEndpoints": [
{
"id": 619183,
"name": "Orders",
"basePath": "/v1/orders",
"requestConstraintsEnabled": false,
"apiEndPointHosts": [
"sg.akamai.com"
],
"stagingVersion": {
"status": "ACTIVE",
"versionNumber": 1
},
"productionVersion": {
"status": "ACTIVE",
"versionNumber": 1
}
},
{
"id": 624913,
"name": "Catalog",
"basePath": "/v1/catalog",
"requestConstraintsEnabled": true,
"apiEndPointHosts": [
"sg.akamai.com"
],
"stagingVersion": {
"status": "ACTIVE",
"versionNumber": 1
},
"productionVersion": {
"status": "ACTIVE",
"versionNumber": 1
}
}
]
}
ApiEndpoint members
| Member | Type | Required | Description |
|---|---|---|---|
ApiEndpoint: API Endpoint JSON Properties |
|||
apiEndPointHosts |
Array | ○ | The set of hostnames that allow access to this API. |
apiResources |
Api |
○ | A list of this API endpoint’s functional URL patterns. |
basePath |
String | ○ | The API endpoint’s base path. |
categories |
Api |
○ | The categories this API endpoint belongs to. |
id |
Number | ○ | A unique identifier for an API endpoint. |
name |
String | ○ | The name for this API endpoint. |
production |
Api |
○ | Summarizes this API endpoint’s current deployment on Akamai’s production network. |
request |
Boolean | ○ | Whether to allow API constraints for this endpoint. |
stagingVersion |
Api |
○ | Summarizes this API endpoint’s current deployment on Akamai’s staging network. |
ApiEndpoint.apiResources[]: A list of this API endpoint’s functional URL patterns. |
|||
id |
Number | ○ | A unique identifier an API resource. |
name |
String | ○ | The name for an API resource. |
path |
String | ○ | The path for an API resource. |
ApiEndpoint.categories[]: The categories this API endpoint belongs to. |
|||
categoryId |
Number | ○ | A unique identifier for a category. |
categoryName |
String | ○ | The name for a category. |
ApiEndpoint.productionVersion: Summarizes this API endpoint’s current deployment on Akamai’s production network. |
|||
status |
String | ○ | The production status. |
versionNumber |
Number | ○ | The production version number. |
ApiEndpoint.stagingVersion: Summarizes this API endpoint’s current deployment on Akamai’s staging network. |
|||
status |
String | ○ | The staging status. |
versionNumber |
Number | ○ | The staging version number. |
AttackGroup
Describes the attack group object. Currently, the only member in an attack group object is the action.
Download schema:
securityPolicyGetAttackGroupsActionsSuccess.json
Sample GET request:
{
"attackGroupActions": [
{
"action": "deny",
"group": "TOOL"
},
{
"action": "none",
"group": "PROTOCOL"
},
{
"action": "alert",
"group": "SQL"
},
{
"action": "deny",
"group": "XSS"
},
{
"action": "deny",
"group": "LFI"
},
{
"action": "deny",
"group": "RFI"
},
{
"action": "deny",
"group": "CMDI"
},
{
"action": "none",
"group": "PLATFORM"
}
]
}
AttackGroup members
| Member | Type | Required | Description |
|---|---|---|---|
AttackGroup: Describes the attack group object. Currently, the only member in an attack group object is the action. |
|||
attack |
Attack |
○ | Attack Group JSON Properties. |
AttackGroup.attackGroupActions[]: Attack Group JSON Properties. |
|||
action |
Enumeration | ✓ | The attack group action, either alert, deny, or none. If the action is none, the attack group is inactive in the security policy. |
group |
String | ✓ | The ID for the attack group. |
Mode
The GET Response JSON for the security policy mode
Download schema:
securityPolicyGetModeSuccess.json
Sample GET response:
{
"mode": "KRS",
"current": "KRS 1.0 (Apr 20, 2020)",
"eval": "disabled"
}
Mode members
| Member | Type | Required | Description |
|---|---|---|---|
Mode: The GET Response JSON for the security policy mode |
|||
current |
String | ○ | The current rule set version and the ISO 8601 date the rule set version was introduced. This date acts like a version number. |
eval |
Boolean | ○ | Whether the evaluation mode is enabled or disabled. |
evaluating |
String | ○ | The evaluation rule set version and the ISO 8601 date the evaluation starts. |
expires |
String | ○ | The ISO 8601 time stamp when the evaluation is expiring. This value only appears when eval is set to enabled. |
mode |
Enumeration | ✓ | The security policy mode. Use KRS to update manually, or AAG to update automatically. For Adaptive Security Engine rule sets, use ASE_AUTO for automatic updates to the ASE evaluation rules, or ASE_MANUAL to manually retrieve current evaluation rules. When not specified, the mode uses default settings. For a KRS 1.0 policy, that means using the KRS 1.0 rule set. |
Action
Describes the members of a rule’s actions.
Download schema:
securityPolicyGetRuleActionsSuccess.json
Sample GET response:
{
"ruleActions": [
{
"action": "alert",
"id": 699989
},
{
"action": "alert",
"id": 699990
},
{
"action": "alert",
"id": 699991
},
{
"action": "alert",
"id": 699992
},
{
"action": "alert",
"id": 699993
},
{
"action": "alert",
"id": 699994
}
]
}
Action members
| Member | Type | Required | Description |
|---|---|---|---|
Action: Describes the members of a rule’s actions. |
|||
ruleActions |
Action. |
○ | The list of rule actions, either alert, deny, deny_custom_{custom_deny_id}, or none. If the action is none, the rule is inactive in the policy. |
Action.ruleActions[]: The list of rule actions, either alert, deny, deny_custom_{custom_deny_id}, or none. If the action is none, the rule is inactive in the policy. |
|||
action |
Enumeration | ✓ | The list of rule actions, either alert, deny, or none. Use deny_custom_{custom_deny_id} to apply a custom action instead of Akamai’s default. Run Modify a custom deny action to manage your custom deny actions. If the action is none, the rule is inactive in the policy. |
id |
Integer | ✓ | The unique identifier for each rule. |
PenaltyBox
Contains action settings for penalty box protection.
Download schema:
penaltyBoxDto.json
Sample GET response:
{
"action": "alert",
"penaltyBoxProtection": true
}
PenaltyBox members
| Member | Type | Required | Description |
|---|---|---|---|
PenaltyBox: Contains action settings for penalty box protection. |
|||
action |
Enumeration | ○ | Specifies the action for penalty box. Either alert, deny, or none. Use deny_custom_{custom_deny_id} to apply a custom action instead of Akamai’s default. Run Modify a custom deny action to manage your custom deny actions. |
penalty |
Boolean | ✓ | Specifies whether penalty box protection is enabled for the security policy. When set to true the action occurs if triggered by a request. |
ReputationProfile
Contains details about a reputation profile.
Download schema:
reputationProfile.json
ReputationProfile members
| Member | Type | Required | Description |
|---|---|---|---|
ReputationProfile: Contains details about a reputation profile. |
|||
condition |
Reputation |
○ | Contains information about the criteria that trigger the reputation profile. |
context |
Enumeration | ✓ | Identifies the reputation category. Web scrapers (WEBSCRP) crawl sites and collect data like hotel rates, product prices, store locations, and more. DoS attackers (DOSATCK) are web clients or botnets that use automated tools to launch volumetric Denial of Service (DoS) attacks. Web attackers (WEBATCK) target websites and web apps with techniques like SQL injection, remote file inclusion, or cross-site scripting. Scanning tools (SCANTL) probe web apps for vulnerabilities during an attack’s reconnaissance phase. |
contextReadable |
String | ○ | Read-only. Describes the reputation category. |
description |
String | ○ | Describes the reputation profile. |
enabled |
Boolean | ○ | Read-only. Whether you enabled the reputation profile. |
id |
Integer | ○ | Read-only. Uniquely identifies the reputation profile. |
name |
String | ✓ | The name you assigned to the reputation profile. |
sharedIpHandling |
Enumeration | ✓ | Identifies the IP sharing. Either NON_SHARED, SHARED_ONLY, BOTH. |
threshold |
Number | ✓ | The threshold when the profile to triggers. |
ReputationProfile.condition: Contains information about the criteria that trigger the reputation profile. |
|||
atomicConditions |
Reputation |
○ | The conditions that trigger the reputation profile. |
positiveMatch |
Boolean | ○ | Whether the condition should trigger on a match (true) or a lack of match (false). |
ReputationProfile.condition.atomicConditions[]: The conditions that trigger the reputation profile. |
|||
positiveMatch |
Boolean | ○ | Whether the condition should trigger on a match (true) or a lack of match (false). |
type |
Enumeration | ○ | The condition type. For available values, see Condition Values. |
value |
Array | ○ | The list of values that trigger the condition. |
valueCase |
Boolean | ○ | Whether to consider the character case when comparing the value string with the request value. The default is false, meaning that a value such as url would match a string UrL in the request. |
valueWildcard |
Boolean | ○ | Whether to treat the asterisk (*) and question mark (?) as wildcards when comparing the value string with the request value. Note that setting this to false isn’t supported by the host condition, and means that the value string must match exactly. |
Condition values
Set these conditions to apply a reputation based on the content of the conditions. If you set multiple conditions, the request needs to match them all for the profile to apply.
| Condition name | Description |
|---|---|
NetworkListCondition |
Apply the profile to requesting clients within specific network lists. |
AsNumberCondition |
Autonomous System Number (ASN) identifies the network from which the request originated. |
IpAddressCondition |
Apply the profile by the IP/CIDR of the requesting client. |
RequestCookieCondition |
Apply the profile based on a cookie. Use the ? wildcard to replace any single character and * to replace a string of characters. You can also match on case sensitivity. |
RequestHeaderCondition |
Match on a specific header and its value. |
HostCondition |
Apply the reputation profile to specific domains. Use the ? wildcard to replace any single character and * to replace a string of characters. |
UrlPatternCondition |
Apply the profile when a client requests a specific path. |
ReputationProfileAction
The GET Response JSON for reputation profile actions.
Download schema:
reputationProfileGetActionsSuccess.json
Sample GET request:
{
"action": "alert"
}
ReputationProfileAction members
| Member | Type | Required | Description |
|---|---|---|---|
ReputationProfileAction: The GET Response JSON for reputation profile actions. |
|||
reputation |
Reputation |
○ | Reputation Profile JSON Properties |
ReputationProfileAction.reputationProfiles[]: Reputation Profile JSON Properties |
|||
action |
Enumeration | ✓ | The action for the reputation profile. Use alert to record the trigger of the event, deny to block the request, or none to take no action. Use deny_custom_{custom_deny_id} to apply a custom action instead of Akamai’s default. Run Modify a custom deny action to manage your custom deny actions. |
id |
Integer | ✓ | The unique identifier for a Reputation Profile. |
ReputationAnalysis
The PUT Request JSON for reputation analysis settings.
Download schema:
reputationAnalysisSettingsPutRequest.json
Sample PUT request:
{
"action": "alert"
}
ReputationAnalysis members
| Member | Type | Required | Description |
|---|---|---|---|
ReputationAnalysis: The PUT Request JSON for reputation analysis settings. |
|||
forward |
Boolean | ○ | Whether to enable the option to add value indicating that shared IPs are included in HTTP header and SIEM integration when used. |
forward |
Boolean | ○ | Whether to enable the option to add client reputation details to requests forwarded to origin in an HTTP header. |
SIEM
Contains Security Information Event Management (SIEM) integration settings.
Download schema:
siemSettings.json
Sample GET request:
{
"enableForAllPolicies": false,
"enableSiem": true,
"enabledBotmanSiemEvents": false,
"siemDefinitionId": 1,
"firewallPolicyIds": [
"qik2_38799",
"4444_44572",
"teet_39295",
"ds22_48583"
]
}
SIEM members
| Member | Type | Required | Description |
|---|---|---|---|
SIEM: Contains Security Information Event Management (SIEM) integration settings. |
|||
enabled |
Boolean | ○ | Whether you enabled SIEM for the Bot Manager events. |
enable |
Boolean | ○ | Whether you enabled SIEM for all the security policies in the configuration version. |
enableSiem |
Boolean | ✓ | Whether you enabled SIEM in a security configuration version. |
firewall |
Array | ○ | The list of security policy identifiers for which to enable the SIEM integration. |
siemDefinitionId |
Integer | ○ | Uniquely identifies the SIEM settings. |
Protections
The PUT Request JSON for security policy protections.
Download schema:
securityPolicySetProtectionsRequest.json
Sample PUT request:
{
"applyApiConstraints": false,
"applyApplicationLayerControls": true,
"applyNetworkLayerControls": true,
"applyRateControls": true,
"applySlowPostControls": true,
"applyReputationControls": true
}
Protections members
| Member | Type | Required | Description |
|---|---|---|---|
Protections: The PUT Request JSON for security policy protections. |
|||
apply |
Boolean | ○ | When enabled, this protection responds to triggers with a specified action. |
apply |
Boolean | ○ | When enabled, your security policy applies the Web Application Firewall controls to your traffic. |
apply |
Boolean | ○ | When enabled, your security policy applies the network layer control settings to your traffic. |
apply |
Boolean | ○ | When enabled, your security policy applies the rate control settings to your traffic. Rate controls monitor and flag traffic too fast to be from a human. |
apply |
Boolean | ○ | When enabled, your security policy applies the reputation profile settings to your traffic. Reputation profile analyzes IP addresses based on their prior interactions with Akamai customers, then alerts on or blocks potentially malicious IP addresses from issuing requests |
apply |
Boolean | ○ | When enabled, your security policy applies the slow post protection settings to your traffic. Slow post protection prevents requests that take too long to complete, tying up a web server and risking a Denial-of-Service to your users. |
Activation
Contains activation settings for a configuration version.
Download schema:
activations-request.json, activation-status.json
Sample POST request:
{
"action": "ACTIVATE",
"network": "STAGING",
"note": "Free text notes",
"notificationEmails": [
"a@example.com",
"b@example.com"
],
"activationConfigs": [
{
"configId": 1,
"configVersion": 4
}
]
}
Sample GET response:
{
"dispatchCount": 1,
"activationId": 1234,
"action": "ACTIVATE",
"status": "RECEIVED",
"network": "PRODUCTION",
"estimate": "PTM5",
"createdBy": "user1",
"createDate": "2013-10-07T17:41:52+00:00",
"activationConfigs": [
{
"configId": 1,
"configName": "config 1",
"configVersion": 4,
"previousConfigVersion": 2
}
]
}
Activation members
| Member | Type | POST | GET | Description | ||||
|---|---|---|---|---|---|---|---|---|
Activation: Contains activation settings for a configuration version. |
||||||||
acknowledged |
Array | ○ | ✗ | The list of invalid hostnames in the security configuration to activate. In some cases, you may want to activate a security configuration with hostnames that WAF can’t protect (for example, hostnames not managed as Akamai properties, or managed under a different contract than the configuration). By default, the existence of invalid hostnames blocks activation with a warning. The warning includes the names of the invalid hostnames. If you want to activate a configuration with invalid hostnames, enter the hostnames in this array. This field is now deprecated. Use acknowledgedInvalidHostsByConfig instead. |
||||
acknowledged |
Activation. |
○ | ✗ | The list of invalid hostnames per security configuration to activate. In some cases, you may want to activate a security configuration with hostnames that WAF can’t protect (for example, hostnames not managed as Akamai properties, or managed under a different contract than the configuration). By default, the existence of invalid hostnames blocks activation with a warning. The warning includes the names of the invalid hostnames. If you want to activate a configuration with invalid hostnames, enter the hostnames and the configuration ID in this array. | ||||
action |
Enumeration | ✓ | ✓ | The action to take, either ACTIVATE or DEACTIVATE. |
||||
activation |
Activation. |
✓ | ✓ | Specifies the security configuration and version to activate or deactivate. | ||||
activationId |
Number | ✗ | ✓ | Uniquely identifies the activation. | ||||
completionDate |
String | ✗ | ○ | Read-only. The ISO 8601 timestamp at which the activation reaches a steady state and validates across the Akamai network. | ||||
createDate |
String | ✗ | ✓ | Read-only. The ISO 8601 timestamp at which the activation request was submitted. | ||||
createdBy |
String | ✗ | ✓ | Read-only. The user who created the activation request. | ||||
dispatchCount |
Integer | ✗ | ○ | Read-only. The number of times which this activation has been dispatched to the Akamai edge network. A number greater than 1 indicates that this activation may be retried due to network safety concerns. | ||||
estimate |
String | ✗ | ○ | The estimated time remaining to complete the activation in ISO 8601 duration format, starting when the response is generated. | ||||
network |
Enumeration | ✓ | ✓ | The target Akamai activation environment, either STAGING or PRODUCTION. |
||||
note |
String | ○ | ✗ | The notes you entered for the activation. | ||||
notification |
Array | ○ | ✗ | The email addresses to notify when the activation happens. | ||||
status |
Enumeration | ✗ | ✓ | The current activation status, either RECEIVED, LIVE, DEPLOYED, CANCELING, STOPPED, REMOVED, ROLLBACK, ACTIVATED, FAILED, CANCELLING, or UNDEPLOYED. |
||||
Activation.acknowledgedInvalidHostsByConfig[]: The list of invalid hostnames per security configuration to activate. In some cases, you may want to activate a security configuration with hostnames that WAF can’t protect (for example, hostnames not managed as Akamai properties, or managed under a different contract than the configuration). By default, the existence of invalid hostnames blocks activation with a warning. The warning includes the names of the invalid hostnames. If you want to activate a configuration with invalid hostnames, enter the hostnames and the configuration ID in this array. |
||||||||
configId |
Number | ✓ | ✗ | Uniquely identifies the security configuration with invalid hostnames. | ||||
invalidHosts |
Array | ✓ | ✗ | The list of invalid hostnames in the security configuration. | ||||
Activation.activationConfigs[]: Specifies the security configuration and version to activate or deactivate. |
||||||||
configId |
Number | ✓ | ✓ | The origin identifier or destination configuration to activate. | ||||
configName |
String | ✗ | ○ | The name you assigned to the configuration. This field is provided for information purposes and only appears in the API output. | ||||
configVersion |
Number | ✓ | ✓ | The origin version or destination configuration to activate. | ||||
previous |
Number | ✗ | ○ | Read-only. The previous active configuration version. | ||||
Export
Contains details about an exported security configuration version.
Download schema:
export.json
Sample GET response:
{
"configId": 48579,
"configName": "New Security Config",
"version": 2,
"basedOn": 1,
"createDate": "2017-09-08T22:24:41Z",
"createdBy": "disharma",
"selectableHosts": [
"www.example1.com",
"www.example2.com"
],
"selectedHosts": [
"www.example3.com",
"www.example4.com"
],
"staging": {
"status": "Inactive"
},
"production": {
"status": "Inactive"
},
"matchTargets": {
"websiteTargets": [
{
"type": "website",
"defaultFile": "NO_MATCH",
"id": 1362593,
"isNegativeFileExtensionMatch": false,
"isNegativePathMatch": false,
"sequence": 1,
"fileExtensions": [
"jpg"
],
"filePaths": [
"/path"
],
"effectiveSecurityControls": {
"applyApplicationLayerControls": true,
"applyApiConstraints": true,
"applyNetworkLayerControls": false,
"applyRateControls": true,
"applyReputationControls": false,
"applySlowPostControls": false
},
"securityPolicy": {
"policyId": "qik3_38800"
},
"bypassNetworkLists": [
{
"id": "11212_BYPASSURR",
"name": "bypass-URR"
}
]
},
{
"type": "website",
"defaultFile": "NO_MATCH",
"id": 1362594,
"isNegativeFileExtensionMatch": false,
"isNegativePathMatch": false,
"sequence": 2,
"filePaths": [
"/images",
"/image1",
"/path"
],
"hostnames": [
"b2c.div1.akamaniac.com"
],
"effectiveSecurityControls": {
"applyApplicationLayerControls": true,
"applyApiConstraints": true,
"applyNetworkLayerControls": true,
"applyRateControls": true,
"applyReputationControls": true,
"applySlowPostControls": false
},
"securityPolicy": {
"policyId": "qik2_38799"
}
}
],
"apiTargets": [
{
"type": "api",
"id": 1362597,
"sequence": 6,
"effectiveSecurityControls": {
"applyApplicationLayerControls": false,
"applyApiConstraints": false,
"applyNetworkLayerControls": false,
"applyRateControls": true,
"applyReputationControls": false,
"applySlowPostControls": false
},
"securityPolicy": {
"policyId": "99e_47293"
},
"apis": [
{
"id": 1041,
"name": "hmm test"
}
],
"bypassNetworkLists": [
{
"id": "1024_AMAZONELASTICCOMPUTECLOU",
"name": "Ec2 Akamai Network List"
},
{
"id": "1283_MICROSOFTWINDOWSAZUREDAT",
"name": "Azure IP range cloud services"
}
]
},
{
"type": "api",
"id": 1362598,
"sequence": 7,
"effectiveSecurityControls": {
"applyApplicationLayerControls": false,
"applyApiConstraints": true,
"applyNetworkLayerControls": true,
"applyRateControls": false,
"applyReputationControls": true,
"applySlowPostControls": false
},
"securityPolicy": {
"policyId": "4444_44572"
},
"apis": [
{
"id": 1001,
"name": "1001"
},
{
"id": 1041,
"name": "hmm test"
}
],
"bypassNetworkLists": [
{
"id": "11212_BYPASSURR",
"name": "bypass-URR"
}
]
}
]
},
"siem": {
"configId": 77653,
"configVersion": 22,
"enableForAllPolicies": false,
"enableSiem": true,
"enabledBotmanSiemEvents": false,
"siemDefinitionId": 1,
"firewallPolicyIds": [
"qik2_38799",
"4444_44572",
"teet_39295",
"ds22_48583"
]
},
"advancedOptions": {
"logging": {
"allowSampling": true,
"cookies": {
"type": "exclude",
"values": [
"_updated_By_SoapUI",
"w",
"NEW_VAL_ADDED_BY_SoapUI"
]
},
"customHeaders": {
"type": "only",
"values": [
"112",
"sdasd",
"ds"
]
},
"standardHeaders": {
"type": "only"
}
},
"prefetch": {
"allExtensions": false,
"enableAppLayer": true,
"enableRateControls": false,
"extensions": [
"cgi",
"jsp",
"EMPTY_STRING",
"aspx",
"php",
"py",
"asp"
]
},
"pragmaHeader": {
"action": "REMOVE",
"conditionOperator": "AND",
"override": true,
"excludeCondition": [
{
"header": "Expect",
"positiveMatch": true,
"type": "requestHeaderValueMatch",
"useHeaders": false,
"valueCase": true,
"valueWildcard": true,
"value": [
"dasd"
]
},
{
"positiveMatch": true,
"type": "networkList",
"useHeaders": true,
"valueCase": false,
"valueWildcard": false,
"value": [
"62569_AEPUAT1PARTNERSSTRICTWL"
]
}
]
}
},
"errorHosts": [
{
"reasonCode": 400,
"hostname": "business.example.com",
"reason": "property is not active in either production or staging"
},
{
"reasonCode": 403,
"hostname": "anotherhostname.example.com",
"reason": "You don't have access to this property"
}
],
"ratePolicies": [
{
"averageThreshold": 3,
"burstThreshold": 2,
"clientIdentifier": "",
"createDate": "2017-09-08T22:24:42Z",
"id": 672601,
"matchType": "path",
"name": "dsafsfdsf",
"pathMatchType": "RequestDisabled",
"pathUriPositiveMatch": true,
"requestType": "ClientRequest",
"sameActionOnIpv6": true,
"type": "BOTMAN",
"updateDate": "2017-09-08T22:24:42Z",
"useXForwardForHeaders": false,
"used": false,
"queryParameters": [
{
"name": "dasdasdasd*",
"positiveMatch": true,
"valueInRange": false,
"values": [
"dasdasdas8*&^"
]
}
]
},
{
"averageThreshold": 1000,
"burstThreshold": 10,
"clientIdentifier": "ip",
"createDate": "2017-09-08T22:24:42Z",
"description": "These Shared Resources will be available to all policies within the Security Configuration",
"id": 672607,
"matchType": "path",
"name": "These Shared Resources will be available to all policies within the Security Configuration",
"pathMatchType": "Custom",
"pathUriPositiveMatch": true,
"requestType": "ClientRequest",
"sameActionOnIpv6": true,
"type": "WAF",
"updateDate": "2017-09-08T22:24:42Z",
"useXForwardForHeaders": false,
"used": true,
"additionalMatchOptions": [
{
"positiveMatch": true,
"type": "NetworkListCondition",
"values": [
"25620_REPUTATIONWHITELIST174",
"11212_BYPASSURR"
]
},
{
"positiveMatch": true,
"type": "RequestMethodCondition",
"values": [
"GET",
"HTTP_DELETE"
]
},
{
"positiveMatch": true,
"type": "UserAgentCondition",
"values": [
"MOZILLA",
"Googlebot"
]
},
{
"positiveMatch": true,
"type": "RequestMethodCondition",
"values": [
"GET",
"POST",
"HEAD"
]
},
{
"positiveMatch": true,
"type": "ResponseStatusCondition",
"values": [
"400",
"401",
"402",
"403",
"404",
"405",
"406",
"407",
"408",
"409",
"410",
"500",
"501",
"502",
"503",
"504"
]
}
],
"queryParameters": [
{
"name": "param1",
"positiveMatch": false,
"valueInRange": true,
"values": [
"value1"
]
}
]
}
],
"reputationProfiles": [
{
"context": "SCANTL",
"contextReadable": "Scanning Tools",
"enabled": true,
"id": 210588,
"name": "Scanning Tools (Low Threat)",
"threshold": 5
},
{
"context": "WEBATCK",
"contextReadable": "Web Attackers",
"enabled": false,
"id": 210578,
"name": "Web Attackers (Low Threat)",
"threshold": 5,
"condition": {
"canDelete": false,
"configVersionId": 152889,
"id": 88112456,
"name": "Cloned of 87956156 for version 152889",
"positiveMatch": true,
"uuid": "SEC_COND_88112456",
"version": 1504909482545,
"atomicConditions": [
{
"className": "RequestHeaderCondition",
"index": 1,
"nameWildcard": false,
"positiveMatch": true,
"valueCase": false,
"valueWildcard": false,
"name": [
"test*"
],
"value": [
"test*"
]
},
{
"className": "RequestHeaderCondition",
"index": 2,
"nameWildcard": true,
"positiveMatch": true,
"valueCase": false,
"valueWildcard": true,
"name": [
"Head",
"Header"
],
"value": [
"Header value"
]
},
{
"checkIps": "connecting",
"className": "NetworkListCondition",
"index": 3,
"positiveMatch": true,
"value": [
"14121_IMAGEMANAGERSERVERS"
]
},
{
"className": "RequestCookieCondition",
"index": 4,
"name": "cookieName",