Preventing cross-site scripting, SQL injection for API security

Hi,

We want to secure our APIs from cross-site scripting and SQL injection, and validate the JSON request before sending it to the backend. Are there any out-of-the-box policies for the above security measures?

I know Apigee has JSON threat protection OOB, but can we extend it? Please let me know if there are extensions available for SQL injection, cross-site scripting, etc.

Thanks

Solved

Accepted solution

Hi @Ram,

You cannot extend the pre-built policies. That is what the extension policies are designed to handle.

However, for your use case, it would seem sensible to use multiple protection policies. First, to help with checking the JSON payload, yes, leverage the JSON Protection Policy. The next policy in the flow should be the Regular Expression Protection policy. RegEX Protection Policy is how we recommend checking for SQL injection, Script Injection, etc.

Here's a link: RegEX Protection Policy

Please let me know if you have any further comments. If I have answered your question, please click accept.
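The two-policy layering described in the accepted answer, written out as an added example (these are not the answer's own files or Apigee's documentation samples). The policy names, the numeric limits in the JSON Threat Protection policy, the `$.customer.name` JSONPath and the two regex patterns are illustrative choices made here, not values the thread specifies; the element names themselves are the ones the Apigee policy schemas use.

```xml
<!-- File 1 (illustrative name): apiproxy/policies/JSON-Threat-Protection.xml
     Runs first: rejects structurally abusive JSON (deep nesting, huge arrays,
     oversized strings) before any regex engine touches the body. Limits below
     are example values; size them to the API's real payloads. -->
<JSONThreatProtection async="false" continueOnError="false" enabled="true" name="JSON-Threat-Protection">
    <DisplayName>JSON Threat Protection</DisplayName>
    <Source>request</Source>
    <ContainerDepth>10</ContainerDepth>            <!-- max nesting of objects/arrays -->
    <ArrayElementCount>50</ArrayElementCount>      <!-- max elements in one array -->
    <ObjectEntryCount>30</ObjectEntryCount>        <!-- max keys in one object -->
    <ObjectEntryNameLength>64</ObjectEntryNameLength> <!-- max key length -->
    <StringValueLength>1024</StringValueLength>    <!-- max string value length -->
</JSONThreatProtection>

<!-- File 2 (illustrative name): apiproxy/policies/Regex-Protection.xml
     Runs second: pattern checks for SQL injection and script injection on the
     path, query parameters, a specific JSON field, and the raw body. The
     patterns are illustrative examples of the technique, not a complete
     blocklist. -->
<RegularExpressionProtection async="false" continueOnError="false" enabled="true" name="Regex-Protection">
    <DisplayName>Regex Protection</DisplayName>
    <Source>request</Source>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>

    <!-- Common SQL keywords in the URI path. Anchoring on \b for "or" avoids
         matching words such as "order". -->
    <URIPath>
        <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
    </URIPath>

    <!-- Same SQL check on an example query parameter (name is a placeholder). -->
    <QueryParam name="q">
        <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
    </QueryParam>

    <!-- Script-tag check on one JSON field selected by JSONPath (placeholder path).
         '<' and '>' must be XML-escaped inside the policy file. -->
    <JSONPayload>
        <JSONPath>
            <Expression>$.customer.name</Expression>
            <Pattern>&lt;\s*script\b[^&gt;]*&gt;[^&lt;]+&lt;\s*/\s*script\s*&gt;</Pattern>
        </JSONPath>
    </JSONPayload>

    <!-- Coarse whole-body scan via the request.content flow variable, so a
         script tag hidden in a field not listed above is still caught. -->
    <Variable name="request.content">
        <Pattern>&lt;\s*script\b[^&gt;]*&gt;[^&lt;]+&lt;\s*/\s*script\s*&gt;</Pattern>
    </Variable>
</RegularExpressionProtection>

<!-- File 3: apiproxy/proxies/default.xml (ProxyEndpoint), PreFlow only.
     Step order is what makes the layering work: structure is validated before
     content is pattern-matched. -->
<ProxyEndpoint name="default">
    <PreFlow name="PreFlow">
        <Request>
            <Step><Name>JSON-Threat-Protection</Name></Step>
            <Step><Name>Regex-Protection</Name></Step>
        </Request>
        <Response/>
    </PreFlow>
    <!-- HTTPProxyConnection, RouteRule, etc. omitted -->
</ProxyEndpoint>
```

Both policies raise a fault and stop the flow when a limit is exceeded or a pattern matches, so a client sees a 4xx from the proxy and the backend never receives the request. Keep the JSON Threat Protection step first: it bounds the size and nesting of what the regex step will scan. Treat the regex list as one defence-in-depth layer; the backend still needs parameterised queries and context-aware output encoding, because keyword blocklists can be evaded and also produce false positives on legitimate text containing words like "update".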


3 replies

Hey Ram,

Take a look at the articles linked in this community answer. Mukundha provided some great resources for tackling these types of security concerns.

Thanks Robert and kengilbert for the inputs! I will look into the OOB policies.