Datasheet

Fastly API Security


Fastly's API security enables visibility and protection against OWASP Top 10 API Security Risks, payloads targeting specific API protocols, and much more to protect your APIs everywhere they live.


Application Programming Interfaces (APIs) have taken center stage as modern organizations adopt API-first approaches to application development. With recent studies finding that 83% of all web traffic goes to API endpoints, API security has become a key focus for organizations worldwide.

API security for advanced threats

Fastly’s API security is built into our Next-Generation Web Application Firewall (NGWAF). Our protection enhances your security posture, unifies visibility and decisioning, and empowers application development for organizations making their applications faster, safer, and more engaging.

Enhance your security posture

APIs need protection no matter where they operate. The NGWAF runs natively in any cloud, data center, or container, with deployment options at the code, web server, or API layer. This flexibility gives it visibility into external APIs fronted by tools like Kong or NGINX as well as internal APIs such as those in a service mesh. The NGWAF inspects every request at runtime to drive automated traffic decisions like blocking, rate limiting, and layered rulesets, securing applications against OWASP’s Top 10 API Security Risks, payloads targeting specific API protocols, and the other API threats listed below. Because the NGWAF is deployable anywhere and protects your APIs everywhere, you can scale with a single security partner that protects your applications no matter how you grow.

API Security Categories

| Category | Attack Scenario |
|---|---|
| Unique Identifier Enumeration | Brute forcing sensitive IDs or tokens in APIs that are not searchable or public leads to discovery and exposure of sensitive customer data, unpublished media, payment information, PII, and other confidential data. |
| Account Takeover (credential stuffing) | Attackers use known lists of compromised credentials from common password lists and breach data dumps to try to gain access to customer accounts through authentication APIs. |
| Sensitive API Abuse | Targeting sensitive APIs such as gift card and credit card validation in order to validate stolen credit cards, perform ecommerce gift card fraud, or obtain patient healthcare records. |
| Malicious bots | Malicious automation and bots are used to perform content scraping, tie up system resources, perform account brute forcing, and other actions. |
| Partner misuse | While organizations want to give partners API access to automate workflows, partners can easily and accidentally overwhelm API endpoints, creating resource exhaustion or excessive costs through unintended spikes in API requests. |
| Malicious or disallowed traffic sources | Bad actors using Tor attempt to access APIs from countries or geographies where services aren’t legitimately provided, or attempt to perform transactions from OFAC-sanctioned countries that are blocked for regulatory compliance. |
| Insider Threat | User management APIs abused by insiders to grant elevated access or perform a high number of permission changes. |
| Policy Enforcement | Attempts to use APIs from an untrusted device that does not present the expected cookie or device identifier. |
| OWASP Injection Issues / Virtual Patching | APIs using unpatched or outdated third-party frameworks or libraries, and injection issues such as command execution, XSS, SQL injection, and others. |
| Rate limiting | Malicious attack tooling that performs a high velocity of requests, leading to stolen content or resource exhaustion. |
| Denial of Service | Targeting high-cost APIs such as database queries, search pagination, data exports, etc. |
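As an added illustration (this is not Fastly code and not the NGWAF's own detection logic), the Python sketch below shows how three of the scenarios in the table, unique identifier enumeration, credential stuffing, and rate limiting, can be recognized in API request logs and turned into an automated decision. The log format, the `/api/orders/{id}` path pattern, the presence of an attempted-username field, and every threshold are assumptions chosen for the example.

```python
"""Toy request-log detectors for three API attack categories.

Constructed example, not Fastly code. Each constructed log line has the form
    "<epoch> <client_ip> <method> <path> <status> <user>"
where <user> is the username attempted on a login call and "-" otherwise.
"""
import re
from collections import defaultdict

# Constructed sample log: one client walking order IDs (mostly 404s), one client
# failing logins across many different usernames, and one ordinary client.
SAMPLE_LOG = """\
1700000000 203.0.113.9 GET /api/orders/1001 404 -
1700000001 203.0.113.9 GET /api/orders/1002 404 -
1700000002 203.0.113.9 GET /api/orders/1003 200 -
1700000003 203.0.113.9 GET /api/orders/1004 404 -
1700000004 203.0.113.9 GET /api/orders/1005 404 -
1700000005 203.0.113.9 GET /api/orders/1006 404 -
1700000010 198.51.100.7 POST /api/login 401 alice
1700000011 198.51.100.7 POST /api/login 401 bob
1700000012 198.51.100.7 POST /api/login 401 carol
1700000013 198.51.100.7 POST /api/login 401 dave
1700000014 198.51.100.7 POST /api/login 200 erin
1700000020 192.0.2.44 GET /api/orders/2001 200 -
1700000021 192.0.2.44 POST /api/login 401 frank
1700000022 192.0.2.44 POST /api/login 200 frank
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (GET|POST|PUT|DELETE) (\S+) (\d{3}) (\S+)$")
ID_PATH_RE = re.compile(r"^/api/orders/(\d+)$")  # assumed resource-by-ID route


def parse_log(text):
    """Parse the assumed log format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, method, path, status, user = m.groups()
        events.append({"ts": int(ts), "ip": ip, "method": method,
                       "path": path, "status": int(status), "user": user})
    return events


def detect_id_enumeration(events, min_misses=4):
    """Flag clients that probe many distinct resource IDs and mostly miss (404).

    A legitimate client fetches the IDs it owns; a brute-forcer guesses, so the
    signal is the number of *distinct* IDs that came back not-found per client.
    """
    misses = defaultdict(set)
    for e in events:
        m = ID_PATH_RE.match(e["path"])
        if m and e["status"] == 404:
            misses[e["ip"]].add(m.group(1))
    return sorted(ip for ip, ids in misses.items() if len(ids) >= min_misses)


def detect_credential_stuffing(events, min_users=3):
    """Flag clients whose failed logins span many different usernames.

    One user mistyping a password fails repeatedly on one account; a breach-list
    replay fails across many accounts, which is what this counts.
    """
    failed_users = defaultdict(set)
    for e in events:
        if e["method"] == "POST" and e["path"] == "/api/login" and e["status"] == 401:
            failed_users[e["ip"]].add(e["user"])
    return sorted(ip for ip, users in failed_users.items() if len(users) >= min_users)


def rate_limit_decisions(events, limit=5, window=60):
    """Per-client sliding window: 'allow' until more than `limit` requests
    arrive within `window` seconds, then 'rate-limit' for each excess request."""
    recent = defaultdict(list)
    decisions = []
    for e in sorted(events, key=lambda e: e["ts"]):
        q = recent[e["ip"]]
        q.append(e["ts"])
        while q and q[0] <= e["ts"] - window:  # drop timestamps outside the window
            q.pop(0)
        verdict = "rate-limit" if len(q) > limit else "allow"
        decisions.append((e["ip"], e["ts"], verdict))
    return decisions


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("ID enumeration:", detect_id_enumeration(evs))
    print("Credential stuffing:", detect_credential_stuffing(evs))
    print("Rate-limited:", [(ip, ts) for ip, ts, v in rate_limit_decisions(evs) if v == "rate-limit"])
```

The thresholds are deliberately low so the constructed sample trips them; in practice they would be tuned per endpoint, and the verdict from `rate_limit_decisions` is the kind of signal a WAF turns into a block or rate-limit action at request time rather than in a batch pass over logs.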

Unify visibility and decisioning

API security is better in a platform. The NGWAF offers visibility into all API requests and decisioning logic out of the box, reducing the need for multiple solutions to provide comprehensive Layer 7 protection. By combining these two functionalities, the NGWAF offers analytics that can tell complete application security stories. The story can also be easily shared across the NGWAF’s numerous integrations with Security Information and Event Management (SIEM) platforms like Elastic and Datadog to combine its insights into your overarching security narrative. The NGWAF is a security platform that increases data insights and lowers your total cost of ownership, allowing you to make better informed security decisions and reallocate your budget toward new strategic initiatives.

Empower application development

Your security tech stack shouldn’t be a roadblock to API implementation. Using Fastly’s patented SmartParse contextual detection built into the NGWAF, you can easily protect commonly used REST and SOAP/XML endpoints as well as the more recently popularized GraphQL, gRPC, and WebSocket endpoints. This coverage includes GraphQL inspection, which parses the contents of requests to ensure malicious payloads aren’t hidden within the call. The NGWAF lets application developers ship releases faster and build better customer experiences, because they can adopt the latest APIs without negative security implications.

Get more from your API security

As you expose additional API endpoints, their security shouldn’t be a concern. Join leading companies like DoorDash and Duo, who trust the NGWAF to protect their APIs and more. Contact us to get started.
