Fastly API Security
Fastly's API security enables visibility and protection against OWASP Top 10 API Security Risks, payloads targeting specific API protocols, and much more to protect your APIs everywhere they live.
Application Programming Interfaces (APIs) have taken center stage as modern organizations adopt API-first approaches to application development. With recent studies uncovering that 83% of all web traffic is to API endpoints, their security has become a key focus for organizations worldwide.
API security for advanced threats
Fastly’s API security is built into our Next-Generation Web Application Firewall (NGWAF). Our protection enhances your security posture, unifies visibility and decisioning, and empowers application development for organizations making their applications faster, safer, and more engaging.
Enhance your security posture
APIs need protection no matter where they operate. The NGWAF runs natively in any cloud, data center, or container, with various deployment options at the code, web server, or API layer. Its flexible deployment enables visibility into external APIs based in tools like Kong or NGINX, and into internal APIs like those in a service mesh. The NGWAF inspects all requests at runtime to enable automated traffic decisions like blocking, rate-limiting, and layered rulesets to secure applications from OWASP’s Top 10 API Security Risks, payloads targeting specific API protocols, and other API threats highlighted below. The NGWAF is deployable anywhere and protects your APIs everywhere, so you can scale with a single security partner that protects your applications no matter how you grow.
API Security Categories
Category | Attack Scenario |
---|---|
Unique Identifier Enumeration | Brute forcing sensitive IDs or tokens in APIs that are not searchable |
Account Takeover (credential stuffing) | Attackers use known lists of compromised credentials from common |
Sensitive API Abuse | Targeting sensitive APIs such as gift card and credit card validation and |
Malicious bots | Malicious automation and bots are used to perform content scraping, tie up system resources, perform account brute forcing, and other actions. |
Partner misuse | While organizations want to provide partners with access to APIs to |
Malicious or disallowed traffic sources | Bad actors using Tor attempt to access APIs from countries or |
Insider Threat | User management APIs abused by insiders to grant elevated access or |
Policy Enforcement | APIs attempting to be used from an untrusted device that does not contain |
OWASP Injection Issues / | APIs using unpatched or outdated third party frameworks / libraries, and |
Rate limiting | Malicious attack tooling that performs a high velocity of requests leading |
Denial of Service | Targeting high system cost APIs such as database queries, search |
Unify visibility and decisioning
API security is better in a platform. The NGWAF offers visibility into all API requests and decisioning logic out of the box, reducing the need for multiple solutions to provide comprehensive Layer 7 protection. By combining these two functionalities, the NGWAF offers analytics that can tell complete application security stories. The story can also be easily shared across the NGWAF’s numerous integrations with Security Information and Event Management (SIEM) platforms like Elastic and Datadog to combine its insights into your overarching security narrative. The NGWAF is a security platform that increases data insights and lowers your total cost of ownership, allowing you to make better informed security decisions and reallocate your budget toward new strategic initiatives.
Empower application development
Your security tech stack shouldn’t be a roadblock to API implementation. Using Fastly’s patented SmartParse contextual detection built into the NGWAF, you can easily protect commonly utilized REST and SOAP/XML, as well as recently popularized GraphQL, gRPC, and WebSocket endpoints. This coverage includes GraphQL inspection, which parses the contents of requests to inspect them and ensure malicious payloads aren’t hidden within the call. The NGWAF enables application developers to push releases faster while creating better customer experiences because they can leverage the latest APIs without negative security implications.
Get more from your API security
As you expose additional API endpoints, their security shouldn’t be a concern. Join leading companies like DoorDash and Duo, who trust the NGWAF to protect their APIs and more. Contact us to get started.