How to configure the API security module - Web Application Firewall

The API security module is an independent module of Web Application Firewall (WAF) and must be separately purchased. The API security module automatically sorts the API assets of services that are protected by WAF and detects API risks based on a built-in detection mechanism and custom detection policies. The risks include unauthorized access to APIs, exposure of sensitive data, and exposure of internal APIs. The module allows you to view API exception events in reports, check the compliance of cross-border data transfer, and trace sensitive data leaks. The module also provides suggestions for handling detected risks and references for API lifecycle management. You can identify and manage all API assets that are required by your services and improve API security throughout the entire data flow. This topic describes how to configure the API security module.

Introduction

In the digital economy era, enterprises face a rapidly changing environment that demands quick response to external changes. To enhance efficiency, enterprises must share data with third parties. The use of APIs to facilitate communication between systems is an important means for internal and external system integration within enterprises. An increasing number of enterprises are opening up their capabilities and resources by using API platforms to build industrial ecosystems. This way, partners can leverage freely available and high-quality resources for rapid integration and innovation, which helps promote the birth of the API economy and generate more value from data exchanges. An important task of enterprises is to provide a large number of API services and value-added data services. However, with the rapid development of APIs, risks are also increasing. Unauthorized access to APIs by attackers, configuration errors, and illegitimate API access requests can lead to sensitive data leaks. To mitigate the risks, WAF monitors APIs and visualizes traffic to automatically identify and categorize API assets, and establishes models for legitimate access requests. This enables prompt identification and response to abnormal API access and ensures a handling loop.

Core benefits

The API security module can automatically identify APIs and detect API risks and attacks to meet your core requirements.

Detects all APIs that are required by your business. The API security module supports custom detection policies to help your security team configure comprehensive security protection for all APIs.
Detects API risks, such as unauthorized access, weak passwords, and API designs that do not comply with security conventions.
Detects API attacks, such as sensitive data thefts, API data crawling, brute-force attacks, dictionary attacks, and message flooding. This allows you to handle attacks and avoid business loss at the earliest opportunity.

Check the API security status

Before you enable the API security module, you can use basic detection to obtain security information about your APIs, including Security Event Overview, Total API Assets, and Security Events. By default, the basic detection module is enabled for subscription WAF 3.0 instances free of charge. The basic detection module analyzes WAF logs offline and displays API asset statistics, abnormal event statistics, and the latest 10 abnormal API calls.

If you do not want to obtain basic detection data, you can skip this operation.

Note

The basic detection module is unavailable for pay-as-you-go WAF 3.0 instances.
The display of the basic detection data and detection results may have latency. The detection capabilities of the basic detection module are not as strong as those of the API security module. As a result, the information obtained from the two modules may differ. The detection results of the API security module are more accurate.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Protection Configuration > API Security.
In the Basic Detection section, view basic detection data.
- Security Event Overview: displays the total number of API security events, and the numbers of high-risk, medium-risk, and low-risk API security events.
- API Asset Overview: displays the total number of API assets, the number of active APIs, and the number of deactivated APIs.
- Security Events: displays the names, API paths, domain names, attack sources, and occurrence time of security events.
The basic detection module does not provide detailed data. If you want to view the number of APIs that transfer sensitive data or view risk details and risk handling suggestions for security events, you can enable the API security module. For more information, see Enable the API security module.

Feature description

The API security module automatically sorts the APIs of services that are protected by WAF and detects API security risks based on a built-in detection mechanism and custom detection policies. The module allows you to monitor cross-border transfers of sensitive data and trace sensitive data leaks. This can help you configure comprehensive management and security protection policies for your APIs. In addition to the statistics on the Overview tab, the API security module provides information on asset management, risks and events, compliance check and tracing and auditing, and policy configurations.

The asset management feature supports the query, statistics, and management of asset information.
The risks and events feature supports data query and statistics on risk detection, security events, and overall data.
If you want to transfer data to regions outside the Chinese mainland, you must apply to the national cyberspace administration through the local provincial cyberspace administration to arrange for a security assessment of the cross-border data transfer. You can use the compliance check and tracing and auditing features of the API security module to check and trace cross-border data transfer. The features are supported only in the Chinese mainland.
The policy configurations feature allows you to configure policies for risk detection, security events, sensitive data, authentication credentials, business purposes, lifecycle management, applicable objects, and log subscription. You can enable or disable the policies based on your business requirements. The feature supports built-in policies. You can also configure custom policies.

The following table describes the tabs on the API Security page and the features of the API Security module.

Tab	Feature	Description
Overview	-	This tab displays API asset trends, risk trends, risky site statistics, attack trends, statistics on attacked sites, statistics on sensitive data types in requests, and statistics on sensitive data types in responses.
Asset Management	Asset management	This feature analyzes access logs offline to automatically detect APIs and identify the reasons why APIs are called based on API characteristics.
Risk Detection	Risks and events	This feature detects various security risks, such as unauthorized access and sensitive data leaks, and provides risk analysis results and suggestions on how to handle the security risks.
Security Events	Risks and events	This feature monitors and analyzes API calls to quickly detect abnormal requests and attacks.
Compliance Check	Compliance check and tracing and auditing	The compliance check feature identifies risks that are associated with cross-border data transfer operations based on the Measures for the Security Assessment of Outbound Data Transfer. The API security module checks the compliance of transfer operations in the following scenarios: A critical information infrastructure operator or data processor that has processed the personal information of more than one million people provides personal information outside the Chinese mainland. A data processor that has provided the personal information of more than 100,000 people or the sensitive personal information of more than 10,000 people in total since January 1 of the previous year provides personal information outside the Chinese mainland.
Tracing and Auditing	Compliance check and tracing and auditing	The tracing and auditing feature performs cross-validation on security events by using logs and sensitive data samples when sensitive data security events occur.
Policy Configurations	Policy configurations	This feature supports built-in detection policies and allows you to configure custom detection policies. This increases the detection accuracy and recall rate of the API security module. You can also enable other features of the API security module for specific protected objects.

Enable the API security module

Preparations

A WAF 3.0 instance is purchased. For more information, see Purchase a subscription WAF 3.0 instance and Purchase a pay-as-you-go WAF 3.0 instance.

Note

The API security module is unavailable for protected objects that are added after you add Microservices Engine (MSE) instances or Function Compute-related domain names to WAF.

Procedure

Important

Data computing and analysis are performed offline. The API security module does not actively detect APIs and does not affect your workloads.
The API security module detects responses that have specific characteristics and determines whether data leaks occurred. After you enable the API security module, WAF is authorized to analyze the responses. Enable the API security module based on your business requirements.

Log on to the WAF 3.0 console. In the top navigation bar, select the resource group and region of the WAF instance. You can select Chinese Mainland or Outside Chinese Mainland.
In the left-side navigation pane, choose Protection Configuration > API Security.
Enable the API security module.
- Apply for a free trial of the API security module
  Note
  - You can apply for a free trial of the API security module only if you use a WAF Pro, Enterprise, or Ultimate instance. Each Alibaba Cloud account can apply for the free trial only once.
  - The free trial is valid for seven days. The security analysis results that are generated during the trial period are available only during the trial period. If you want to retain the security analysis results, enable the API security module before the trial period ends.
  On the API Security page, click Try Now. On the page that appears, fill out the application and click Submit.
  After Alibaba Cloud engineers receive your trial application, they will contact you within one week based on the contact information that you submit to confirm information that is related to your application. After your trial application is approved, the API security module is automatically enabled for your WAF instance.
- Enable the API security module
  1. On the API Security page, click Enable Now.
  2. In the Enable Now panel, set the API Security parameter to Enable, click Buy Now, and then complete the payment.

View API security data

On the Overview tab of the API Security page, you can view the following information: API Asset Trend, Risk Trend, Risky Site Statistics, Attack Trend, Statistics on Attacked Sites, Statistics on Request Sensitive Data Types, and Statistics on Response Sensitive Data Types. The default statistical period is 30 days.

截屏2024-05-09 18

Supported query and filter operations

In the API Asset Trend, Risk Trend, and Attack Trend sections, you can click a legend item such as Total API Assets and Active APIs below a chart to filter data and view the data that you are interested in.
In the Risky Site Statistics, Statistics on Attacked Sites, Statistics on Request Sensitive Data Types, and Statistics on Response Sensitive Data Types sections, you can sort data in ascending or descending order.
To view more information about risk detection, you can click More in the upper-right corner of the Risky Site Statistics section to go to the related tab. You can also click a number in the section to go to the related tab and view detailed data that meets the filter conditions.
To view more information about security events, you can click More in the upper-right corner of the Statistics on Attacked Sites section to go to the related tab. You can also click a number in the section to go to the related tab and view detailed data that meets the filter conditions.
To view more information about asset management, you can click More in the upper-right corner of the Statistics on Request Sensitive Data Types or Statistics on Response Sensitive Data Types section. You can also click a number in the section to go to the related tab and view detailed data that meets the filter conditions.

FAQ

You can use CloudMonitor to configure monitoring and alerting for API security events. This allows WAF to send alert notifications to you when high-risk events are detected and helps you monitor the status of your API assets. For more information, see Configure CloudMonitor notifications.

What are the purposes of API calls that are classified by the API security module?

The API security module classifies APIs by purpose to help you identify the APIs of different features, such as the logon APIs, registration APIs, and text message sending APIs. This allows you to manage APIs by purpose and provides support for the detection of security risks and events in different scenarios. For example, if you want to detect the risk of brute-force attacks on accounts, you must identify logon APIs. The API security module also allows you to specify a custom purpose for an API and select multiple purposes to display related APIs. The purpose of an API is identified by matching the characteristics of the API path and the parameter names that are used in the API calls. The following table describes the built-in purposes supported by the API security module.

Purpose

Account Password-based Logon

Mobile Verification Code-based Logon

Email Verification Code-based Logon

WeChat Logon

Alipay Logon

OAuth Authentication

OIDC Authentication

SAML Authentication

SSO Authentication

Logon

Logoff

Account Password-based Registration

Mobile Verification Code-based Registration

Email Verification Code-based Registration

WeChat Registration

Alipay Registration

Registration Service

Short Message Sending

Mail Sending

Password Reset

Verification Code Verification

Status Check

Order Query

Order Export

Order Update

Order Payment

Log Query

Log Reporting

Log Export

Log Service

GraphQL

SQL Service

File Upload

File Download

File Service

Background Management

Dashboard

Monitoring Service

Information Sending

Data Check

Data Query

Data Upload

Data Download

Data Addition

Data Modification

Data Update

Data Sharing

Data Deletion

Data Synchronization

Data Submission

Data Copy

Data Auditing

Data Saving

Cancel

Start

Batch Processing

Suspension

Add

Debugging

Settings

What are the objects for which APIs are called to provide services?
The API security module allows you to view APIs by service object. For example, you can distinguish whether an API is intended for an internal-facing service or an external-facing service. Service objects are identified based on the naming conventions of APIs and the analysis of access source concentration. APIs are called to provide services for the following service objects:
- Internal Office: The API is called to provide services to internal employees.
- Cooperation with Third-party Partner: The API is called to provide services to third-party ecosystem partners.
- Public Service: The API is called to provide Internet-facing services.

What types of sensitive data can be detected by the API security module?

The detection model detects different types of sensitive data from the request and response content of an API call. The data sensitivity can be classified into the following levels in ascending order: S1, S2, S3, and S4. The sensitivity levels are in compliance with the practices of Data Security Center (DSC).

The following table describes the sensitive data types, sensitivity levels, and data categories.

Sensitive data type	Sensitivity level	Category
ID card number (Chinese mainland)	S3	Personal information and personal sensitive information
Debit card number	S3	Personal information and personal sensitive information
Name in simplified Chinese	S2	Personal information
Address (Chinese mainland)	S2	Personal information
Mobile phone number (Chinese mainland)	S2	Personal information
Email address	S2	Personal information
Passport number (Chinese mainland)	S3	Personal information and personal sensitive information
Permit number of the exit-entry permit for travelling to and from Hong Kong and Macao	S3	Personal information and personal sensitive information
License plate number (Chinese mainland)	S2	Personal information
Phone number (Chinese mainland)	S2	Personal information
Military officer card ID	S3	Personal information and personal sensitive information
Gender	S2	Personal information
Ethnicity	S2	Personal information
Province (Chinese mainland)	S1	/
City (Chinese mainland)	S1	/
ID card number (Hong Kong, China)	S3	Personal information and personal sensitive information
Name in traditional Chinese	S2	Personal information
Name in English	S2	Personal information
ID card number (Malaysia)	S3	Personal information and personal sensitive information
ID card number (Singapore)	S3	Personal information and personal sensitive information
Credit card number Loan bank card	S3	Personal information and personal sensitive information
SwiftCode SWIFT Code	S1	/
SSN	S3	Personal information and personal sensitive information
Telephone number (the United States)	S2	Personal information
Religion	S3	Personal information and personal sensitive information
IP address	S2	Personal information
MAC address	S2	Personal information
Java Database Connectivity (JDBC) connection string	S3	Personal information and personal sensitive information
Privacy Enhanced Mail (PEM) certificate	S2	Personal information and personal sensitive information
Private key	S3	Personal information and personal sensitive information
AccessKey ID	S3	Personal information and personal sensitive information
AccessKey Secret	S3	Personal information and personal sensitive information
IPv6 address	S2	Personal information
Date	S1	/
IMEI	S2	Personal information
MEID	S2	Personal information
Linux-Passwd file	S3	/
Linux-Shadow file	S3	/
URL	S1	/
Business license number	S1	/
Tax registration certificate number	S1	/
Organization code	S1	/
Unified social credit code	S1	/
Vehicle identification number	S2	/

What are the sensitivity levels of the API security module?
The sensitivity levels of APIs are classified into high sensitivity, moderate sensitivity, low sensitivity, and non-sensitive. The following list describes the rules for classifying API sensitivity levels.
- High sensitivity: The response of an API contains data types of the S3 level or higher, or more than 20 sensitive data entries of the S2-level data types are returned at the same time.
- Moderate sensitivity: The response of an API contains data types of the S2 level.
- Low sensitivity: The response of an API contains data types of the S1 level.
- Non-sensitive: The response of an API does not contain sensitive data.

What types of API risks can be detected by the API security module?

Category	Risk type	Risk level	Risk description	Suggestion
Security and Specifications	Insecure HTTP Methods	Low	The API risk detection model detects that the API uses insecure HTTP methods. Attackers may use such methods to detect server information or directly manipulate server data. For example, attackers may use the PUT method to upload malicious files and use the DELETE method to delete server resources.	We recommend that you transform the API based on your business requirements and disable insecure HTTP methods such as PUT, DELETE, TRACE, and OPTIONS.
	JWT Weak Signature Algorithm	Low	The API risk detection model detects that the API uses a weak signature algorithm for a JSON Web Token (JWT).	We recommend that you use a secure signature algorithm such as RS256 to ensure the key strength and security of keys during transmission and storage.
	Parameter as URL	Low	The API risk detection model detects that a request parameter of the API is set to a URL link. Attacks such as server-side request forgery (SSRF) attacks may occur.	We recommend that you transform the API based on your business requirements to prevent the direct use of user-controlled URLs in parameters. You must strictly limit the parameter content and filter out invalid characters.
Account Security	Password Plaintext Transmission	Low	The API risk detection model detects that account passwords are sent in plaintext. Attackers can use eavesdropping and similar tactics to intercept and steal user credentials during transmission. This can result in account theft.	We recommend that you encrypt or hash the password field before transmission to prevent interception and theft from attackers.
	Weak Password Tolerance	Low	The API risk detection model detects that the logon API has weak passwords. Attackers may perform brute-force attacks to steal accounts.	We recommend that you increase the password strength. The password must be at least 8 characters in length and contain at least 3 of the following types of characters: uppercase letters, lowercase letters, digits, and special characters. We also recommend that you notify users who have weak passwords to change their passwords at the earliest opportunity.
	Weak Password Vulnerability in Internal Application	High	The API risk detection model detects that weak passwords are used in the logon API for internal applications. Attackers may steal accounts by using brute-force attacks.	We recommend that you increase the password strength. The password must be at least 8 characters in length and contain at least 3 of the following types of characters: uppercase letters, lowercase letters, digits, and special characters. We also recommend that you notify users who have weak passwords to change their passwords at the earliest opportunity.
	Presence of Default Passwords	Medium	The API risk detection model detects that default passwords are used in applications associated with the API. Attackers can use the default passwords to access accounts whose passwords remain unchanged.	We recommend that you notify users of applications who use default passwords to change the default passwords upon their first logon. For users of existing accounts who still use default passwords, we recommend that you notify the users to change their passwords at the earliest opportunity.
	Return of Plaintext Password	Low	The API risk detection model detects that the response of the API contains plaintext passwords. Attackers can use eavesdropping and similar tactics to intercept and steal user credentials during transmission. This can result in account theft.	We recommend that you transform the API based on your business requirements to prevent the API from returning plaintext password information.
	Password Storage in Cookies	Low	The API risk detection model detects that the cookie of the API stores the account password information, which can be easily stolen by attackers.	We recommend that you transform the API based on your business requirements to prevent important and sensitive information, such as accounts and secrets, from being stored in cookies.
	Unrestricted Logon	Medium	The API risk detection model detects that no CAPTCHA mechanism is provided. Attackers can exploit this vulnerability to perform unlimited brute-force attacks on account passwords.	We recommend that you implement CAPTCHA measures, especially when multiple logon failures occur. You can enable CAPTCHA verification to prevent brute-force attacks.
	Unreasonable Logon Failure Prompt	Low	The API risk detection model detects that logon failure messages may reveal information about the existence of accounts. Attackers can exploit the messages to enumerate existing accounts and launch attacks or obtain business-critical data such as user registration quantity.	We recommend that you configure the system to display a message such as "Invalid username or password" when logon failures occur, instead of messages such as "Username does not exist", which may disclose account registration information.
	URL-based Account Password Transmission	Medium	The API risk detection model detects that account passwords are sent in plaintext by using URLs. Unauthorized access to URLs can result in credential leaks. URLs may be exposed in logs, Referers, or browser history data.	We recommend that you use the POST method to transfer confidential data in the request body.
Access Control	Internal Application Accessible from the Internet	Low	The API risk detection model detects that the API is used by internal applications and can be accessed over the Internet, and no access restrictions are implemented. Internal applications that are exposed to the Internet may be maliciously exploited or attacked by attackers.	We recommend that you configure access control policies. For example, you can configure an IP address whitelist to limit access sources.
	Unrestricted Access Sources	Low	The API risk detection model detects that some access sources of the API do not meet the baseline requirements. Access source can be IP addresses or regions.	We recommend that you configure access control policies. For example, you can configure IP address blacklists or IP address whitelists, or region blacklists to limit access sources.
	Unrestricted Access Tools	Low	The API risk detection model detects that the clients used to access the API do not meet the baseline requirements.	We recommend that you configure access control policies to limit access by clients. This helps prevent attackers from using malicious clients to attack the API or crawl data.
	Unrestricted Access Rate	Low	The API risk detection model detects that a single IP address is used to access the API at a high frequency. In this case, you can configure access control policies to restrict high-frequency access and prevent unauthorized calls to the API.	We recommend that you configure access control policies to restrict high-frequency access.
Permission Management	Weak Authentication Credential	Medium	The API risk detection model detects that the authentication credentials of the API do not have sufficient randomness, and therefore brute-force attacks can easily be performed on the API. This may result in unauthorized or privilege-escalated exploitation of the API.	We recommend that you enhance the randomness of authentication credentials to prevent credentials that are excessively short in length or have obvious format patterns.
	Unauthenticated Access to Sensitive API	High	The API risk detection model detects that the API contains highly sensitive data and the data can be accessed without authorization. This may result in sensitive data leaks.	We recommend that you add a strict and complete authentication mechanism to prevent unauthorized or privilege-escalated exploitation of the API.
	Unauthorized Access to Internal API	High	The API risk detection model detects that the API is used by internal applications and can be accessed without authorization. This may result in unauthorized use of internal applications or internal data leaks.	We recommend that you add a strict and complete authentication mechanism to prevent unauthorized or privilege-escalated exploitation of the API.
	URL-based Credential Transmission	Medium	The API risk detection model detects that authentication credential information is sent by using URLs. Unauthorized access to URLs can result in the risk of authorization misuse. URLs may be exposed in logs, Referers, or browser history data.	We recommend that you use other methods to pass authentication credentials, such as custom headers, cookies, and bodies.
	AccessKey Pair Information Leak	High	The API risk detection model detects that AccessKey IDs and AccessKey secrets are returned, which may be exploited by attackers.	We recommend that you transform the API based on your business requirements to prevent AccessKey pair information from being returned. The leaked AccessKey pairs must be disabled or deleted.
Data Protection	Excessive Types of Sensitive Data in Response	Medium	The API risk detection model detects that the response of the API contains an excessively large number of sensitive data types. This may result in the unnecessary exposure of data, which can lead to data leaks.	We recommend that you confirm the necessity of returning all data types based on your business requirements, mask important sensitive data, and delete unnecessary data types.
	Excessive Sensitive Data in Response	Medium	The API risk detection model detects that the response of the API contains sensitive data and the amount of returned data is not limited. This may lead to substantial data leaks.	We recommend that you limit the amount of data returned at a time based on your business requirements to prevent attackers from using the API to obtain a large amount of sensitive data.
	Inadequate Data De-identification	Medium	The API risk detection model detects that the response of the API contains original and masked versions of data at the same time.	We recommend that you identify risks based on sample data. For masked data, take measures to ensure that the data is not exposed in plaintext.
	Leak of Sensitive Server Information	High	The API risk detection model detects that the response of the API contains sensitive information about servers. Attackers may use the sensitive information to attack the servers and obtain control permissions.	We recommend that you perform troubleshooting based on sample data and check whether data is returned as expected. Do not allow data to be directly returned to the frontend.
	Internal IP Address Leak	Medium	The API risk detection model detects that the response of the API may contain internal IP addresses. Attackers may use the IP addresses to attack internal applications.	We recommend that you transform the API based on your business requirements to prevent leaks of internal network information.
	URL-based Sensitive Data Transmission	Medium	The API risk detection model detects that highly sensitive data is sent by using URLs. Unauthorized access to URLs can result in sensitive data leaks. URLs may be exposed in logs, Referers, or browser history data.	We recommend that you use the POST method to transfer sensitive data in the request body.
API Design	Request Parameter Traversability	Low	The API risk detection model detects that the format of request parameters is fixed and can be easily constructed. Attackers may exploit this vulnerability to enumerate parameter values and extract data in bulk.	We recommend that you increase the randomness of parameters based on your business requirements. This helps prevent reliance on simple, predictable values, such as short numeric values, which can be easily compromised.
	Modifiable Volume of Returned Data	Low	The API risk detection model detects that a request parameter is used to specify the number of items returned and can be modified to any value. Attackers can exploit this vulnerability to retrieve a large amount of data in a single request.	We recommend that you implement parameter value limits based on your business requirements and provide only a few optional values. This helps prevent the API from being maliciously exploited to obtain a large amount of data.
	Database Query	High	The API risk detection model detects that a request parameter contains query statements. Attackers may exploit the API to execute arbitrary database operations to attack databases or steal important data.	We recommend that you transform the API based on your business requirements to prevent database query statements from being passed. You must strictly limit the parameter content and filter out invalid characters.
	Command Execution API	High	The API risk detection model detects that a request parameter contains command execution statements. Attackers can exploit the API to execute arbitrary system commands to control servers or steal important data.	We recommend that you transform the API based on your business requirements to prevent command statements from being passed. You must strictly limit the parameter content and filter out invalid characters.
	Arbitrary Short Message Sending	Medium	The API risk detection model detects that the request parameters of the short message-sending API contain phone numbers and suspected text message content to be sent. Attackers may exploit the API to send malicious text messages to specified phone numbers.	We recommend that you transform the API based on your business requirements and use fixed templates to configure the content to be sent.
	Arbitrary Email Content Sending	Medium	The API risk detection model detects that the request parameters of the email-sending API contain email addresses and suspected email content to be sent. Attackers can exploit the API to send malicious emails to specified addresses.	We recommend that you transform the API based on your business requirements and use fixed templates to configure the content to be sent.
	Leak of Short Message Verification Code	High	The API risk detection model detects that the response parameter of the text message-sending API may contain verification codes. Attackers may use the API to obtain verification codes and bypass the text message verification mechanism.	We recommend that you transform the API based on your business requirements to prevent verification codes from being returned to the frontend. The codes must be verified at the backend.
	Email Verification Code Leak	High	The API risk detection model detects that the response parameter of the email-sending API may contain verification codes. Attackers may use the API to obtain verification codes and bypass the email verification mechanism.	We recommend that you transform the API based on your business requirements to prevent verification codes from being returned to the frontend. The codes must be verified at the backend.
	Specified File Download	Medium	The API risk detection model detects that the request parameter of the file download API contains file paths. Attackers can modify the parameter to download files and steal important data.	We recommend that you transform the API based on your business requirements to prevent direct download of files from complete file paths. You must strictly limit the parameter content and filter out invalid characters to prevent attackers from downloading arbitrary files by using the API.
	Application Exception Information Leak	Medium	The API risk detection model detects that the response of the API contains application exception information. Attackers may obtain sensitive information such as server application configurations from the returned exception information.	We recommend that you optimize the service exception handling mechanism. When an exception occurs, the specified content is returned or you are redirected to the specified page. This prevents application information leaks due to direct return of exception information.
	Database Exception Information Leak	Medium	The API risk detection model detects that the response of the API contains database exception information. Attackers may use the database exception information to obtain information such as SQL statements, database names, and table names and then launch attacks such as SQL injection.	We recommend that you optimize the service exception handling mechanism. When an exception occurs, the specified content is returned or you are redirected to the specified page. This prevents database information leaks due to direct return of exception information.
Custom	Custom risk detection rule	Custom level	The API risk detection model detects that the API triggers the custom risk detection rule.	The configurations that you specify for the policy is displayed.

What types of exception events can be detected by the API security module?

Category	Event type	Event description	Suggestion
Baseline Exception	Abnormal High-frequency Access	An API is frequently called. The request rate is higher than the daily distribution baseline of request frequencies. Malicious activities, such as API abuses and HTTP flood attacks, may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. You can also configure rate limiting policies based on the daily distribution baseline of request frequencies to ensure the reasonable use of API resources.
	Access to Internal API from Unusual IP Address	An API is called from IP addresses that deviate from the daily distribution baseline of IP addresses. Abnormal calls may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We also recommend that you configure an IP address whitelist based on the daily distribution baseline of IP addresses to block access from IP addresses not included in the whitelist and ensure the reasonable use of API resources.
	Access to Internal API from Unusual Location	An API is called from IP address locations that deviate from the daily distribution baseline of IP address locations. Abnormal calls may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We also recommend that you configure a region blacklist based on the daily distribution baseline of IP address locations to ensure the reasonable use of API resources.
	Access using Anomalous Tools	An API is accessed from clients that deviate from the daily distribution baseline of clients. Abnormal calls may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We also recommend that you configure access control policies based on the daily distribution baseline of clients or enable the bot management module to ensure the reasonable use of API resources.
	Access During Unusual Time Period	An API is called during an unusual time period. Abnormal calls may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses.
	Access using Abnormal Parameter Values	The format of request parameters deviates from the regular pattern. Abnormal calls or attacks may occur.	We recommend that you perform troubleshooting based on sample data and log details. You can configure an IP address blacklist to block malicious IP addresses. If web attacks are confirmed, we recommend that you use protection modules in WAF to ensure the reasonable use of API resources.
Account Risk	Weak Password-based Logon to Internal Application	The logon from the IP address to the internal application is suspected of using a weak password.	We recommend that you check whether the logon is successful based on log details. We recommend that you increase the password strength. The password must be at least 8 characters in length and contain at least 3 of the following types of characters: uppercase letters, lowercase letters, digits, and special characters. We also recommend that you notify users who have weak passwords to change their passwords at the earliest opportunity.
	Brute-force Attack Against Username	Frequent logon attempts are initiated from the same IP address. A consistent password and constantly changing usernames are used. Brute-force attacks against usernames may occur.	We recommend that you check whether the logon is successful based on log details, change the password on a regular basis, and ensure that weak passwords are not used. We also recommend that you implement CAPTCHA measures to limit the number of logon attempts or configure rate limiting policies to ensure the reasonable use of API resources.
	Brute-force Attack Against Password	Frequent logon attempts are initiated from the same IP address. A consistent username and constantly changing passwords are used. Brute-force attacks against passwords may occur.	We recommend that you check whether the logon is successful based on log details, change the password on a regular basis, and ensure that weak passwords are not used. We also recommend that you implement CAPTCHA measures to limit the number of logon attempts or configure rate limiting policies to ensure the reasonable use of API resources.
	Dictionary Attack	Frequent logon attempts are initiated from the same IP address, and a large number of accounts are used. Dictionary attacks may occur.	We recommend that you check whether the logon is successful based on log details, change the password on a regular basis, and ensure that weak passwords are not used. We also recommend that you implement CAPTCHA measures to limit the number of logon attempts or configure rate limiting policies to ensure the reasonable use of API resources.
	Brute-force Attack Against Short Message Verification Code	Frequent attempts are initiated from the same IP address to verify text message verification codes. A large number of verification codes are used. Brute-force attacks against text message verification codes may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. You can also configure rate limiting policies based on the daily distribution baseline of request frequencies to ensure the reasonable use of API resources.
	Brute-force Attack Against Email Verification Code	Frequent attempts are initiated from the same IP address to verify email verification codes, and a large number of verification codes are used. Brute-force attacks against email verification codes may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. You can also configure rate limiting policies based on the daily distribution baseline of request frequencies to ensure the reasonable use of API resources.
	Batch Registration	A large number of registration requests are sent from the same IP address. Bulk account registrations may occur, and numerous spam accounts may be generated.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. You can also configure rate limiting policies based on the daily distribution baseline of request frequencies to ensure the reasonable use of API resources.
API Abuse	Malicious Consumption of Short Message Resources	A large number of message-sending requests are sent from the same IP address. Text message resource abuse or message flooding may occur. This may result in business loss.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We also recommend that you limit the frequency of text messages sent from a single mobile number and configure rate limiting policies based on the daily distribution baseline of request frequencies to ensure the reasonable use of API resources.
	Malicious Consumption of Email Resources	A large number of email-sending requests are sent from the same IP address. Email resource abuse or mail flooding may occur. This may compromise the stability of email services.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We also recommend that you limit the frequency of emails sent from a single email address and configure rate limiting policies based on the daily distribution baseline of request frequencies to ensure the reasonable use of API resources.
	Batch Download	A large number of data export or download requests are sent from the IP address, and a large amount of file data is exported or downloaded. Data leaks may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. You can also configure rate limiting policies based on the daily distribution baseline of request frequencies to ensure the reasonable use of API resources.
	Data Crawling	An API is frequently called from the same IP address, and parameter traversal is suspected. Data crawling may occur.	We recommend that you perform troubleshooting based on log details. You can configure an IP address blacklist to block malicious IP addresses. We recommend that you increase the randomness of parameters based on your business requirements. This helps prevent reliance on simple, predictable values, such as short numeric values, which can be easily compromised.
	API Attack	Web attacks are initiated from the IP address, and all attacks are blocked by protection modules.	We recommend that you analyze IP address behavior based on log details. You can configure an IP address blacklist to block malicious IP addresses.
Sensitive Data Leak	Unauthorized Access to Sensitive Data	An API is called from the IP address, unauthorized access is suspected, and sensitive data is retrieved. Data leak risks may arise.	We recommend that you troubleshoot issues based on log details. We also recommend that you implement a strict and complete authentication mechanism for important APIs to prevent unauthorized or privilege-escalated exploitation of the APIs.
	Mass Sensitive Data Access	When an API is called from the IP address, a large number of entries of sensitive data are retrieved. Data leak risks may arise.	We recommend that you troubleshoot issues based on log details. We also recommend that you mask important sensitive data and delete unnecessary data types. You can also configure rate limiting policies based on the daily distribution baseline of request frequencies.
	Mass Sensitive Data Access by IP Addresses Outside China	An API is called from IP addresses that originate from regions outside the Chinese mainland, and a large number of entries of sensitive data are retrieved. Data leak and compliance risks may arise.	We recommend that you troubleshoot issues based on log details. Cross-border transmission of sensitive data may pose compliance risks. If cross-border transmission of sensitive data is required, we recommend that you conduct an evaluation and promptly proceed with security assessments or filings.
Response Exception	Return of Error Message	When an API is called from the IP address, error messages may be returned and leaks of information such as application configurations may occur.	We recommend that you perform troubleshooting based on log details to check whether the API runs as expected. We also recommend that you optimize the service exception handling mechanism. When an exception occurs, the specified content is returned or you are redirected to the specified page. This prevents application information leaks due to direct return of exception information.
	Return of Database Error Message	When an API is called from the IP address, database error messages may be returned and leaks of information such as statements, database names, and table names may occur.	We recommend that you perform troubleshooting based on log details to check whether the API runs as expected. We also recommend that you optimize the service exception handling mechanism. When an exception occurs, the specified content is returned or you are redirected to the specified page. This prevents database information leaks due to direct return of exception information.
	Return of Sensitive System Information	When an API is called from the IP address, critical sensitive information about servers may be returned. Data leak risks may arise.	We recommend that you perform troubleshooting based on log details to check whether data is returned as expected. Do not allow data to be directly returned to the frontend.
	Abnormal Response	When an API is called from the IP address, the percentage of abnormal responses exceeds 80%. Origin servers may not run as expected.	We recommend that you perform troubleshooting based on log details to check whether the API runs as expected.
Custom Event	Custom event detection policy	When an API is called from the IP address, the access behavior matches the custom event detection policy.	The configurations that you specify for the policy is displayed.

How does the API security module help enterprises reduce the risk of data leaks?

The API security module detects API vulnerabilities, traces API exception events, and provides suggestions on how to handle vulnerabilities.

Risk type	Description
API vulnerabilities	Enterprises may expose internal APIs, such as APIs used for internal office work, development testing, and operations management, to the Internet. This exposure allows attackers to access and retrieve sensitive data by using the APIs.
API exception events	APIs may not function as expected in predefined business requirement and access scenarios.

What are the application criteria for security assessments and filings of cross-border data transfer? (supported only in the Chinese mainland)

The following table describes the application criteria based on the Measures for the Security Assessment of Outbound Data Transfer.

Evaluation type	Evaluation result
Since January 1 of last year, the cumulative number of natural persons whose personal information is transferred abroad is greater than 100,000.	Requirements for applying for a security assessment are met.
Since January 1 of last year, the cumulative number of natural persons whose personal sensitive information is transferred abroad is greater than 10,000.
Since January 1 of last year, cross-border data transfer activities occurred, and the cumulative number of natural persons whose personal information is transferred abroad is greater than 1,000,000.
Since January 1 of last year, the cumulative number of natural persons whose personal information is transferred abroad is less than 100,000.	Requirements for applying for a security assessment are not met.
Since January 1 of last year, the cumulative number of natural persons whose personal sensitive information is transferred abroad is less than 10,000.
Since January 1 of last year, cross-border data transfer activities occurred, and the cumulative number of natural persons whose personal information is transferred abroad is less than 1,000,000.