Advanced API Security best practices

This page applies to Apigee and Apigee hybrid.


This page describes some best practices for working with Advanced API Security.

Configure client IP resolution

If the default client IP resolution algorithm does not work for your use case, it can be customized per environment. See client IP resolution. Configuring this setting allows Advanced API Security to find and use the appropriate client IP address for each API request, and ensures consistent client IP address resolution across your environment.

To use client IP resolution, you also need to preserve X-Forwarded-For request headers, as described in the next section.

Preserve X-Forwarded-For request headers

The X-Forwarded-For (XFF) request header is a standard header for identifying the originating IP addresses of clients connecting to a web server through a proxy server. Many platforms provide the ability to strip off XFF headers from incoming requests for security purposes. However, this is not recommended if you are using Advanced API Security, because the machine learning algorithms it uses need the IP address information to identify abuse traffic, and to calculate security scores.

How to determine if your platform is stripping off XFF headers

To determine if your platform is stripping off XFF headers, make an API call like the following:

curl "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/stats/x_forwarded_for_ip?select=avg(total_response_time)&timeRange=9/24/2018%2000:00~10/25/2018%2000:00&timeUnit=day" \
 -H "Authorization: Bearer $TOKEN"

where ORG is your organization and ENV is an environment in the organization.

If your platform is stripping off XFF headers, this returns a response in which the first line will be

 "name": "(not set)",

The (not set) in the response means your platform is stripping off XFF headers.
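The check above, as an added example that is not part of the Apigee documentation: a small Python helper that builds the same stats request URL with correct query encoding and classifies a response by its x_forwarded_for_ip dimension names. The response shape (environments[].dimensions[].name) is assumed from the curl call above, and the sample JSON documents are constructed, not captured from a live organization.

```python
import json
from urllib.parse import urlencode

BASE = "https://apigee.googleapis.com/v1/organizations/{org}/environments/{env}/stats/x_forwarded_for_ip"


def stats_url(org: str, env: str, start: str, end: str) -> str:
    """Build the x_forwarded_for_ip stats URL; urlencode handles the spaces,
    slashes and '&' that break an unquoted curl invocation."""
    query = urlencode({
        "select": "avg(total_response_time)",
        "timeRange": f"{start}~{end}",   # e.g. "9/24/2018 00:00~10/25/2018 00:00"
        "timeUnit": "day",
    })
    return f"{BASE.format(org=org, env=env)}?{query}"


def xff_dimension_names(response: dict) -> list:
    """Collect every dimension name (one per observed client IP) from the response."""
    return [
        dim.get("name", "")
        for env in response.get("environments", [])
        for dim in env.get("dimensions", [])
    ]


def classify_xff(response: dict) -> str:
    """'stripped' when analytics only ever saw "(not set)" as the client IP,
    'preserved' when real addresses were recorded, 'mixed' when both appear,
    'no-data' when the time range contains no traffic at all."""
    names = xff_dimension_names(response)
    if not names:
        return "no-data"
    unset = sum(1 for n in names if n == "(not set)")
    if unset == len(names):
        return "stripped"
    return "preserved" if unset == 0 else "mixed"


# Constructed sample responses (assumed shape; addresses from the documentation range).
SAMPLE_STRIPPED = json.loads('{"environments": [{"name": "ENV", "dimensions": ['
                             '{"name": "(not set)", "metrics": [{"name": "avg(total_response_time)",'
                             ' "values": [{"timestamp": 1537747200000, "value": "12.5"}]}]}]}]}')
SAMPLE_PRESERVED = json.loads('{"environments": [{"name": "ENV", "dimensions": ['
                              '{"name": "203.0.113.7", "metrics": []},'
                              '{"name": "198.51.100.42", "metrics": []}]}]}')
```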