API Security
+ button
Airlock Gateway can automatically validate API requests and responses against formal API specifications.
Use the + button to upload your API specifications.
  • API validation requires a license for the API Gateway feature.
  • After uploading the API specification, configure and enable Enforce API validation for each mapping that should be validated, on the mapping detail page, Tab – API Security.

Feature scope

The OpenAPI filter validates parameters in all four locations (path, query, header, cookie). All data types and their constraints, such as enum, pattern, format, value ranges and length ranges, are supported. Body content checks are applied only to JSON documents and binary data.

  • Requests that do not comply with the specification are blocked and reported in the log with log_id WR-SG-BLOCK-115-00.
  • OpenAPI features that are currently not supported are reported in the log when the configuration is loaded, with log_id SY-SG-CONF-115-01.

The following OpenAPI features are currently not supported:

  • Content-Types other than JSON
  • Multipart requests
  • Callbacks

The API specification must be in OpenAPI version 3.0 format and uploaded as a JSON document.

Specifications in other formats or versions, e.g. Swagger 2.0 or OpenAPI in YAML, must be converted before uploading. For Swagger-to-OpenAPI conversion, we recommend the Mermade converter, which is also available as a command-line tool.

Log messages

The following log messages are written by the OpenAPI filter during request handling:

  • WR-SG-BLOCK-115-00: Noncompliant API usage
    • constraint: provides detailed information on the violated constraint.
    • position: denotes the position in the validated request document/parameter where the constraint was violated.
  • WR-SG-REJECT-115: OpenAPI configuration is invalid
    • The configuration could not be loaded correctly. See CONF-115 entries in the log messages for investigation and error analysis.
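The following is an added example, not Airlock's own code, showing what the validation described under Feature scope amounts to and how the constraint and position fields of a WR-SG-BLOCK-115-00 entry can be derived. A small OpenAPI 3.0 document (JSON) is constructed inline, and a minimal validator enforces required, enum, pattern, format, value-range and length-range constraints on path, query and header parameters and on a JSON body, rejecting non-JSON bodies. The spec, the sample requests, the FORMATS table and the MAX_JSON_DEPTH limit are assumptions made for illustration (the last two stand in for the OpenApi.StringFormat.* and Request.Json.Limits.* expert settings); none of it is the gateway's implementation.

```python
"""Minimal OpenAPI 3.0 request validator: an added example, not Airlock's code.
It enforces required/enum/pattern/format/range/length constraints on path,
query and header parameters and on a JSON body, and reports every violation as
a (constraint, position) pair, the two fields a WR-SG-BLOCK-115-00 entry carries.
Spec, requests, FORMATS and MAX_JSON_DEPTH are constructed for illustration."""
import json
import re

# Constructed sample specification (OpenAPI 3.0 as JSON), not from the page.
SPEC = json.loads("""{
 "openapi": "3.0.3",
 "paths": {"/users/{id}": {"put": {
  "parameters": [
   {"name": "id", "in": "path", "required": true, "schema": {"type": "integer", "minimum": 1}},
   {"name": "verbose", "in": "query", "schema": {"type": "string", "enum": ["yes", "no"]}},
   {"name": "X-Request-Id", "in": "header", "schema": {"type": "string", "pattern": "^[0-9a-f]{32}$"}}],
  "requestBody": {"content": {"application/json": {"schema": {
   "type": "object", "required": ["email"], "additionalProperties": false,
   "properties": {
    "email": {"type": "string", "format": "email", "maxLength": 64},
    "age": {"type": "integer", "minimum": 0, "maximum": 150},
    "role": {"type": "string", "enum": ["user", "admin"]}}}}}}}}}}""")

FORMATS = {"email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")}  # assumed custom named format
MAX_JSON_DEPTH = 32  # assumed nesting limit so a hostile body cannot exhaust the parser

def is_int(v):
    return isinstance(v, int) and not isinstance(v, bool)  # JSON true/false are not integers

def check_schema(value, schema, pos, out):
    """Append (constraint, position) to out for each constraint that value violates."""
    t = schema.get("type")
    ok = {"integer": is_int, "string": lambda v: isinstance(v, str),
          "object": lambda v: isinstance(v, dict)}.get(t, lambda v: True)
    if not ok(value):
        out.append((f"type:{t}", pos))
        return
    if "enum" in schema and value not in schema["enum"]:
        out.append(("enum", pos))
    if isinstance(value, str):
        if "pattern" in schema and not re.search(schema["pattern"], value):
            out.append(("pattern", pos))
        fmt = schema.get("format")
        if fmt in FORMATS and not FORMATS[fmt].match(value):
            out.append((f"format:{fmt}", pos))
        if len(value) > schema.get("maxLength", len(value)):
            out.append(("maxLength", pos))
    if is_int(value) or isinstance(value, float):
        if value < schema.get("minimum", value):
            out.append(("minimum", pos))
        if value > schema.get("maximum", value):
            out.append(("maximum", pos))
    if isinstance(value, dict):
        for req in schema.get("required", []):
            if req not in value:
                out.append((f"required:{req}", pos))
        props = schema.get("properties", {})
        for k, v in value.items():
            if k in props:
                check_schema(v, props[k], f"{pos}/{k}", out)
            elif schema.get("additionalProperties", True) is False:
                out.append((f"additionalProperties:{k}", pos))

def json_depth(obj, d=1):
    kids = obj.values() if isinstance(obj, dict) else obj if isinstance(obj, list) else []
    return max([json_depth(v, d + 1) for v in kids] + [d])

def validate_request(method, path, query, headers, body):
    """Return [] for a compliant request, else the list of (constraint, position) violations."""
    hdrs = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    for tmpl, item in SPEC["paths"].items():
        m = re.match("^" + re.sub(r"\{(\w+)\}", r"(?P<\1>[^/]+)", tmpl) + "$", path)
        if m:
            break
    else:
        return [("path", path)]
    op = item.get(method.lower())
    if op is None:
        return [("method", method)]
    out, sources = [], {"path": m.groupdict(), "query": query, "header": hdrs, "cookie": {}}
    for p in op.get("parameters", []):
        key = p["name"].lower() if p["in"] == "header" else p["name"]
        raw, pos = sources[p["in"]].get(key), f"{p['in']}:{p['name']}"
        if raw is None:
            if p.get("required"):
                out.append(("required", pos))
            continue
        if p["schema"].get("type") == "integer" and re.fullmatch(r"-?\d+", raw):
            raw = int(raw)  # parameters arrive as text; coerce before range checks
        check_schema(raw, p["schema"], pos, out)
    if "requestBody" in op:
        ctype = hdrs.get("content-type", "").split(";")[0].strip()
        media = op["requestBody"]["content"].get(ctype)
        if media is None:  # only JSON bodies are checked; anything else is noncompliant
            return out + [(f"content-type:{ctype or 'none'}", "body")]
        try:
            doc = json.loads(body)
        except ValueError:
            return out + [("json:parse", "body")]
        if json_depth(doc) > MAX_JSON_DEPTH:
            return out + [("json:depth", "body")]
        check_schema(doc, media["schema"], "body", out)
    return out
```

A request such as PUT /users/0?verbose=maybe with header X-Request-Id: xyz and body {"age": 200, "role": "root", "extra": 1} yields one (constraint, position) pair per violated constraint, e.g. ("minimum", "path:id") and ("maximum", "body/age"), which is the kind of detail to expect in the constraint and position fields of the block log entry; a body with a Content-Type other than application/json is rejected outright, matching the page's note that only JSON bodies are checked.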

The following log messages are written by the OpenAPI configuration loader:

  • SY-SG-CONF-115-00: Config Loader: Error parsing OpenAPI specification
    • file: filename of the document where the error occurred
    • position: denotes the position in the specification where the error was found
  • SY-SG-CONF-115-01: Config Loader: Unsupported OpenAPI feature
    • file: filename of the document where the error occurred
    • position: denotes the position in the specification where the error was found
  • SY-SG-CONF-115-02: Config Loader: Error compiling pattern for OpenAPI string format
  • SY-SG-CONF-115-03: Config Loader: Error compiling pattern for OpenAPI Content-Type matching

Security gate expert settings

Certain aspects of the OpenAPI validation are controlled by expert settings:

Expert Setting Key          Description
OpenApi.StringFormat.*      Patterns for custom value formats referenced by name in specifications.
OpenApi.Authentication.*    Whitelisted parameters for OAuth2 and OpenID Connect security schemes.
OpenApi.Check.Response      Enable or disable the response check (default "false").
OpenApi.ContentType.*       List of Content-Type patterns.
Request.Json.Limits.*       Thresholds for preventing DoS attacks against the JSON parser.