API traffic filtering and sensitive data masking enable your organization to maintain security and compliance while optimizing system performance and protecting sensitive information from unauthorized exposure.
API traffic filtering provides granular control over data flow through your API infrastructure by letting you restrict which requests and responses the platform processes, based on criteria you define. This selective processing reduces system load, improves response times, and ensures that only relevant traffic receives full security analysis. Sensitive data masking identifies patterns in API requests and responses that contain confidential information, then applies Format Preserving Encryption (FPE) to obscure those values while keeping their structure (length, separators, and character classes) intact so that analysis can still operate on them.
Both capabilities fulfill critical business requirements including regulatory compliance for personal privacy protection, confidentiality of proprietary business data, and adherence to industry-specific data handling standards such as PCI DSS for payment information or HIPAA for healthcare data.
Component architecture and deployment options
The Cequence platform implements API traffic filtering and sensitive data masking through two primary components: Cequence Bridge and Cequence Defender. Understanding these components and their deployment patterns helps you select the appropriate architecture for your security and compliance requirements.
The Cequence Bridge component operates at your network perimeter and prevents personally identifiable information (PII) from leaving your premises. Bridge deployments are particularly valuable for passive monitoring scenarios where you need comprehensive visibility without impacting existing application flows. Bridge can aggregate traffic from multiple sources and performs filtering and masking at the network edge, so sensitive data never leaves your controlled environment in clear form.
Inline deployments use Cequence Defender, which integrates directly into your API traffic flow. This deployment model provides real-time protection and response capabilities and does not require the Bridge component, because Defender performs filtering and masking itself within your existing infrastructure.
Alternatively, you can configure applications to send traffic directly to the API edge, where the internal Cequence Sensor bridge performs masking after the data arrives at the Cequence UAP platform. This approach reduces deployment complexity while still providing data protection. Because masking happens only after the data has reached the platform, this mode does not keep unmasked sensitive data on your premises in transit; choose a Bridge deployment where that guarantee is required.
All deployment configurations support filtering and masking on a per-host, per-URI, and per-method basis, enabling precise control over how different endpoints and operations are processed. The Cequence UAP platform applies data masking before any further processing occurs, ensuring that sensitive information remains protected throughout the entire analysis pipeline.
Traffic filtering use cases and strategies
Organizations implement traffic filtering to address various operational and security challenges. Common use cases include reducing analysis overhead for non-critical endpoints such as health checks or static asset requests, focusing security monitoring on high-value transactions like authentication or payment processing, and complying with data residency requirements by filtering traffic based on geographic or regulatory criteria.
Performance optimization represents another significant use case, where organizations sample routine API calls while ensuring complete coverage of security-critical operations. For example, you might sample 10% of general browsing traffic while capturing 100% of login attempts, password resets, and financial transactions.
The Cequence platform processes traffic filters according to a priority hierarchy that ensures predictable behavior: ignore and allow filters receive the highest priority, followed by exclude filters, with include filters lowest. Within each priority level the platform applies filters in the order you specify. Two practical consequences follow: a request that matches an ignore or exclude filter is dropped from processing even if a lower-priority include filter also matches it, and within the include level you should list specific filters (for example, one that captures every login request) before broad ones such as a general sampling filter.
Sensitive data masking patterns and protection mechanisms
Sensitive data masking addresses the challenge of protecting confidential information while maintaining the analytical value of your API traffic data. The Cequence platform uses Format Preserving Encryption (FPE) to obscure sensitive values while preserving their structural characteristics, enabling security analysis without exposing actual sensitive content.
Common sensitive data patterns include Social Security numbers, credit card numbers, email addresses, phone numbers, and custom business identifiers such as account numbers or employee IDs. Healthcare organizations might define patterns for medical record numbers or patient identifiers, while financial institutions focus on account numbers, routing numbers, and transaction identifiers.
The platform evaluates data against regular expression patterns you define, providing flexibility to address industry-specific or organization-specific sensitive data requirements. For highly sensitive information such as PII, you can enable complete data masking to ensure that even encrypted values are not transmitted or stored in logs.
Configuring traffic filtering
Traffic filtering configuration occurs within the Cequence UAP platform web interface through the Traffic Management section of General settings. The configuration process enables you to create named filters that specify which traffic should be processed and how.
- Access the Cequence UAP platform and navigate to General Settings > Traffic Management. The Traffic Management settings page displays existing filters and provides access to filter creation tools.
- Click +Add Traffic Filter to open the Add Traffic Filter wizard, which guides you through the configuration process.
- Provide a descriptive name and optional description for the filter to help identify its purpose and scope.
- Select an Application Tag from the dropdown menu to specify which applications or services this filter affects. Application tags enable logical grouping of related services and simplify filter management across complex environments.
- Choose the HTTP methods that this filter should evaluate. The platform defaults to ALL methods, but you can specify particular methods such as GET, POST, PUT, or DELETE to create more targeted filtering rules.
- Select a Traffic Policy that determines how matching traffic is handled:
  - Sample Traffic: Processes a specified percentage of matching requests, providing performance optimization while maintaining a statistically representative view of your traffic patterns.
  - Send All Traffic: Processes every matching request without sampling, appropriate for high-value transactions where complete coverage is essential.
  - Exclude Traffic: Removes all matching traffic from processing, useful for eliminating noise from routine operations or non-critical endpoints. This is a filter on what the platform analyzes, not a block on the client request itself.
- Configure Advanced Options if you need filtering based on specific query parameters, request headers, or response headers, or proceed to the Sensitive Data Masking configuration.
- Enable and configure Sensitive Data Masking if this filter should also protect sensitive information in matching traffic.
- Review the configuration summary and save the filter to activate the new traffic processing rules.
Advanced filtering criteria
Advanced filtering options provide granular control over traffic processing by evaluating specific aspects of API calls beyond basic application tags and HTTP methods. These options enable sophisticated filtering strategies that address complex operational requirements.
Query parameter filtering evaluates URL parameters against regular expressions you specify. This capability is valuable for filtering based on user types, geographic regions, or feature flags embedded in query strings. For example, you might filter traffic based on API version parameters or user role indicators.
Request header filtering examines incoming HTTP headers, enabling filtering based on user agents, authentication tokens, content types, or custom headers your applications use. You can mark specific headers as mandatory, ensuring that requests without required headers are excluded from processing.
Response header filtering evaluates outbound headers, providing control over processing based on server responses, caching directives, or custom application headers that indicate response characteristics or sensitivity levels.
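The following is an added example, not Cequence code, that shows how the priority hierarchy, the three traffic policies, and the advanced criteria above combine into a single decision for a request. The way the Traffic Policy options map onto filter kinds, the first-match-wins rule within a level, the default for unmatched traffic, and the hash-based sampler are assumptions made so the example runs stand-alone; the filter set and requests are constructed.

```python
"""Added example (not Cequence code): a minimal evaluator for traffic filters
that follows the priority hierarchy described above (ignore/allow first, then
exclude, then include, configured order within a level).  The mapping of the
Traffic Policy options onto filter kinds, first-match-wins, the default for
unmatched traffic and the hash-based sampler are assumptions."""
import hashlib
import re
from dataclasses import dataclass, field

PRIORITY = {"ignore": 0, "allow": 0, "exclude": 1, "include": 2}


@dataclass
class Request:
    app_tag: str
    method: str
    path: str
    request_id: str
    query: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)
    response_headers: dict = field(default_factory=dict)


@dataclass
class TrafficFilter:
    name: str
    kind: str                     # "ignore", "allow", "exclude" or "include"
    app_tag: str
    path: str = r".*"             # regex, matched against the whole URL path
    methods: tuple = ("ALL",)
    policy: str = "send_all"      # include filters: "send_all" or "sample"
    sample_percent: int = 100
    query_params: dict = field(default_factory=dict)     # name -> value regex
    request_headers: dict = field(default_factory=dict)  # name -> value regex
    mandatory_headers: tuple = ()                        # must be present
    response_headers: dict = field(default_factory=dict) # name -> value regex

    def matches(self, req: Request) -> bool:
        if self.app_tag != req.app_tag:
            return False
        if "ALL" not in self.methods and req.method not in self.methods:
            return False
        if not re.fullmatch(self.path, req.path):
            return False
        if any(h not in req.headers for h in self.mandatory_headers):
            return False
        for values, rules in ((req.query, self.query_params),
                              (req.headers, self.request_headers),
                              (req.response_headers, self.response_headers)):
            for name, pattern in rules.items():
                if name not in values or not re.search(pattern, values[name]):
                    return False
        return True


def sampled_in(req: Request, percent: int) -> bool:
    """Deterministic sampler (assumption): hash the request id into a 0..99
    bucket so the same request always gets the same decision."""
    bucket = int(hashlib.sha256(req.request_id.encode()).hexdigest(), 16) % 100
    return bucket < percent


def decide(filters, req: Request) -> tuple:
    """Return (decision, filter_name): filters are tried by priority level and,
    within a level, in configured order; the first match decides."""
    ordered = sorted(enumerate(filters), key=lambda p: (PRIORITY[p[1].kind], p[0]))
    for _, f in ordered:
        if not f.matches(req):
            continue
        if f.kind in ("ignore", "exclude"):
            return "drop", f.name
        if f.kind == "allow" or f.policy == "send_all":
            return "process", f.name
        return ("process" if sampled_in(req, f.sample_percent) else "drop"), f.name
    return "process", None   # assumption: unmatched traffic gets full processing


# Constructed filter set.  Specific include filters are listed before the broad
# sampling filter: within the include level the first match wins, so the reverse
# order would sample logins at 10% instead of capturing all of them.
FILTERS = [
    TrafficFilter("auth-full", "include", "shop", methods=("POST",),
                  path=r"/(login|password/reset|checkout)", policy="send_all"),
    TrafficFilter("partner-full", "include", "shop", path=r"/partner/.*",
                  mandatory_headers=("X-Partner-Id",), policy="send_all"),
    TrafficFilter("general-sample", "include", "shop",
                  policy="sample", sample_percent=10),
    # Exclude filters outrank the include filters above regardless of position.
    TrafficFilter("healthz", "exclude", "shop", path=r"/healthz"),
    TrafficFilter("probe", "exclude", "shop", query_params={"probe": r"^1$"}),
]

if __name__ == "__main__":
    for req in (Request("shop", "POST", "/login", "r1"),
                Request("shop", "GET", "/healthz", "r2"),
                Request("shop", "GET", "/catalog/42", "r3")):
        print(req.method, req.path, decide(FILTERS, req))
```

Note that the health-check exclude filter wins over the sampling filter even though it is listed after it, whereas swapping the two include filters changes the result for POST /login. Whatever evaluator your deployment uses, verify filter order with a few representative requests before relying on it for coverage of authentication and payment endpoints.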
Configuring sensitive data masking patterns
Sensitive data masking relies on regular expression patterns that identify confidential information within API traffic. The Cequence platform processes these patterns before any other analysis occurs, ensuring that sensitive data receives protection throughout the entire security analysis pipeline.
- Navigate to Posture Management > Sensitive Data Expressions to access pattern management tools.
- Click Add New Pattern to create a new sensitive data detection rule.
- Provide a descriptive name and detailed description for the pattern to help other administrators understand its purpose and scope.
- Enter the regular expression that identifies the sensitive data pattern. The platform supports standard regular expression syntax, enabling complex pattern matching for various data types. Test each pattern against representative values before enabling it: an overly loose pattern (for example, any run of nine digits) matches far more than Social Security numbers, and patterns with nested quantifiers can be slow on large bodies.
- Optionally, check the Mask Captured Data box for highly sensitive information such as PII, which ensures complete masking of matching values.
- Select the data sources to examine for this pattern. Alternatively, leave the selection blank to examine all sources, including request bodies, response bodies, headers, and query parameters.
- Configure name filters to specify which fields should be included or excluded from pattern matching. Include filters limit pattern evaluation to specified fields, while exclude filters prevent evaluation of particular fields that might contain false positives.
- Save the pattern to activate sensitive data detection for matching traffic.
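The following is an added example, not Cequence code, that runs the kind of configuration described in this procedure (regex patterns, source scoping, include and exclude name filters, and the Mask Captured Data option) over a constructed API transaction. The keyed SHAKE-based substitution is a one-way, format-preserving stand-in for FPE chosen so the example runs without an FPE library; it is not the platform's cipher. The Luhn check on card-number matches is an extra the example adds to show how false positives are avoided, since the pattern configuration above is regex-based. All keys, patterns, and transaction data are constructed.

```python
"""Added example (not Cequence code): regex-driven sensitive data detection with
source scoping, name filters and a format-preserving stand-in for FPE.  The keyed
SHAKE substitution and the Luhn validator are the example's own assumptions."""
import hashlib
import re
from dataclasses import dataclass

KEY = b"example-only-key-rotate-in-production"   # constructed


@dataclass
class SensitivePattern:
    name: str
    regex: str
    sources: tuple = ()          # empty = all sources
    include_names: tuple = ()    # only these field names are checked
    exclude_names: tuple = ()    # these field names are skipped
    mask_captured: bool = False  # "Mask Captured Data": no format-preserving output
    validator: object = None     # optional extra check on a match (example addition)

    def applies(self, source: str, field_name: str) -> bool:
        if self.sources and source not in self.sources:
            return False
        if self.include_names and field_name not in self.include_names:
            return False
        return field_name not in self.exclude_names


def luhn_ok(number: str) -> bool:
    """Standard Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def pseudonymise(value: str) -> str:
    """Format-preserving stand-in for FPE: keep length, separators and character
    class; derive each replacement character from a keyed hash so equal inputs
    map to equal outputs (correlation survives) but cannot be read back."""
    stream = hashlib.shake_256(KEY + value.encode()).digest(len(value))
    out = []
    for ch, b in zip(value, stream):
        if ch.isdigit():
            out.append(str(b % 10))
        elif ch.isalpha() and ch.isupper():
            out.append(chr(ord("A") + b % 26))
        elif ch.isalpha():
            out.append(chr(ord("a") + b % 26))
        else:
            out.append(ch)
    return "".join(out)


def mask_value(value: str, source: str, field_name: str, patterns) -> tuple:
    """Apply every applicable pattern to one field; returns (new_value, hits)."""
    hits = []
    for p in patterns:
        if not p.applies(source, field_name):
            continue

        def repl(m, p=p):
            if p.validator and not p.validator(m.group(0)):
                return m.group(0)            # regex matched but validator rejected it
            hits.append(p.name)
            return "***" if p.mask_captured else pseudonymise(m.group(0))
        value = re.sub(p.regex, repl, value)
    return value, hits


def mask_transaction(txn: dict, patterns) -> tuple:
    """txn maps source name -> {field name: string value} (flat for brevity)."""
    masked, fired = {}, []
    for source, fields in txn.items():
        masked[source] = {}
        for name, value in fields.items():
            masked[source][name], hits = mask_value(value, source, name, patterns)
            fired.extend(hits)
    return masked, fired


PATTERNS = [  # constructed
    SensitivePattern("ssn", r"\b\d{3}-\d{2}-\d{4}\b", mask_captured=True),
    SensitivePattern("card", r"\b\d(?:[ -]?\d){12,18}\b", validator=luhn_ok),
    SensitivePattern("email", r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}",
                     exclude_names=("support_contact",)),
    SensitivePattern("bearer", r"(?<=Bearer )[A-Za-z0-9._-]+",
                     sources=("headers",), include_names=("Authorization",)),
]

TXN = {  # constructed transaction
    "headers": {"Authorization": "Bearer eyJhbGciOiJIUzI1NiJ9.c3ViPTQy.c2ln",
                "User-Agent": "curl/8.0"},
    "query": {"ref": "4111-1111-1111-1111"},        # card number leaked into the URL
    "request_body": {"email": "jane.doe@example.com", "ssn": "123-45-6789",
                     "card": "4111111111111111",
                     "tracking_number": "1234567890123456"},   # 16 digits, fails Luhn
    "response_body": {"support_contact": "help@shop.example", "card_last4": "1111"},
}

if __name__ == "__main__":
    print(mask_transaction(TXN, PATTERNS))
```

The masked output keeps the dashes in the query-string card number, the "@" and dots in the e-mail address, and the "Bearer " prefix, so parsers downstream still see well-formed values; the Social Security number is replaced outright because its pattern has Mask Captured Data set. Because the substitution is keyed on the exact string, "4111-1111-1111-1111" and "4111111111111111" receive different pseudonyms; normalise separators before masking if you need to correlate both forms.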
Managing file extensions and content types
The Cequence platform provides additional filtering capabilities based on file extensions and HTTP content types, enabling you to exclude routine file requests or focus processing on specific content categories.
File extension filtering prevents processing of static assets such as images, stylesheets, or JavaScript files that typically do not contain security-relevant information. This filtering reduces processing overhead and focuses analysis on dynamic API responses that are more likely to contain sensitive data or indicate security threats.
Content type filtering operates on HTTP Content-Type headers, enabling inclusion or exclusion of specific media types. You can configure the platform to focus on structured data formats such as JSON or XML while ignoring binary content, or exclude specific content types from particular analysis functions such as API Discovery or Compliance scanning.
Advanced content type options provide additional granularity by allowing different content type rules for different platform functions. For example, you might allow all content types for Threat Detection while excluding multimedia content from API Discovery processes.
File extension configuration
- Access General Settings > Traffic Management and select the File Extensions tab.
- Add file extensions to the Ignored File Extensions list by typing the extension and clicking Add. Common extensions to ignore include .css, .js, .png, .jpg, .gif, and .ico.
- Use the Advanced Option section to specify additional extensions to exclude from API Discovery and Compliance actions while remaining available for other security analysis functions.
- Save the configuration to apply the file extension filtering rules.
Content type configuration
- Access General Settings > Traffic Management and select the Content-Types tab.
- Select the operating mode:
  - Allow Mode: Subjects only the specified content types to traffic management, excluding all others.
  - Ignore Mode: Excludes the specified content types from traffic management while processing all others.
- Add content type specifications using standard MIME type format such as application/json, text/xml, or image/png.
- Configure advanced options to create different content type rules for specific platform functions such as Threat Detection, API Discovery, or Compliance scanning.
- Save the configuration to activate the content type filtering rules.
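The following is an added example, not Cequence code, that shows how an ignored-extension list, a content-type rule in Allow or Ignore mode, and per-function overrides combine into a processing decision, and where naive matching goes wrong. The normalisation rules (extension taken from the URL path only, media type compared case-insensitively with parameters such as charset stripped, wildcard subtypes) and the rule set are assumptions made for the example; check how your own deployment handles each case, in particular an empty list in Allow mode, which in this example processes nothing.

```python
"""Added example (not Cequence code): ignored extensions plus content-type
allow/ignore modes with per-function overrides.  Normalisation rules and the
rule set below are assumptions."""
import posixpath
from urllib.parse import urlsplit

IGNORED_EXTENSIONS = {".css", ".js", ".png", ".jpg", ".gif", ".ico"}   # constructed

# "default" is the global rule; other keys are per-function overrides (constructed).
CONTENT_TYPE_RULES = {
    "default": {"mode": "allow",
                "types": {"application/json", "text/xml", "application/xml"}},
    "threat_detection": {"mode": "ignore", "types": set()},   # ignore nothing = all types
    "api_discovery": {"mode": "ignore", "types": {"image/*", "video/*", "audio/*"}},
}


def path_extension(url: str) -> str:
    """Extension of the path component only: '/api/users?file=x.png' has none,
    '/static/app.js?v=2' has '.js'."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def media_type(content_type: str) -> str:
    """'Application/JSON; charset=utf-8' -> 'application/json'."""
    return content_type.split(";", 1)[0].strip().lower()


def type_matches(mt: str, spec: str) -> bool:
    if spec.endswith("/*"):
        return mt.startswith(spec[:-1])
    return mt == spec


def content_type_allowed(content_type: str, function: str = "default") -> bool:
    rule = CONTENT_TYPE_RULES.get(function, CONTENT_TYPE_RULES["default"])
    mt = media_type(content_type)
    listed = any(type_matches(mt, spec) for spec in rule["types"])
    # Allow mode: process only listed types.  Ignore mode: process all but listed.
    return listed if rule["mode"] == "allow" else not listed


def should_process(url: str, content_type: str, function: str = "default") -> bool:
    """Ignored extensions apply to every function; content-type rules may differ."""
    if path_extension(url) in IGNORED_EXTENSIONS:
        return False
    return content_type_allowed(content_type, function)


if __name__ == "__main__":
    for url, ctype, fn in (("https://shop.example/api/users?file=x.png", "application/json", "default"),
                           ("https://shop.example/static/app.js?v=2", "application/javascript", "default"),
                           ("https://shop.example/media/1", "image/png", "threat_detection"),
                           ("https://shop.example/media/1", "image/png", "api_discovery")):
        print(fn, url, ctype, should_process(url, ctype, fn))
```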
These configuration options work together to create a comprehensive traffic management strategy that balances security analysis requirements with system performance and compliance obligations. Regular review and adjustment of these settings ensures that your API protection remains effective as your applications and threat landscape evolve.