The Cequence Unified API Protection (UAP) platform provides options for API traffic filtering and sensitive data masking. With traffic filtering, you can control data flow through your API to restrict responses by the criteria you specify. Sensitive data masking identifies data patterns in API requests that you define as sensitive, then applies Format Preserving Encryption (FPE) to obscure the values. Typically, sensitive data masking fulfills business confidentiality or personal privacy compliance requirements.
API traffic filtering and sensitive data masking are provided in the Cequence Bridge and Defender components. Using either capability requires you to install one of the providing components. Data masking is applied before any further processing in the UAP.
Deployment Considerations
You can achieve traffic filtering and data masking in different ways depending on your particular use case. The Cequence Bridge component prevents personally identifying information (PII) from leaving your premises and is typically used with passive deployments. Inline deployments where a Cequence Defender is present do not require the Bridge. Bridge can act as an aggregator for multiple sources, and performs the filtering and masking operations at the network edge, before any data leaves your environment.
You can also send traffic directly to the API edge. In this deployment style, the internal Cequence Sensor bridge performs masking after the data arrives at the Cequence UAP platform.
Either configuration can perform filtering and masking on a per-host, per-URI, per-method basis, enabling you to configure filtering or masking behavior for specific endpoints.
Configuring traffic filtering
Traffic filtering settings are available in the Cequence UAP platform web UI, in the Traffic Management section of the General settings. Ignore and allow filters have highest priority, followed by Exclude filters. Include filters have the lowest priority. The Cequence UAP platform applies filters in order within a given priority type. You can modify the order at any time.
- Log in to the Cequence UAP platform.
The Home page appears.
- In the left navigation bar, click General Settings > Traffic Management.
The Traffic Management settings page appears. When no filters are defined, the Include Traffic section of the page is open to display the default traffic filter, which cannot be edited or disabled.
- Click +Add Traffic Filter.
The Add Traffic Filter wizard opens at the Traffic Filters step.
- In Name, type a name for the filter.
- Optionally, in Description, type a description for the filter.
- From the Application Tag drop-down, select a tag.
- Optionally, click +Create Application Tag to create a new application tag directly from the drop-down.
- From the Method drop-down, select a method to add to the list of methods.
ALL is selected by default.
- From the Traffic Policy drop-down, choose a policy.
Select Sample Traffic and enter an integer in the % of total requests field to sample the specified percentage of requests. For most use cases, this is the most performant option.
Select Send All Traffic to filter no traffic from the specified application tag and methods. Use this option for specific types of transactions where every occurrence is important, such as login or checkout transactions.
Select Exclude Traffic to block all traffic from the specified application tag and methods.
- Optionally, open Advanced Options and enter specific configuration for query parameters, request headers, or response headers, or click Next. Advanced option configuration is discussed in a separate section of this article.
The wizard advances to the Sensitive Data Masking step.
- Optionally, to enable Sensitive Data Masking, enable the toggle.
Specifying sensitive data patterns is discussed in a separate section of this article.
- Click Next.
The wizard advances to the Summary page.
- Optionally, review the summary, then click Save.
The traffic filter is now ready.
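The priority order described above (ignore and allow filters first, then exclude, then include, and configured order within each class, with the undeletable default include filter as the fallback) can be modelled as a small first-match-wins evaluator. The following is an added illustration, not Cequence code: the filter record, the deterministic sampling bucket and the policy names are assumptions chosen to mirror the wizard's Sample Traffic, Send All Traffic and Exclude Traffic choices, and the priority class only determines evaluation order here.

```python
"""Added example: model of the traffic-filter priority order (not Cequence code)."""
import hashlib
from dataclasses import dataclass

# Priority classes in the order the page gives: ignore/allow first,
# then exclude, then include (lowest). Within a class, list order applies.
PRIORITY_ORDER = ("ignore", "allow", "exclude", "include")


@dataclass
class TrafficFilter:
    name: str
    priority: str              # one of PRIORITY_ORDER (assumed field)
    app_tag: str               # Application Tag the filter is scoped to
    methods: tuple = ("ALL",)  # "ALL" matches every HTTP method
    policy: str = "send_all"   # "sample", "send_all" or "exclude" (assumed names)
    sample_percent: int = 100  # "% of total requests", used only for "sample"

    def matches(self, tag, method):
        return self.app_tag == tag and ("ALL" in self.methods or method in self.methods)


def sample_bucket(request_id):
    """Deterministic 0-99 bucket per request id so sampling is reproducible.
    Constructed for the example; a real sampler would be keyed and randomised."""
    digest = hashlib.sha256(request_id.encode()).digest()
    return int.from_bytes(digest[:4], "big") % 100


def apply_policy(flt, request_id):
    """Translate a matched filter's policy into a keep/drop decision."""
    if flt.policy == "exclude":
        return "drop"
    if flt.policy == "sample":
        return "keep" if sample_bucket(request_id) < flt.sample_percent else "drop"
    return "keep"  # send_all


def evaluate(filters, tag, method, request_id):
    """Return (decision, filter name): highest priority class first, then
    configured order inside that class; the default include filter wins
    when nothing else matches."""
    for prio in PRIORITY_ORDER:
        for flt in filters:  # list order == configured order within a class
            if flt.priority == prio and flt.matches(tag, method):
                return apply_policy(flt, request_id), flt.name
    return "keep", "default"


# Constructed configuration for a walk-through.
EXAMPLE_FILTERS = [
    TrafficFilter("checkout-all", "include", "checkout", ("POST",), "send_all"),
    TrafficFilter("health-exclude", "exclude", "health", ("GET",), "exclude"),
    TrafficFilter("catalog-sample", "include", "catalog", ("ALL",), "sample", 50),
    # Listed last, but its "allow" class is evaluated before any include filter.
    TrafficFilter("catalog-delete-allow", "allow", "catalog", ("DELETE",), "send_all"),
]

if __name__ == "__main__":
    for tag, method in [("health", "GET"), ("checkout", "POST"),
                        ("catalog", "DELETE"), ("billing", "GET")]:
        print(tag, method, evaluate(EXAMPLE_FILTERS, tag, method, "req-1"))
```

Note how `catalog-delete-allow` wins over `catalog-sample` even though it is configured later: the class ordering is applied before the within-class ordering, which is the behaviour to keep in mind when an include filter appears not to fire.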
Configuring advanced filtering options
The Cequence UAP platform can provide traffic management based on specified aspects of the API call.
- Create a traffic filter as discussed earlier in this article, then open Advanced Options.
- Enable the toggles for the aspects to configure.
The available toggles are Query Params, Request Headers, and Response Headers.
- Optionally, configure query parameters by enabling the Query Params toggle, then specify a set of parameters and expressions.
- When configuring query parameters, type the name of the parameter and a regular expression to match against that parameter.
- When configuring query parameters, add a set of parameters and expressions by clicking +.
- Optionally, configure request headers by enabling the Request Headers toggle, then specify a set of header names and header expressions.
- When configuring request headers, type the name of the header and a regular expression to match against that header, then enable the Mandatory toggle when the header is mandatory.
- When configuring request headers, add a set of headers and expressions by clicking +.
- Optionally, configure response headers by enabling the Response Headers toggle, then specify a set of header names and header expressions.
- When configuring response headers, type the name of the header and a regular expression to match against that header, then enable the Mandatory toggle when the header is mandatory.
- When configuring response headers, add a set of headers and expressions by clicking +.
Specifying sensitive data expressions
Data that matches the patterns you define in this section is masked before transmission to the Cequence UAP platform for analysis.
- Log in to the Cequence UAP platform.
The Home page appears.
- In the left navigation bar, click General Settings > Sensitive Data Expressions.
The Sensitive Data Expressions settings page appears with the RegEx Patterns tab selected.
- Click Add New Pattern.
The Add New Expression dialog box appears.
- In Name, type a name for the expression.
- In Description, type a description for the pattern.
- In Regex Pattern, type the regular expression that evaluates data for the pattern.
- Optionally, check Mask Captured Data.
Check this box for highly sensitive data such as Personally Identifying Information (PII).
- From the Sources drop-down, select a set of sources to examine for sensitive data.
To examine all sources, leave all selections blank.
- In the Name Filters section, make a selection.
Include Fields examines the specified fields for sensitive data.
Exclude Fields does not examine the specified fields for sensitive data.
- In the Name Filters section, type the name of a field.
To add another field, click +.
- Click Save.
The sensitive data expressions are now complete.
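The pieces of a sensitive data expression (a regex, the Mask Captured Data choice, an optional source list, and Include Fields or Exclude Fields name filters) combine into a simple matching model that is worth seeing end to end. The following is an added example and not Cequence code: the field names, the request layout (query, headers, body), the interpretation that Mask Captured Data masks only the regex capture groups rather than the whole match, and the keyed stand-in replacement are all assumptions. The stand-in keeps the length and character classes of the matched text so that downstream parsing still works, which is the property FPE provides, but it is a one-way keyed hash, not encryption, and the platform's own FPE is not reproduced here.

```python
"""Added example: applying sensitive-data expressions to a request (not Cequence code)."""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class SensitivePattern:
    name: str
    regex: str
    mask_captured_only: bool = False  # assumed meaning of "Mask Captured Data"
    sources: tuple = ()               # empty tuple: examine all sources
    include_fields: tuple = ()        # non-empty: only these field names are examined
    exclude_fields: tuple = ()        # these field names are never examined

    def applies_to(self, source, field_name):
        if self.sources and source not in self.sources:
            return False
        if self.include_fields and field_name not in self.include_fields:
            return False
        return field_name not in self.exclude_fields


def stand_in(text, key):
    """Format-preserving stand-in: digits stay digits, letters stay letters
    (case kept), other characters are untouched. Keyed and deterministic so
    the same value masks the same way across fields. NOT encryption."""
    digest = hashlib.sha256(key + text.encode()).digest()
    out = []
    for i, ch in enumerate(text):
        b = digest[i % len(digest)]
        if ch.isdigit():
            out.append(str(b % 10))
        elif ch.isalpha():
            base = "A" if ch.isupper() else "a"
            out.append(chr(ord(base) + b % 26))
        else:
            out.append(ch)
    return "".join(out)


def mask_value(value, patterns, source, field_name, key):
    """Replace every applicable pattern's matches inside one field value."""
    for pat in patterns:
        if not pat.applies_to(source, field_name):
            continue

        def repl(m, pat=pat):
            whole = m.group(0)
            if not (pat.mask_captured_only and m.groups()):
                return stand_in(whole, key)
            # Mask only the capture groups, working right to left so earlier
            # offsets stay valid after each substitution.
            for gi in range(len(m.groups()), 0, -1):
                if m.group(gi) is None:
                    continue
                a, b = m.start(gi) - m.start(0), m.end(gi) - m.start(0)
                whole = whole[:a] + stand_in(whole[a:b], key) + whole[b:]
            return whole

        value = re.sub(pat.regex, repl, value)
    return value


def mask_request(request, patterns, key):
    """request: {"query": {...}, "headers": {...}, "body": {...}} of string values."""
    return {src: {name: mask_value(val, patterns, src, name, key)
                  for name, val in fields.items()}
            for src, fields in request.items()}


# Constructed patterns and request for the walk-through.
EXAMPLE_KEY = b"constructed-demo-key"
EXAMPLE_PATTERNS = [
    SensitivePattern("card", r"\b\d{4}-\d{4}-\d{4}-\d{4}\b", sources=("body",)),
    SensitivePattern("email", r"([A-Za-z0-9._%+-]+)@([A-Za-z0-9.-]+\.[A-Za-z]{2,})",
                     mask_captured_only=True),
    SensitivePattern("bearer", r"Bearer (\S+)", mask_captured_only=True,
                     sources=("headers",), include_fields=("Authorization",)),
]
EXAMPLE_REQUEST = {
    "query": {"email": "alice@example.com"},
    "headers": {"Authorization": "Bearer abc123", "Accept": "application/json"},
    "body": {"card": "4111-1111-1111-1234", "note": "ok"},
}

if __name__ == "__main__":
    print(mask_request(EXAMPLE_REQUEST, EXAMPLE_PATTERNS, EXAMPLE_KEY))
```

The `Accept` header and the `note` field pass through untouched because no pattern matches them, the card number is replaced as a whole while keeping its `dddd-dddd-dddd-dddd` shape, and the bearer token keeps its `Bearer ` prefix because only the capture group is masked.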
Specifying file extensions to ignore
The Cequence UAP platform can ignore files that end in an extension that you specify.
- Log in to the Cequence UAP platform.
The Home page appears.
- In the left navigation bar, click General Settings > Traffic Management.
- Select the File Extensions tab.
The File Extensions page appears.
- In Ignored File Extensions, type a file extension and click Add.
The extension appears in the list of ignored extensions. To remove an extension from the list, click the x next to the extension.
- Optionally, to exclude an extension only from API Discovery and Compliance actions, open the Advanced Option section.
- In Additional file extensions to exclude, type the extension to exclude from API Discovery and Compliance actions, then click Add.
- In the upper right corner, click Save.
The Cequence UAP platform ignores the specified file extensions.
Allowing and ignoring content types
You can specify Content-Type tags to include in or ignore from Cequence UAP traffic management. Content tags are part of the HTTP header that describe the content and are typically of the form <category>/<item>, as in the examples application/json or image/webp.
- Log in to the Cequence UAP platform.
The Home page appears.
- In the left navigation bar, click General Settings > Traffic Management.
- Select the Content-Types tab.
The Content-Types page appears.
- Choose a mode.
Allow Mode subjects the specified content types to traffic management.
Ignore Mode does not apply traffic management to the specified content types.
- Optionally, when in Ignore Mode, select Ignore response with missing Content-type to treat content with no listed content-type as an ignored type.
- Type a content-type tag and click Add.
The tag appears in the Allow or Ignore Mode list, depending on the mode selected.
- Optionally, open the Advanced Option section.
In Allow Mode, the advanced option enables you to specify content types to allow for Threat Detection actions only.
In Ignore Mode, the advanced option enables you to specify content types to exclude from API Discovery and Compliance actions only.
- When specifying content types for the advanced option, type a content-type tag and click Add.
- In the upper right corner, click Save.
The content types are allowed or ignored, as specified.
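Taken together, the ignored file extensions and the Content-Type Allow/Ignore modes from the two sections above decide whether a transaction is in scope for traffic management at all. The following added example (not Cequence code) shows one way to express that decision, including the Ignore response with missing Content-type option: the configuration record, the function names and the URL and header samples are constructed, and the example goes slightly beyond the text by normalising the media type (dropping parameters such as `; charset=utf-8` and case) before comparing it, since a raw header comparison would silently let such responses through.

```python
"""Added example: in-scope decision from ignored extensions and Content-Type mode (not Cequence code)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class ScopeConfig:
    ignored_extensions: set = field(default_factory=set)  # Ignored File Extensions list
    content_type_mode: str = "ignore"                     # "allow" or "ignore" (assumed names)
    content_types: set = field(default_factory=set)       # tags added on the Content-Types tab
    ignore_missing_content_type: bool = False             # Ignore Mode option from the page


def extension_of(url):
    """Extension of the final path segment only; query parameters are ignored
    so '/v1/users?file=a.png' does not count as a .png request."""
    last = urlsplit(url).path.rsplit("/", 1)[-1]
    return last.rsplit(".", 1)[-1].lower() if "." in last else ""


def media_type(content_type):
    """Normalise a Content-Type header value to its bare media type."""
    if not content_type:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def in_scope(cfg, url, response_content_type):
    """True when the transaction should receive traffic management."""
    if extension_of(url) in cfg.ignored_extensions:
        return False
    mt = media_type(response_content_type)
    if cfg.content_type_mode == "allow":
        # Allow Mode: only the listed types are managed.
        return mt in cfg.content_types
    # Ignore Mode: listed types are skipped; a missing header is skipped
    # only when the option is enabled.
    if not mt:
        return not cfg.ignore_missing_content_type
    return mt not in cfg.content_types


# Constructed configuration: static assets and images are out of scope,
# and responses without a Content-Type are ignored as well.
EXAMPLE_CFG = ScopeConfig(
    ignored_extensions={"png", "css", "js"},
    content_type_mode="ignore",
    content_types={"image/webp", "text/css"},
    ignore_missing_content_type=True,
)

if __name__ == "__main__":
    samples = [
        ("https://api.example.test/v1/users?x=1", "application/json; charset=utf-8"),
        ("https://api.example.test/static/app.js", "application/javascript"),
        ("https://api.example.test/v1/avatar", "Image/WebP"),
        ("https://api.example.test/v1/ping", None),
    ]
    for url, ct in samples:
        print(url, ct, "->", "managed" if in_scope(EXAMPLE_CFG, url, ct) else "ignored")
```

A useful check when tuning these lists is to confirm that an endpoint you care about is still managed when its response carries a charset parameter or an unexpectedly cased media type, which is what the normalisation in `media_type` guards against.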