My web dev team is bringing up concerns about the openness of our API architecture from a security perspective. I am struggling with the spend and effort associated with implementing an API Manager. The concern is that when we go live with our e-commerce platform we will have 150 APIs that are open. To control those we will need to leverage iRules on the F5.
Does anyone have a position on how high our risk exposure is and if using the F5 is a feasible approach to API protection at this state?
How do you want to limit access to these APIs? By IP? Usernames? More details and we can provide a better answer.
Probably by IPs, but both options are on the table.
IP based protection is easier. You can just block access to https.
IP based can be done either by specifying a source in the VIP or by applying a relatively simple iRule that references an IP datagroup. Usernames wouldn't really protect you, the more I think about it, and there are lots of iRule examples for creating "IP whitelists."
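The iRule approach described above, as an added example that is not code from this thread or from F5: it gates requests to the API paths on an address data group and rejects everything else with a 403. The data group name `api_allowed_clients`, the `/api/` path prefix and the addresses are assumptions.

```tcl
# Added example: allow API requests only from clients listed in an address data group.
# Assumed data group (type "address"), created for instance with tmsh:
#   create ltm data-group internal api_allowed_clients type ip \
#       records add { 203.0.113.0/24 { } 198.51.100.10/32 { } }
# (203.0.113.0/24 and 198.51.100.10 are constructed documentation addresses.)

when CLIENT_ACCEPTED {
    # Evaluate the allow decision once per TCP connection; the address data group
    # matches both single hosts and CIDR blocks.
    set api_client_allowed [class match [IP::client_addr] equals api_allowed_clients]
}

when HTTP_REQUEST {
    # Only gate the API endpoints (assumed to live under /api/); leave the rest of the site alone.
    if { [string tolower [HTTP::path]] starts_with "/api/" } {
        if { !$api_client_allowed } {
            # Log the rejected source so denials can be monitored, then refuse the request.
            log local0. "API access denied: client [IP::client_addr] path [HTTP::path]"
            HTTP::respond 403 content "Forbidden" "Content-Type" "text/plain" "Connection" "close"
            return
        }
    }
}
```

Because the lookup is done per connection rather than per request, a client that is removed from the data group is denied on its next connection, not on its next request over an already open keep-alive connection.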