Advanced API Security best practices

This page applies to Apigee and Apigee hybrid.


This page describes some best practices for working with Advanced API Security.

Preserve X-Forwarded-For request headers

The X-Forwarded-For (XFF) request header is a standard header for identifying the originating IP addresses of clients connecting to a web server through a proxy server. Many platforms provide the ability to strip off XFF headers from incoming requests for security purposes. However, this is not recommended if you are using Advanced API Security, because the machine learning algorithms it uses need the IP address information to identify abuse traffic, and to calculate security scores.

How to determine if your platform is stripping off XFF headers

To determine if your platform is stripping off XFF headers, make an API call like the following:

curl "https://apigee.googleapis.com/v1/organizations/ORG/environments/ENV/stats/x_forwarded_for_ip?select=avg(total_response_time)&timeRange=9/24/2018%2000:00~10/25/2018%2000:00&timeUnit=day" \
 -H "Authorization: Bearer $TOKEN"

where ORG is your organization and ENV is an environment in the organization.

If your platform is stripping off XFF headers, this returns a response in which the first line will be

 "name": "(not set)",

The (not set) in the response means your platform is stripping off XFF headers.
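The check above, as an added example that is not part of the Apigee documentation: it builds the same stats request URL with the query parameters encoded, and classifies a constructed response for the "(not set)" marker. The response layout (environments[].dimensions[].name) is assumed from the stats API, and the partial case covers a deployment where only some traffic passes through a header-stripping proxy.

```python
import json
from urllib.parse import urlencode, quote

APIGEE_API = "https://apigee.googleapis.com/v1"


def build_stats_url(org: str, env: str, time_range: str) -> str:
    """Return the x_forwarded_for_ip stats URL with the query string
    percent-encoded, so it can be passed to curl or an HTTP client as one
    argument without the shell treating '&' as a job separator."""
    query = urlencode({
        "select": "avg(total_response_time)",
        "timeRange": time_range,
        "timeUnit": "day",
    }, quote_via=quote)
    return f"{APIGEE_API}/organizations/{org}/environments/{env}/stats/x_forwarded_for_ip?{query}"


def xff_dimension_names(stats_response: dict) -> list:
    """Collect every dimension name (a client IP, or "(not set)") from a
    stats response. Assumed shape: environments[].dimensions[].name."""
    names = []
    for environment in stats_response.get("environments", []):
        for dimension in environment.get("dimensions", []):
            names.append(dimension.get("name", "(not set)"))
    return names


def xff_status(stats_response: dict) -> str:
    """'stripped' when every row is "(not set)", 'preserved' when none is,
    'partial' when mixed (some path strips XFF), 'no-data' when empty."""
    names = xff_dimension_names(stats_response)
    if not names:
        return "no-data"
    unset = sum(1 for name in names if name == "(not set)")
    if unset == len(names):
        return "stripped"
    return "preserved" if unset == 0 else "partial"


# Constructed sample response: a single row showing XFF stripped upstream.
SAMPLE_STRIPPED = json.loads("""{
  "environments": [{"name": "prod", "dimensions": [
    {"name": "(not set)",
     "metrics": [{"name": "avg(total_response_time)",
                  "values": [{"timestamp": 1537747200000, "value": "142.5"}]}]}
  ]}]
}""")

if __name__ == "__main__":
    print(build_stats_url("my-org", "prod", "9/24/2018 00:00~10/25/2018 00:00"))
    print(xff_status(SAMPLE_STRIPPED))
```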