API Security Platform
Protect your APIs with ModSecurity + OWASP CRS, abuse detection, IP block-lists, and per-tenant rate limiting — managed from one console.
Threatstealth API Security protects REST, GraphQL, and gRPC endpoints with OWASP API Security Top 10 coverage, schema validation, abuse detection, and per-tenant rate limiting — all managed from a single console.
- OWASP API Security Top 10 coverage — protection against Broken Object Level Authorization, excessive data exposure, and injection
- API schema validation — enforce OpenAPI contract compliance and reject malformed requests at the WAF layer
- Abuse detection — credential stuffing, automated scanning, and anomalous API usage patterns
- Per-tenant rate limiting — configurable rate limits and burst allowances per organization and endpoint
- IP reputation enforcement — block-list integration with threat intelligence feeds
- API traffic analytics — endpoint usage, error rates, latency percentiles, and security events per tenant
OWASP API Security Top 10: The Most Critical API Vulnerabilities
The OWASP API Security Top 10 defines the ten most critical security risks specific to API implementations — distinct from the web application OWASP Top 10. API1 Broken Object Level Authorization (BOLA) is the most prevalent API vulnerability, occurring when an API accepts a user-supplied object ID without verifying the requesting user is authorised to access that specific object. API2 Broken Authentication covers weak token implementation, missing rate limiting on authentication endpoints, and insecure token transmission. API3 Broken Object Property Level Authorization allows attackers to modify object properties they should not have access to. Threatstealth API Security provides specific detection and prevention controls for all ten OWASP API Security categories.
- API1 BOLA — detection of object ID enumeration attacks attempting to access data belonging to other users
- API2 Broken Authentication — rate limiting on auth endpoints and token validation enforcement
- API3 Property-level authorization — detection of mass assignment attacks attempting to modify restricted properties
- API4 Unrestricted Resource Consumption — per-endpoint resource usage limiting preventing API resource exhaustion
- API8 Security Misconfiguration — automated scanning for exposed debug endpoints, verbose error messages, and insecure headers
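To make the API1 and API3 failure modes above concrete, here is an added example (not Threatstealth code and not from the OWASP project) of a toy invoice endpoint written two ways: the vulnerable handler trusts the client-supplied object ID and copies every JSON key onto the object, while the hardened handler checks ownership of that specific object and allow-lists the properties a client may set. The store, users, invoice IDs and the `CLIENT_WRITABLE` set are constructed for the example.

```python
"""Added example: object-level authorization (API1 BOLA) and property-level
allow-listing (API3 mass assignment) on a toy invoice API. Not product code."""
from dataclasses import dataclass


@dataclass
class Invoice:
    id: int
    owner: str
    amount: float
    paid: bool = False      # server-controlled: only the payment flow may set this
    notes: str = ""         # client-controlled free text


def make_store():
    """Constructed sample data: two users' invoices in one shared table."""
    return {
        1001: Invoice(1001, "alice", 120.0),
        1002: Invoice(1002, "bob", 75.5),
    }


def get_invoice_vulnerable(store, requester, invoice_id):
    """API1 BOLA: the id comes from the client and ownership is never checked,
    so any authenticated user can read any invoice by guessing ids."""
    inv = store.get(invoice_id)
    return (200, inv) if inv else (404, None)


def get_invoice(store, requester, invoice_id):
    """Hardened: authorization is evaluated against the specific object.
    Missing and foreign ids both get 404, so the response does not confirm
    which ids exist (a 403 would leak that the object is there)."""
    inv = store.get(invoice_id)
    if inv is None or inv.owner != requester:
        return (404, None)
    return (200, inv)


# Assumed allow-list: the only property a client may write through this endpoint.
CLIENT_WRITABLE = {"notes"}


def update_invoice_vulnerable(store, requester, invoice_id, patch):
    """API3 mass assignment: every key in the JSON body is copied onto the
    object, including server-controlled fields such as `paid`."""
    inv = store.get(invoice_id)
    if inv is None:
        return (404, None)
    for key, value in patch.items():
        setattr(inv, key, value)
    return (200, inv)


def update_invoice(store, requester, invoice_id, patch):
    """Hardened: object-level check first, then reject any property that is
    not on the allow-list instead of silently ignoring it."""
    status, inv = get_invoice(store, requester, invoice_id)
    if status != 200:
        return (status, None)
    rejected = sorted(set(patch) - CLIENT_WRITABLE)
    if rejected:
        return (400, rejected)   # tell the caller which fields were refused
    for key, value in patch.items():
        setattr(inv, key, value)
    return (200, inv)
```

The hardened read path deliberately returns the same 404 for "does not exist" and "not yours"; this is the response shape that makes ID enumeration unproductive, and it is also what a WAF-side enumeration detector should expect to see in bulk from an attacker.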
API Schema Validation and OpenAPI Contract Enforcement
API schema validation enforces the contract defined in your OpenAPI specification at the WAF layer — rejecting any request that does not conform to the documented API contract before it reaches your application code. This provides two security benefits: it blocks requests that exploit undocumented endpoints or parameters (which are often overlooked in application-level input validation), and it creates an allow-list for valid API traffic that blocks unexpected payload structures used in injection and fuzzing attacks. Schema validation is configured by importing the OpenAPI 3.x specification for each protected API, after which the WAF enforces parameter types, required fields, allowed values, and request body schemas automatically.
- OpenAPI 3.x import — WAF schema validation configured directly from your API's OpenAPI specification file
- Parameter type enforcement — rejecting requests with incorrect parameter types, missing required fields, or unexpected values
- Request body validation — JSON and XML body schema enforcement preventing injection via malformed payload structures
- Undocumented endpoint blocking — requests to paths not defined in the OpenAPI specification rejected by default
- GraphQL query validation — depth limiting, complexity analysis, and field-level access control for GraphQL APIs
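The following added example (written for this page, not Threatstealth's validator) shows what contract enforcement at the WAF layer actually checks. It hand-codes a small subset of OpenAPI 3 (paths with `{id}` templates, query and path parameters with `type`, `enum` and `required`, and a JSON request body with `properties`, `required` and `additionalProperties: false`) and returns every violation for a request. The `SPEC` dictionary and the request values are constructed; a real deployment would import the full specification file and use a complete JSON Schema validator.

```python
"""Added example: OpenAPI-style request validation (subset). Not product code."""
import re

# Constructed OpenAPI 3 subset for a toy orders API.
SPEC = {
    "paths": {
        "/orders": {
            "get": {"parameters": [
                {"name": "status", "in": "query", "required": True,
                 "schema": {"type": "string", "enum": ["open", "shipped"]}},
                {"name": "limit", "in": "query", "required": False,
                 "schema": {"type": "integer"}},
            ]},
            "post": {"requestBody": {"content": {"application/json": {"schema": {
                "type": "object",
                "required": ["sku", "qty"],
                "properties": {"sku": {"type": "string"}, "qty": {"type": "integer"}},
                "additionalProperties": False,   # unexpected keys are a violation
            }}}}},
        },
        "/orders/{id}": {"get": {"parameters": [
            {"name": "id", "in": "path", "required": True, "schema": {"type": "integer"}},
        ]}},
    }
}

TYPE_CHECKS = {
    "string": lambda v: isinstance(v, str),
    "integer": lambda v: isinstance(v, int) and not isinstance(v, bool),
    "number": lambda v: isinstance(v, (int, float)) and not isinstance(v, bool),
    "boolean": lambda v: isinstance(v, bool),
    "object": lambda v: isinstance(v, dict),
    "array": lambda v: isinstance(v, list),
}


def _coerce(raw, typ):
    """Query and path values arrive as strings; convert per declared type.
    A value that cannot be converted is returned unchanged so the type check fails."""
    if typ == "integer":
        try:
            return int(raw)
        except (TypeError, ValueError):
            return raw
    if typ == "number":
        try:
            return float(raw)
        except (TypeError, ValueError):
            return raw
    if typ == "boolean" and raw in ("true", "false"):
        return raw == "true"
    return raw


def _match_path(spec_paths, path):
    """Match a concrete path against the documented templates; return (operations, path params)."""
    for template, ops in spec_paths.items():
        pattern = "^" + re.sub(r"\{(\w+)\}", r"(?P<\g<1>>[^/]+)", template) + "$"
        m = re.match(pattern, path)
        if m:
            return ops, m.groupdict()
    return None, {}


def _check_schema(value, schema, where, errors):
    typ = schema.get("type")
    if typ and not TYPE_CHECKS[typ](value):
        errors.append(f"{where}: expected {typ}")
        return
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{where}: not in {schema['enum']}")
    if typ == "object":
        props = schema.get("properties", {})
        for req in schema.get("required", []):
            if req not in value:
                errors.append(f"{where}.{req}: required")
        for key, sub in value.items():
            if key in props:
                _check_schema(sub, props[key], f"{where}.{key}", errors)
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{where}.{key}: undocumented property")


def validate_request(spec, method, path, query=None, body=None):
    """Return a list of contract violations; an empty list means the request conforms."""
    errors = []
    ops, path_params = _match_path(spec["paths"], path)
    if ops is None:
        return [f"{path}: undocumented path"]          # allow-list: unknown paths are rejected
    op = ops.get(method.lower())
    if op is None:
        return [f"{method} {path}: method not documented"]
    query = query or {}
    params = op.get("parameters", [])
    for p in params:
        source = path_params if p["in"] == "path" else query
        if p["name"] not in source:
            if p.get("required"):
                errors.append(f"{p['in']}.{p['name']}: required")
            continue
        value = _coerce(source[p["name"]], p["schema"].get("type"))
        _check_schema(value, p["schema"], f"{p['in']}.{p['name']}", errors)
    declared = {p["name"] for p in params if p["in"] == "query"}
    for extra in sorted(set(query) - declared):
        errors.append(f"query.{extra}: undocumented parameter")
    body_schema = (op.get("requestBody", {}).get("content", {})
                   .get("application/json", {}).get("schema"))
    if body_schema is not None:
        if body is None:
            errors.append("body: required")
        else:
            _check_schema(body, body_schema, "body", errors)
    elif body is not None:
        errors.append("body: not expected for this operation")
    return errors
```

Two behaviours matter for security rather than for mere correctness: an undocumented path or query parameter is a rejection, not a warning, and `additionalProperties: false` is what turns body validation into an allow-list, so a fuzzer cannot smuggle extra keys past the contract.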
API Abuse Detection and Automated Client Behaviour Analysis
API abuse — credential stuffing, scrapers, and automated vulnerability scanners — typically has recognisable behavioural fingerprints that differ from legitimate API client usage patterns. Threatstealth API Security analyses request rates, endpoint access patterns, error rates, session diversity, and token usage patterns to identify API clients exhibiting abuse characteristics. Machine learning models trained on legitimate API traffic baselines flag statistical outliers — clients accessing unusually many distinct object IDs (BOLA enumeration), clients with very high error rates (fuzzing or broken integrations), and clients with request patterns inconsistent with any documented API use case.
- Credential stuffing detection — high-rate authentication attempts against login or token endpoints from single or rotating IPs
- Enumeration attack detection — sequential or randomised object ID access patterns indicating BOLA enumeration
- Scanner identification — request patterns consistent with known API vulnerability scanners (Burp, OWASP ZAP, Nuclei)
- Anomaly scoring — per-client behavioural scoring surfacing statistical outliers from legitimate traffic baseline models
- Challenge and block response — step-up CAPTCHA challenge for borderline cases and hard block for confirmed abuse
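As an added illustration of the behavioural features described above (example code written for this page, not Threatstealth's models), the block below parses a constructed API access log, builds a per-client profile (request rate, error rate, distinct object IDs, sequential ID steps, failed logins) and applies simple threshold rules that flag BOLA enumeration, fuzzing-like error rates, and credential stuffing. The log format, the client addresses and the `THRESHOLDS` values are all assumptions for the example; a production system would learn the baselines from real traffic rather than fix them by hand.

```python
"""Added example: per-client behavioural scoring over an API access log. Not product code."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: one enumerating client, one credential stuffer, one normal integration.
SAMPLE_LOG = """\
2024-05-01T10:00:00 client=203.0.113.7 GET /api/invoices/1001 200
2024-05-01T10:00:01 client=203.0.113.7 GET /api/invoices/1002 404
2024-05-01T10:00:02 client=203.0.113.7 GET /api/invoices/1003 404
2024-05-01T10:00:03 client=203.0.113.7 GET /api/invoices/1004 404
2024-05-01T10:00:04 client=203.0.113.7 GET /api/invoices/1005 403
2024-05-01T10:00:05 client=203.0.113.7 GET /api/invoices/1006 404
2024-05-01T10:00:06 client=203.0.113.7 GET /api/invoices/1007 200
2024-05-01T10:00:07 client=203.0.113.7 GET /api/invoices/1008 404
2024-05-01T10:01:00 client=198.51.100.9 POST /api/auth/login 401
2024-05-01T10:01:01 client=198.51.100.9 POST /api/auth/login 401
2024-05-01T10:01:02 client=198.51.100.9 POST /api/auth/login 401
2024-05-01T10:01:03 client=198.51.100.9 POST /api/auth/login 401
2024-05-01T10:01:04 client=198.51.100.9 POST /api/auth/login 401
2024-05-01T10:01:05 client=198.51.100.9 POST /api/auth/login 401
2024-05-01T10:02:00 client=192.0.2.5 GET /api/invoices/2001 200
2024-05-01T10:02:30 client=192.0.2.5 GET /api/invoices/2001 200
2024-05-01T10:03:00 client=192.0.2.5 POST /api/orders 201
2024-05-01T10:03:10 client=192.0.2.5 GET /api/orders/31 200
""".splitlines()

LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
ID_RE = re.compile(r"/(\d+)(?=/|$)")           # numeric path segments are treated as object ids

# Assumed thresholds; a deployed system would derive these from traffic baselines.
THRESHOLDS = {
    "min_distinct_ids": 5,      # fewer distinct ids is not enumeration
    "sequential_fraction": 0.8, # share of id steps that are +/-1
    "error_rate": 0.5,          # 4xx/5xx share, evaluated once a client has >= 5 requests
    "auth_failures": 5,         # 401s on the login route
    "rps": 2.0,                 # average requests per second over the client's span
}


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["status"] = int(rec["status"])
    ids = ID_RE.findall(rec["path"])
    rec["object_id"] = int(ids[-1]) if ids else None
    rec["route"] = ID_RE.sub("/{id}", rec["path"])   # /api/invoices/1001 -> /api/invoices/{id}
    return rec


def profile_clients(lines):
    """Aggregate per-client features from raw log lines."""
    per = defaultdict(lambda: {"n": 0, "errors": 0, "ids": [], "auth_failures": 0,
                               "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        p = per[rec["client"]]
        p["n"] += 1
        p["errors"] += rec["status"] >= 400
        if rec["object_id"] is not None:
            p["ids"].append(rec["object_id"])
        if rec["route"] == "/api/auth/login" and rec["status"] == 401:
            p["auth_failures"] += 1
        p["first"] = min(p["first"] or rec["ts"], rec["ts"])
        p["last"] = max(p["last"] or rec["ts"], rec["ts"])
    return per


def score_client(p):
    """Return the list of abuse flags raised for one client profile."""
    flags = []
    span = max((p["last"] - p["first"]).total_seconds(), 1.0)
    if len(set(p["ids"])) >= THRESHOLDS["min_distinct_ids"]:
        steps = [b - a for a, b in zip(p["ids"], p["ids"][1:])]
        sequential = sum(1 for s in steps if abs(s) == 1) / max(len(steps), 1)
        if sequential >= THRESHOLDS["sequential_fraction"]:
            flags.append("enumeration")
    if p["n"] >= 5 and p["errors"] / p["n"] >= THRESHOLDS["error_rate"]:
        flags.append("high_error_rate")
    if p["auth_failures"] >= THRESHOLDS["auth_failures"]:
        flags.append("credential_stuffing")
    if p["n"] / span > THRESHOLDS["rps"]:
        flags.append("high_rate")
    return flags


def flag_abuse(lines):
    """Map each flagged client to its flags; unflagged clients are omitted."""
    return {client: flags for client, p in profile_clients(lines).items()
            if (flags := score_client(p))}
```

Note that the enumeration rule looks at the sequence of IDs rather than at the status codes alone: a client walking 1001, 1002, 1003 and collecting 404s is the signature of BOLA probing even when its request rate is modest, which is exactly why per-IP rate limiting on its own does not catch it.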
Per-Tenant Rate Limiting and API Traffic Analytics
API rate limiting in Threatstealth is configurable at multiple granularities — per-IP, per-authenticated-user, per-API-key, per-endpoint, and per-tenant — enabling precise traffic shaping for different API consumer types and protection against abuse at each level. Limits are defined as requests-per-second with configurable burst allowances that permit short traffic spikes from legitimate batch operations without triggering rate limit responses. API traffic analytics provide endpoint-level usage metrics, latency percentile distributions, error rate tracking, and security event counts — giving API owners both operational visibility and security intelligence in a single analytics interface.
- Per-IP rate limiting — request rate limits applied per source IP with configurable burst tolerance windows
- Per-user rate limiting — authenticated user request limits enforced via JWT or API key identity extraction
- Per-endpoint limits — different limits for high-risk endpoints (auth, payment) versus standard data endpoints
- Endpoint usage analytics — request volume, latency p50/p95/p99, and error rates per API endpoint
- Security event analytics — WAF blocks, rate limit responses, and schema validation rejections per endpoint
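The rate-limiting semantics described above (a sustained requests-per-second rate plus a burst allowance, applied independently per IP, per user, per endpoint and per tenant) map onto a token bucket per key. The added example below (illustrative code, not Threatstealth's implementation) evaluates every applicable dimension for a request and only spends tokens when all of them allow it, so a request refused by one dimension does not drain the others. The `POLICY` values, the client identifiers and the fake clock are constructed for the example.

```python
"""Added example: multi-dimension token-bucket rate limiting with burst. Not product code."""
from dataclasses import dataclass


@dataclass
class Limit:
    rate: float   # sustained requests per second (bucket refill rate)
    burst: int    # bucket capacity: how many requests a quiet client may send at once


@dataclass
class Bucket:
    tokens: float
    updated: float


# Assumed policy: a Limit applies to every value of that dimension; a dict applies
# per value (here per endpoint), and values without an entry are unlimited.
POLICY = {
    "ip": Limit(rate=5, burst=10),
    "user": Limit(rate=2, burst=4),
    "tenant": Limit(rate=50, burst=100),
    "endpoint": {"/auth/login": Limit(rate=1, burst=3)},   # high-risk route, tight limit
}


class FakeClock:
    """Deterministic clock so refill behaviour can be checked without sleeping."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


class RateLimiter:
    def __init__(self, policies, clock):
        self.policies = policies
        self.clock = clock
        self.buckets = {}

    def _limit_for(self, dim, value):
        pol = self.policies[dim]
        return pol if isinstance(pol, Limit) else pol.get(value)

    def _bucket(self, key, limit, now):
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(tokens=float(limit.burst), updated=now)
        else:
            elapsed = now - b.updated
            b.tokens = min(limit.burst, b.tokens + elapsed * limit.rate)   # refill, capped at burst
            b.updated = now
        return b

    def check(self, request):
        """Return (allowed, limiting_dimension). Tokens are consumed from every
        dimension only if all of them allow the request."""
        now = self.clock()
        to_charge = []
        for dim in self.policies:
            value = request.get(dim)
            if value is None:
                continue
            limit = self._limit_for(dim, value)
            if limit is None:
                continue
            b = self._bucket((dim, value), limit, now)
            if b.tokens < 1:
                return False, dim
            to_charge.append(b)
        for b in to_charge:
            b.tokens -= 1
        return True, None


def demo():
    """Scenario: a burst at the login endpoint, then the per-user limit binding on a data route."""
    clock = FakeClock()
    limiter = RateLimiter(POLICY, clock)
    login = {"ip": "203.0.113.7", "user": "alice", "tenant": "acme", "endpoint": "/auth/login"}
    orders = {"ip": "203.0.113.7", "user": "alice", "tenant": "acme", "endpoint": "/orders"}
    out = []
    for _ in range(4):                      # burst of 3 allowed, 4th refused by the endpoint bucket
        out.append(limiter.check(login))
    clock.t = 1.0                           # one second later: login bucket refills one token
    out.append(limiter.check(login))
    out.append(limiter.check(login))
    for _ in range(3):                      # user bucket has 2 tokens left, so the third is refused
        out.append(limiter.check(orders))
    return out
```

The check-then-charge split is the detail worth copying: if buckets were decremented as they were checked, a client blocked at the endpoint dimension would still be burning its per-user and per-IP allowance on every refused request.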