Wallarm API Firewall is an open-source light-weighted proxy designed to protect REST API endpoints in cloud-native environments by hardening based on a strict OpenAPI/Swagger schema validation. Wallarm API Firewall relies on a positive security model allowing calls that match a predefined API specification for requests and responses, while rejecting everything else.
The key features of API Firewall are:
- Protect REST API endpoints by blocking requests and responses that do not match the OAS/Swagger schema
- Discover Shadow API endpoints
- If using OAuth 2.0 protocol-based authentication, validate access tokens
- Quick and easy deployment and configuration
- Customization of request and response processing modes, response codes and log format
The product is open source, available at DockerHub and already got 1 billion (!!!) pulls. To support this project, you can star the repository.
- Block abnormal requests and responses that do not match the OpenAPI 3.0 specification (if running API Firewall in the blocking mode)
- Discover Shadow APIs and undocumented endpoints (if running API Firewall in the logging mode)
- Log abnormal requests and responses that do not match the OpenAPI 3.0 specification (if running API Firewall in the logging mode)
When starting API Firewall, you should provide the OpenAPI 3.0 specification of the application to be protected with API Firewall. The started API Firewall will operate as a reverse proxy and validate whether requests and responses match the schema defined in the specification.
The traffic that does not match the schema will be logged using the STDOUT and STDERR Docker services or blocked (depending on the configured API Firewall operation mode). If operating in the logging mode and detecting the traffic on endpoints that are not included in the specification, API Firewall also logs these endpoints as the shadow ones (except for endpoints returning the code 404).
Provided API schema should be described using the OpenAPI 3.0 specification in the YAML or JSON file (.yaml, .yml, .json file extensions).
By allowing you to set the traffic requirements with the OpenAPI 3.0 specification, Wallarm API Firewall relies on a positive security model.
API Firewall works as a reverse proxy with a built-in OpenAPI 3.0 request and response validator. The validator is written in Go and optimized for extreme performance and near-zero added latency.
To download, install, and start Wallarm API Firewall on Docker, see the instructions.
You can try API Firewall by running the demo environment that deploys an example application protected with Wallarm API Firewall. There are two available demo environments:
- Discovering Shadow APIs with API Firewall
- Wallarm API Firewall outperforms NGINX in a production environment
When creating API Firewall, we prioritized speed and efficiency to ensure that our customers would have the fastest APIs possible. Our latest tests demonstrate that the average time required for API Firewall to process one request is 1.339 ms:
$ ab -c 200 -n 10000 -p ./large.json -T application/json http://127.0.0.1:8282/test/signup
Document Path: /test/signup
Document Length: 20 bytes
Concurrency Level: 200
Time taken for tests: 0.769 seconds
Complete requests: 10000
Failed requests: 0
Total transferred: 2150000 bytes
Total body sent: 283770000
HTML transferred: 200000 bytes
Requests per second: 13005.81 [#/sec] (mean)
Time per request: 15.378 [ms] (mean)
Time per request: 0.077 [ms] (mean, across all concurrent requests)
Transfer rate: 2730.71 [Kbytes/sec] received
360415.95 kb/s sent
363146.67 kb/s total
Connection Times (ms)
min mean[+/-sd] median max
Connect: 0 5 1.6 5 12
Processing: 2 10 5.4 9 59
Waiting: 2 8 5.2 7 56
Total: 3 15 5.7 14 68
Percentage of the requests served within a certain time (ms)
50% 14
66% 15
75% 16
80% 17
90% 18
95% 23
98% 36
99% 44
100% 68 (longest request)
These performance results are not the only ones we have got during API Firewall testing. Other results along with the methods used to improve API Firewall performance are described in this Wallarm's blog article.