User Guide

Mobile API Protection

When a client accesses a web server from a mobile application, the Mobile API Protection module checks whether the request carries the JWT-token header and whether the carried token is valid, distinguishing the following three cases:

  • The request doesn't carry the JWT-token header;
  • The request carries the JWT-token header and the token is valid;
  • The request carries the JWT-token header and the token is invalid.

Based on the result of the token check and the request URL, FortiWeb Cloud takes the configured action to prevent potential attacks.

  1. Go to API Protection > Mobile API Protection.
    You must have already enabled this module in Add Modules. See How to add or remove a module.
  2. Configure these settings.

    Token Secret

    Enter the JWT-token secret that you get from the Approov platform.
    Refer to the Approov documentation for how to obtain it.

    Token Header

    Specify the request header that carries the JWT token.

    Request URL

    Type the URL used to match requests, such as /upload.php, or use wildcards to match multiple URLs, such as /folder1/* or /folder1/*/index.htm. The URL must begin with a slash ( / ).

  3. In the top right corner, select the action that FortiWeb Cloud takes when it detects a violation of the rule.
    To configure the actions, you must first enable Advanced Configuration in Global > System Settings > Settings.

    Alert

    Accept the request and generate an alert email and/or log message.

    Alert & Deny

    Block the request (or reset the connection) and generate an alert email and/or log message.

    Deny (no log)

    Block the request (or reset the connection).

  4. Click SAVE.
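The following Python model is an added illustration, not FortiWeb Cloud's or Approov's code, of the check this procedure configures: it looks up the configured Token Header, verifies the token against the Token Secret, sorts the request into the three cases listed above, and applies one of the three actions to requests whose path matches the Request URL pattern. The HS256 signing algorithm, the header name Approov-Token, the /api/* pattern, the secret, and the sample requests are all assumptions made for the demonstration; the page does not describe the module's internals, and a URL that does not match the rule is assumed here to be passed through untouched.

```python
# Added example, not FortiWeb Cloud's or Approov's code: a stand-alone model of
# the three-case JWT check described on this page. Assumptions (not from the page):
# HS256-signed tokens, the header name "Approov-Token", the URL pattern "/api/*",
# and the constructed secret and sample requests below.
import base64
import hashlib
import hmac
import json
import re
import time
from typing import Optional

TOKEN_SECRET = b"constructed-demo-secret-not-a-real-approov-secret"  # constructed value
TOKEN_HEADER = "Approov-Token"   # assumed header name; set to whatever the app sends
REQUEST_URL = "/api/*"           # page's wildcard syntax: '*' matches any characters
ACTION = "Alert & Deny"          # one of the three actions from step 3


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint a token the way the app side would; used here only to build sample input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_hs256(token: str, secret: bytes, now: Optional[float] = None) -> bool:
    """True only for a well-formed HS256 token with a matching MAC and an unexpired 'exp'."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm: a token claiming "none" or an asymmetric alg is rejected outright.
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return False
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time compare
            return False
        claims = json.loads(_b64url_decode(payload_b64))
        if not isinstance(claims, dict) or not isinstance(claims.get("exp"), (int, float)):
            return False
        current = time.time() if now is None else now
        return current < claims["exp"]
    except (ValueError, TypeError):  # bad base64, bad JSON, wrong segment count
        return False


def url_matches(pattern: str, path: str) -> bool:
    """Match a request path against the page's pattern syntax (literal text plus '*')."""
    if not pattern.startswith("/"):
        raise ValueError("Request URL pattern must begin with a slash")
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, path) is not None


def classify(headers: dict, path: str, now: Optional[float] = None) -> str:
    """Return 'missing', 'valid' or 'invalid' (the page's three cases) for a request
    that matches the URL rule, or 'unmatched' when the rule does not apply."""
    if not url_matches(REQUEST_URL, path):
        return "unmatched"
    lowered = {name.lower(): value for name, value in headers.items()}  # header names are case-insensitive
    token = lowered.get(TOKEN_HEADER.lower())
    if token is None:
        return "missing"
    return "valid" if verify_hs256(token, TOKEN_SECRET, now) else "invalid"


def enforce(headers: dict, path: str, now: Optional[float] = None) -> tuple:
    """Apply the configured action; returns (case, forwarded, logged).
    'missing' and 'invalid' are violations; an unmatched URL is assumed (not stated
    on the page) to be outside the rule and is passed through without logging."""
    case = classify(headers, path, now)
    if case in ("valid", "unmatched"):
        return case, True, False
    if ACTION == "Alert":
        return case, True, True
    if ACTION == "Alert & Deny":
        return case, False, True
    return case, False, False  # Deny (no log)


if __name__ == "__main__":
    clock = 1_700_000_000  # fixed clock so the sample run is reproducible
    good = sign_hs256({"sub": "demo-app", "exp": clock + 300}, TOKEN_SECRET)
    print(enforce({"Approov-Token": good}, "/api/upload", clock))   # ('valid', True, False)
    print(enforce({}, "/api/upload", clock))                        # ('missing', False, True)
    stale = sign_hs256({"sub": "demo-app", "exp": clock - 1}, TOKEN_SECRET)
    print(enforce({"Approov-Token": stale}, "/api/upload", clock))  # ('invalid', False, True)
```

Two details matter for a check like this in any gateway: the algorithm is pinned to the one the shared secret is meant for, so a token that names a different algorithm fails before its signature is even examined, and the signature comparison is constant-time. The `now` parameter exists only so the expiry check is deterministic for the sample run; in production the current time is used.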
