The OpenAPI Specification (OAS) defines a standard, language-agnostic interface to RESTful APIs, which allows both humans and computers to discover and understand the capabilities of the service without access to source code, documentation, or through network traffic inspection.
If your API interfaces are implemented using OpenAPI, you can configure an OpenAPI Validation rule, and import a validation file which defines the data structure of the OpenAPI request, such as the request URL, the parameter names in the URL, the value of the parameters (string, integer, etc.), where are parameters submitted (URL, header, body, etc.), and so on.
The validation file specifies the scope for FortiWeb Cloud to scan against. For example, if request URLs are defined in the validation file, FortiWeb Cloud applies OpenAPI Validation rule only to the requests whose URLs match with the ones defined in the validation file, and take actions if they violate the data structure. For those requests whose URLs are not defined in the validation file, FortiWeb Cloud will skip the OpenAPI Validation rule and pass the requests to be scanned against other rules.
FortiWeb Cloud only supports OpenAPI 3.0.
The figure below shows how FortiWeb Cloud supports OpenAPI.
To configure an OpenAPI Validation rule
- Go to API PROTECTION > OpenAPI Validation.
You must have already enabled this module in Add Modules. See How to add or remove a module.
- Click + Create OpenAPI Validation Rule.
- In Edit OpenAPI Validation Rule dialog, click Choose File to upload a valid OpenAPI file. Make sure the OpenAPI file doesn't contain any structural error, otherwise the OpenAPI Validation Rule will not take effect.
It is RECOMMENDED you use Swagger Editor to generate your OpenAPI file, https://swagger.io/tools/swagger-editor/.
- Click OK.
The file title, description, server URL information will be listed in the table if any automatically. You can also click to edit, delete the file, or view the file details.
You can continue creating at most 10 OpenAPI Validation rules for an application.
- Select the action that FortiWeb Cloud takes when it detects a violation of the rule from the top right corner.
To configure the actions, you must first enable the Advanced Configuration in Global > Settings.
Accept the request and generate an alert email and/or log message.
Alert & Deny
Block the request (or reset the connection) and generate an alert email and/or log message.
Block the request (or reset the connection).
- Click SAVE.