When a client accesses a web server from a mobile application, the Mobile API Protection module checks whether the request carries the JWT-token header and, if it does, whether the token it carries is valid. This gives three cases:
- The request doesn't carry the JWT-token header;
- The request carries the JWT-token header and the token is valid;
- The request carries the JWT-token header and the token is invalid.
Based on the token check and the request URL, FortiWeb Cloud takes the configured action to avoid potential attacks.
- Go to API Protection > Mobile API Protection.
  You must have already enabled this module in Add Modules. See How to add or remove a module.
- Configure these settings:
  - Enter the JWT-token secret that you get from the Approov platform. Refer to the Approov documentation for how to get the token.
  - Indicate the header that carries the JWT-token in the request.
  - Type the URL used to match requests, such as /upload.php, or use wildcards to match multiple URLs, such as /folder1/*/index.htm. The URL must begin with a slash ( / ).
- Select the action that FortiWeb Cloud takes when it detects a violation of the rule from the top right corner. To configure the actions, you must first enable Advanced Configuration in Global > Settings.
  - Accept the request and generate an alert email and/or log message.
  - Alert & Deny: Block the request (or reset the connection) and generate an alert email and/or log message.
  - Block the request (or reset the connection).
- Click SAVE.
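To make the three cases and the URL-matching rule above concrete, here is an added example in Python of the check a module like this performs. It is not FortiWeb Cloud's or Approov's own code. It assumes the JWT is an HS256 token signed with the shared secret (the common Approov setup), that the header name is `Approov-Token`, that `*` in the URL pattern matches any run of characters, and that a token without an unexpired `exp` claim counts as invalid; the secret and sample requests are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from fnmatch import fnmatchcase

# Constructed demo secret; in a real deployment this is the secret obtained
# from the Approov platform and entered into the module's settings.
SECRET = b"constructed-demo-secret-not-a-real-approov-secret"
HEADER_NAME = "Approov-Token"            # assumed header name for the example
PROTECTED_URL = "/folder1/*/index.htm"   # wildcard pattern, as in the page's example


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    # Restore the padding that JWTs strip.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_token(claims: dict, secret: bytes = SECRET) -> str:
    """Mint an HS256 JWT. Only used here to construct sample requests."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_token(token: str, secret: bytes = SECRET, now=None) -> bool:
    """True only for a well-formed HS256 JWT with a valid signature and an unexpired 'exp'."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":
            return False  # refuse 'none' and any algorithm other than the expected one
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return False
        payload = json.loads(_b64url_decode(payload_b64))
        exp = payload.get("exp")
        now = time.time() if now is None else now
        return isinstance(exp, (int, float)) and now < exp
    except (ValueError, UnicodeDecodeError):
        # Malformed base64, JSON, or wrong number of segments: treat as invalid.
        return False


def url_matches(pattern: str, path: str) -> bool:
    """Wildcard URL match; '*' stands for any run of characters (an assumption)."""
    if not pattern.startswith("/"):
        raise ValueError("URL pattern must begin with a slash")
    return fnmatchcase(path, pattern)


def classify(path: str, headers: dict, now=None) -> str:
    """Map a request onto the page's three cases, or 'not_matched' if the URL rule does not apply."""
    if not url_matches(PROTECTED_URL, path):
        return "not_matched"
    token = headers.get(HEADER_NAME)
    if token is None:
        return "missing"
    return "valid" if verify_token(token, now=now) else "invalid"


if __name__ == "__main__":
    # Constructed sample requests covering the three cases.
    good = make_token({"exp": 2_000_000_000})
    forged = make_token({"exp": 2_000_000_000}, secret=b"wrong-secret")
    print(classify("/folder1/app/index.htm", {HEADER_NAME: good}, now=1_000_000))
    print(classify("/folder1/app/index.htm", {}))
    print(classify("/folder1/app/index.htm", {HEADER_NAME: forged}))
```

`classify` only reports the case; which of the configured actions (alert, alert and deny, deny) applies to the "missing" and "invalid" cases is the policy choice made in the module's action setting, so the example keeps detection separate from enforcement.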