Implements API threat protection using Google Apigee policies for JSON/XML threats, OAuth 2.0, SpikeArrest, regex protection, and Advanced API Security against OWASP Top 10 attacks.
Google Apigee是一个企业级API管理平台,提供原生安全策略用于威胁防护,包括JSON和XML内容验证、OAuth 2.0强制执行、SpikeArrest速率限制、正则表达式威胁防护,以及用于检测恶意客户端和API滥用模式的高级API安全(Advanced API Security)。Apigee作为反向代理运行,拦截所有API流量,在请求到达后端服务前应用安全策略,有效防御OWASP API安全Top 10威胁。
Google Apigee是一个企业级API管理平台,提供原生安全策略用于威胁防护,包括JSON和XML内容验证、OAuth 2.0强制执行、SpikeArrest速率限制、正则表达式威胁防护,以及用于检测恶意客户端和API滥用模式的高级API安全(Advanced API Security)。Apigee作为反向代理运行,拦截所有API流量,在请求到达后端服务前应用安全策略,有效防御OWASP API安全Top 10威胁。
通过限制结构深度、条目数量和字符串长度,防护基于JSON的拒绝服务攻击:
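<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- JSONThreatProtection: rejects a request body whose JSON structure exceeds
     the limits below, bounding parser memory and CPU against oversized or
     deeply nested payloads (JSON-based denial of service). The policy only
     inspects the message named in Source; the ProxyEndpoint decides, via a
     Content-Type condition, when it runs. The limit values are examples and
     must be tuned to the API's real schema: limits set too low reject
     legitimate requests, limits set too high protect nothing. -->
<JSONThreatProtection name="JSON-Threat-Protection-1">
  <DisplayName>JSON Threat Protection</DisplayName>
  <!-- Inspect the inbound request body, not the backend response. -->
  <Source>request</Source>
  <!-- Maximum characters in an object property name. -->
  <ObjectEntryNameLength>50</ObjectEntryNameLength>
  <!-- Maximum number of properties in a single object. -->
  <ObjectEntryCount>25</ObjectEntryCount>
  <!-- Maximum number of elements in a single array. -->
  <ArrayElementCount>100</ArrayElementCount>
  <!-- Maximum nesting depth of objects/arrays. This, not the name-length
       limit above, is the "depth" control. -->
  <ContainerDepth>5</ContainerDepth>
  <!-- Maximum characters in a single string value. -->
  <StringValueLength>500</StringValueLength>
</JSONThreatProtection>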
防御XML炸弹(XML Bomb)、XXE攻击和超大XML载荷:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- XMLThreatProtection: rejects a request body whose XML exceeds the name,
     value and structure limits below, bounding parser work against oversized
     or deeply nested documents. NOTE(review): the elements here configure
     size/structure limits only; whether DOCTYPE and entity handling (XML
     bomb, XXE) is refused by this policy or by the Apigee parser is not
     visible in this configuration and should be confirmed against the Apigee
     reference. The limit values are examples and must be tuned to the real
     schema (NodeDepth 5 and ChildCount 25 are tight for many SOAP payloads). -->
<XMLThreatProtection name="XML-Threat-Protection-1">
<DisplayName>XML Threat Protection</DisplayName>
<!-- Inspect the inbound request body, not the backend response. -->
<Source>request</Source>
<!-- Maximum length, in characters, of names. -->
<NameLimits>
<Element>50</Element>
<Attribute>50</Attribute>
<NamespacePrefix>20</NamespacePrefix>
<ProcessingInstructionTarget>50</ProcessingInstructionTarget>
</NameLimits>
<!-- Maximum length, in characters, of values. -->
<ValueLimits>
<Text>1000</Text>
<Attribute>500</Attribute>
<NamespaceURI>256</NamespaceURI>
<Comment>256</Comment>
<ProcessingInstructionData>256</ProcessingInstructionData>
</ValueLimits>
<!-- Structural limits: nesting depth and per-element fan-out. -->
<StructureLimits>
<NodeDepth>5</NodeDepth>
<AttributeCountPerElement>5</AttributeCountPerElement>
<NamespaceCountPerElement>3</NamespaceCountPerElement>
<ChildCount>25</ChildCount>
</StructureLimits>
</XMLThreatProtection>
检测请求参数中的SQL注入、XSS和其他注入模式:
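<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- RegularExpressionProtection: raises a fault when a request component
     matches one of the patterns below. This is a deny-list heuristic, not a
     parser: it reduces exposure to obvious injection payloads but does not
     replace parameterized queries and output encoding in the backend.
     Patterns are Java regular expressions; "(?i)" makes them case-insensitive
     so that "DROP TABLE" is caught as well as "drop table". A pattern that
     contains "<" must be written as "&lt;" inside XML element text, otherwise
     the policy file itself is not well-formed and fails to deploy. -->
<RegularExpressionProtection name="RegEx-Threat-Protection-1">
  <DisplayName>Regex Injection Protection</DisplayName>
  <Source>request</Source>
  <!-- Fail closed: an unresolvable variable is an error, not a silent skip. -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <!-- Query parameters. NOTE(review): name="*" is kept as configured here;
       confirm against the Apigee reference that a wildcard name is honoured
       for QueryParam and Header, otherwise list the names explicitly. -->
  <QueryParam name="*">
    <!-- SQL keyword pattern. "\bor\b" matches the bare word "or" and will
         reject ordinary text such as "cats or dogs"; drop it for free-text
         parameters. -->
    <Pattern>(?i)[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
    <!-- Script-tag (XSS) pattern; "<" and ">" are escaped for XML. -->
    <Pattern>(?i)[\s]*&lt;\s*script\b[^&gt;]*&gt;[^&lt;]+&lt;\s*/\s*script\s*&gt;</Pattern>
  </QueryParam>
  <!-- CR/LF in any request header value: header injection / response splitting. -->
  <Header name="*">
    <Pattern>[\r\n]</Pattern>
  </Header>
  <!-- Dot-dot segments in the request path: path traversal. -->
  <URIPath>
    <Pattern>(/\.\.)|(\.\./)</Pattern>
  </URIPath>
  <!-- JSON body. Each JSONPath carries the Expression that selects values and
       the Patterns applied to them. "$.*" selects top-level values only;
       nested objects need a deeper expression (e.g. "$..*"). -->
  <JSONPayload>
    <JSONPath>
      <Expression>$.*</Expression>
      <Pattern>(?i)[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update))</Pattern>
    </JSONPath>
  </JSONPayload>
</RegularExpressionProtection>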
防止流量峰值压垮后端服务:
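<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- SpikeArrest: smooths request bursts to protect the backend. It is not a
     quota; it enforces a short-window rate, per Identifier when one is set. -->
<SpikeArrest name="Spike-Arrest-1">
  <DisplayName>API Spike Arrest</DisplayName>
  <!-- 30 requests per second, smoothed by Apigee across the interval. -->
  <Rate>30ps</Rate>
  <!-- One bucket per verified client. "client_id" is populated by the
       Verify-OAuth-Token (OAuthV2 VerifyAccessToken) step that precedes this
       policy in the ProxyEndpoint. Keying on a raw request header such as
       x-api-key would hand every caller a fresh bucket per request simply by
       varying the header value, because nothing in the flow validates that
       header before this policy runs. -->
  <Identifier ref="client_id"/>
  <!-- MessageWeight intentionally omitted: a weight read from a request header
       (e.g. x-request-weight) is caller-chosen. If weighting is needed, take
       it from a variable the proxy sets itself (a flow condition or an app
       attribute), never from the client. -->
  <UseEffectiveCount>true</UseEffectiveCount>
</SpikeArrest>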
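<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- OAuthV2 / VerifyAccessToken: rejects the request unless it carries a
     valid, unexpired access token issued by Apigee with the required scope.
     On success Apigee populates flow variables (e.g. client_id) that later
     policies, such as a keyed SpikeArrest, can rely on. -->
<OAuthV2 name="Verify-OAuth-Token">
  <DisplayName>Verify OAuth 2.0 Access Token</DisplayName>
  <Operation>VerifyAccessToken</Operation>
  <!-- Tokens are minted and validated by Apigee itself. -->
  <ExternalAuthorization>false</ExternalAuthorization>
  <!-- Token location: by default VerifyAccessToken reads the
       "Authorization: Bearer <token>" request header, so no <AccessToken>
       element is needed. An <ExternalAccessToken> element belongs to
       external-token generation flows and does not configure where this
       operation reads the token; it is therefore not used here. -->
  <!-- NOTE(review): SupportedGrantTypes governs token generation and is
       understood to be ignored by VerifyAccessToken; it is kept only to
       document the issuing configuration. Confirm against the Apigee
       reference and drop it if it is not needed. -->
  <SupportedGrantTypes>
    <GrantType>authorization_code</GrantType>
    <GrantType>client_credentials</GrantType>
  </SupportedGrantTypes>
  <!-- Required scope(s). NOTE(review): confirm whether Apigee requires the
       token to hold all listed scopes or any one of them before relying on
       "read write" as a combined requirement. -->
  <Scope>read write</Scope>
  <!-- On failure the policy writes the error response itself instead of
       raising a fault for a FaultRule to handle. -->
  <GenerateResponse enabled="true"/>
</OAuthV2>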
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- VerifyAPIKey: validates the key presented in the x-api-key request header
     against the apps registered in the organization. An API key identifies
     the calling app; it is not a user credential and is sent in clear in
     every request, so protected operations should additionally require an
     OAuth token. The ProxyEndpoint on this page references Verify-OAuth-Token
     rather than this policy, so it only takes effect once added to a flow. -->
<VerifyAPIKey name="Verify-API-Key-1">
<DisplayName>Verify API Key</DisplayName>
<!-- Where the key is read from; a header is preferable to a query parameter,
     which would end up in access logs and browser history. -->
<APIKey ref="request.header.x-api-key"/>
</VerifyAPIKey>
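<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- apiproxy/proxies/default.xml
     ProxyEndpoint wiring for the security policies. Every request passes
     through PreFlow/Request in order; a policy fault stops the flow before
     the backend is reached. Policy names refer to policy files deployed with
     the proxy (CORS-Policy, Remove-Internal-Headers and Quota-Strict are not
     shown here). The file-path comment sits after the XML declaration
     because nothing may precede "<?xml ...?>" in a well-formed document. -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- Step 1: authenticate the caller (OAuth 2.0 access token). Runs
           first so the variables it sets (e.g. client_id) are available to
           the steps below. -->
      <Step>
        <Name>Verify-OAuth-Token</Name>
      </Step>
      <!-- Step 2: burst protection. Keep it after token verification only if
           its Identifier is a verified variable; an unkeyed SpikeArrest can
           be moved ahead of authentication to shed floods earlier. -->
      <Step>
        <Name>Spike-Arrest-1</Name>
      </Step>
      <!-- Step 3: payload threat protection, selected by Content-Type.
           "~~" is a Java-regex match. An exact-match condition such as
           request.header.Content-Type = "application/json" silently skips
           the check for common variants ("application/json; charset=utf-8",
           upper-case types, "application/xml"), leaving the body uninspected.
           A request that carries a body with no or an unexpected Content-Type
           still bypasses both steps; if the backend sniffs the body format,
           either run the checks unconditionally or reject such requests in a
           separate step. -->
      <Step>
        <Name>JSON-Threat-Protection-1</Name>
        <Condition>request.header.Content-Type ~~ "(?i)application/([^;]*[+])?json.*"</Condition>
      </Step>
      <Step>
        <Name>XML-Threat-Protection-1</Name>
        <Condition>request.header.Content-Type ~~ "(?i)(application|text)/([^;]*[+])?xml.*"</Condition>
      </Step>
      <!-- Step 4: injection-pattern screening of parameters, headers, path
           and body. -->
      <Step>
        <Name>RegEx-Threat-Protection-1</Name>
      </Step>
      <!-- Step 5: CORS enforcement. -->
      <Step>
        <Name>CORS-Policy</Name>
      </Step>
    </Request>
    <Response>
      <!-- Strip backend-internal headers before they reach the client. -->
      <Step>
        <Name>Remove-Internal-Headers</Name>
      </Step>
      <!-- Add defensive response headers. -->
      <Step>
        <Name>Add-Security-Headers</Name>
      </Step>
    </Response>
  </PreFlow>
  <Flows>
    <!-- Conditional flow: a stricter quota for admin and per-user sensitive
         paths; the PreFlow steps above have already run by this point. -->
    <Flow name="sensitive-operations">
      <Description>敏感端点的额外保护</Description>
      <Request>
        <Step>
          <Name>Quota-Strict</Name>
        </Step>
      </Request>
      <Condition>(proxy.pathsuffix MatchesPath "/admin/**") or
(proxy.pathsuffix MatchesPath "/users/*/sensitive")</Condition>
    </Flow>
  </Flows>
  <HTTPProxyConnection>
    <BasePath>/v1</BasePath>
    <!-- Bind only to the TLS virtual host. -->
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
</ProxyEndpoint>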
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- AssignMessage: hardens the outbound response by setting defensive headers
     and removing server-identifying ones. Attached to the PreFlow Response
     path so it applies to every proxied response. -->
<AssignMessage name="Add-Security-Headers">
<DisplayName>Add Security Response Headers</DisplayName>
<Set>
<Headers>
<!-- Stop browsers from MIME-sniffing the body into a different type. -->
<Header name="X-Content-Type-Options">nosniff</Header>
<!-- Refuse framing of API responses (legacy clickjacking control). -->
<Header name="X-Frame-Options">DENY</Header>
<!-- Pin HTTPS for one year including subdomains; only correct if every
     subdomain is served over TLS. -->
<Header name="Strict-Transport-Security">max-age=31536000; includeSubDomains</Header>
<!-- Keep potentially sensitive API responses out of shared caches. -->
<Header name="Cache-Control">no-store, no-cache, must-revalidate</Header>
<!-- API responses are never rendered; a deny-all CSP limits the damage if
     one is opened directly in a browser. -->
<Header name="Content-Security-Policy">default-src 'none'</Header>
<!-- Echo Apigee's per-message id so client reports can be correlated with
     proxy logs. -->
<Header name="X-Request-ID">{messageid}</Header>
</Headers>
</Set>
<Remove>
<Headers>
<!-- Drop backend fingerprinting headers. NOTE(review): whether the
     platform re-adds its own Server header downstream of this policy is
     not visible here; verify on a deployed response. -->
<Header name="X-Powered-By"/>
<Header name="Server"/>
</Headers>
</Remove>
<!-- Fail rather than emit a blank X-Request-ID if {messageid} is unset. -->
<IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
<!-- Modify the existing response message in place. -->
<AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
在Apigee X实例上启用高级API安全(Advanced API Security)附加组件,进行基于机器学习的威胁检测:
# Advanced API Security is an Apigee X add-on that scores traffic (ML-based
# abuse detection) and can enforce security actions at the edge.
# NOTE(review): verify each subcommand and flag below against the current
# `gcloud apigee` reference before use; the add-on and security actions can
# also be managed from the Apigee console or the Apigee Management API.
# $ORG_NAME, $ENV_NAME, $API_NAME and $REVISION are expected in the
# environment; they are left unquoted here as in the original.
# Enable Advanced API Security on the Apigee X organization
gcloud apigee organizations update $ORG_NAME \
--advanced-api-security-config=enabled
# List detected abuse alerts for the environment
gcloud apigee apis security-reports list \
--organization=$ORG_NAME \
--environment=$ENV_NAME
# Create a security action that denies traffic from the listed source IPs.
# The addresses below are constructed sample values (private ranges), not
# real indicators; blocking by IP is coarse and easily evaded, so treat it
# as a short-term containment step, not the primary control.
gcloud apigee security-actions create \
--organization=$ORG_NAME \
--environment=$ENV_NAME \
--action-type=DENY \
--condition-type=IP_ADDRESS \
--condition-values="192.168.1.100,10.0.0.50" \
--description="封锁已识别的恶意IP"
# Deploy the proxy revision that carries the security policies
gcloud apigee apis deploy \
--api=$API_NAME \
--environment=$ENV_NAME \
--revision=$REVISION \
--organization=$ORG_NAME
# Confirm which revision is live in each environment
gcloud apigee apis list-deployments \
--api=$API_NAME \
--organization=$ORG_NAME
Implements API threat protection with Google Apigee policies including JSON/XML threat protection, OAuth 2.0, SpikeArrest, and Advanced API Security for OWASP Top 10 defense.
Implements API threat protection using Google Apigee policies including JSON/XML threat protection, OAuth 2.0, SpikeArrest, and Advanced API Security for OWASP Top 10 defenses. Useful for securing APIs in Apigee environments.