Implements API threat protection using Google Apigee policies for JSON/XML threats, OAuth 2.0, SpikeArrest, regex protection, and Advanced API Security against OWASP Top 10 attacks.
Google Apigee是一个企业级API管理平台,提供原生安全策略用于威胁防护,包括JSON和XML内容验证、OAuth 2.0强制执行、SpikeArrest速率限制、正则表达式威胁防护,以及用于检测恶意客户端和API滥用模式的高级API安全(Advanced API Security)。Apigee作为反向代理运行,在请求到达后端服务前对经由它的流量应用安全策略;因此后端必须只接受来自Apigee的流量(网络隔离或mTLS),否则直接访问后端即可绕过全部策略。这些策略可覆盖OWASP API安全Top 10中的多项威胁(如资源消耗、注入、认证缺失),但对象级与功能级授权(BOLA/BFLA)等业务授权缺陷仍需在后端实现,网关策略无法替代。
Implements API threat protection using Google Apigee policies including JSON/XML threat protection, OAuth 2.0, SpikeArrest, and Advanced API Security for OWASP Top 10 defenses. Useful for securing APIs in Apigee environments.
Implements API threat protection in Apigee using policies for JSON/XML validation, OAuth 2.0, SpikeArrest, regex threats, and OWASP Top 10 defenses. For securing APIs in GCP environments.
Implements security controls at API gateway layer (Kong, AWS API Gateway, Azure APIM, Apigee) including auth enforcement, rate limiting, request validation, IP whitelisting, TLS termination, threat protection. Secures microservices APIs before backend.
Google Apigee是一个企业级API管理平台,提供原生安全策略用于威胁防护,包括JSON和XML内容验证、OAuth 2.0强制执行、SpikeArrest速率限制、正则表达式威胁防护,以及用于检测恶意客户端和API滥用模式的高级API安全(Advanced API Security)。Apigee作为反向代理运行,在请求到达后端服务前对经由它的流量应用安全策略;因此后端必须只接受来自Apigee的流量(网络隔离或mTLS),否则直接访问后端即可绕过全部策略。这些策略可覆盖OWASP API安全Top 10中的多项威胁(如资源消耗、注入、认证缺失),但对象级与功能级授权(BOLA/BFLA)等业务授权缺陷仍需在后端实现,网关策略无法替代。
通过限制结构深度、条目数量和字符串长度,防护基于JSON的拒绝服务攻击。注意该策略只检查被附加条件命中的请求:下文代理流程中它以Content-Type为条件,条件不匹配的请求体不会被检查。
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Bounds the shape of inbound JSON so oversized or deeply nested payloads are
     rejected at the gateway before the backend parser sees them. Only the
     request side is inspected (Source=request). -->
<JSONThreatProtection name="JSON-Threat-Protection-1">
  <DisplayName>JSON Threat Protection</DisplayName>
  <Source>request</Source>
  <!-- Maximum length of an object key name -->
  <ObjectEntryNameLength>50</ObjectEntryNameLength>
  <!-- Maximum number of entries in any single object -->
  <ObjectEntryCount>25</ObjectEntryCount>
  <!-- Maximum number of elements in any single array -->
  <ArrayElementCount>100</ArrayElementCount>
  <!-- Maximum nesting depth of objects/arrays (the original comment for this
       limit was placed next to ObjectEntryNameLength by mistake) -->
  <ContainerDepth>5</ContainerDepth>
  <!-- Maximum length of any string value -->
  <StringValueLength>500</StringValueLength>
</JSONThreatProtection>
通过限制名称长度、取值长度和结构深度/宽度,防御XML炸弹(XML Bomb)和超大XML载荷。注意这些结构限制本身并不禁用DTD/外部实体解析,要真正防护XXE还需确认平台与后端解析器拒绝DOCTYPE或关闭外部实体解析。
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Caps name lengths, value lengths and structural fan-out of inbound XML so
     oversized or pathologically shaped documents are rejected at the gateway.
     NOTE(review): these are size/shape limits only. They do not by themselves
     disable DOCTYPE/external-entity resolution; for XXE also confirm that the
     platform and the backend parser reject DTDs. Only the request is inspected. -->
<XMLThreatProtection name="XML-Threat-Protection-1">
  <DisplayName>XML Threat Protection</DisplayName>
  <Source>request</Source>
  <!-- Maximum character length of each kind of name -->
  <NameLimits>
    <Element>50</Element>
    <Attribute>50</Attribute>
    <NamespacePrefix>20</NamespacePrefix>
    <ProcessingInstructionTarget>50</ProcessingInstructionTarget>
  </NameLimits>
  <!-- Maximum character length of each kind of value -->
  <ValueLimits>
    <Text>1000</Text>
    <Attribute>500</Attribute>
    <NamespaceURI>256</NamespaceURI>
    <Comment>256</Comment>
    <ProcessingInstructionData>256</ProcessingInstructionData>
  </ValueLimits>
  <!-- Maximum nesting depth and per-element fan-out -->
  <StructureLimits>
    <NodeDepth>5</NodeDepth>
    <AttributeCountPerElement>5</AttributeCountPerElement>
    <NamespaceCountPerElement>3</NamespaceCountPerElement>
    <ChildCount>25</ChildCount>
  </StructureLimits>
</XMLThreatProtection>
以正则黑名单检测查询参数、请求头、URI路径和JSON请求体中的SQL注入、XSS等常见注入模式。这只是纵深防御:黑名单容易被编码或变形绕过,后端仍必须使用参数化查询和输出编码;另外正则默认区分大小写,模式需自行处理大小写变体。
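<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Signature-based rejection of obviously hostile input. This is defence in
     depth only: the backend must still use parameterised queries and output
     encoding. Patterns are Java-style regexes and match case-sensitively unless
     the pattern says otherwise, so the keyword patterns carry (?i) - the
     original lower-case-only patterns let "DELETE" / "Drop Table" straight through. -->
<RegularExpressionProtection name="RegEx-Threat-Protection-1">
  <DisplayName>Regex Injection Protection</DisplayName>
  <Source>request</Source>
  <!-- false: an unresolvable variable is an error rather than silently skipped -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <!-- Query parameters: SQL keywords and inline script blocks. Both patterns live
       under one QueryParam instead of two duplicate name="*" entries.
       NOTE(review): confirm that name="*" is honoured as a wildcard by the
       runtime in use; if not, list each parameter/header explicitly. -->
  <QueryParam name="*">
    <Pattern>(?i)[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
    <!-- "<" and ">" must be XML-escaped inside element text; the original
         literal "<\s*script" made this policy file not well-formed. -->
    <Pattern>(?i)[\s]*&lt;\s*script\b[^&gt;]*&gt;[^&lt;]+&lt;\s*/\s*script\s*&gt;</Pattern>
  </QueryParam>
  <!-- CR/LF in any request header: blocks header-injection / response-splitting attempts
       (the original comment called this "response header injection"; it inspects the request) -->
  <Header name="*">
    <Pattern>[\r\n]</Pattern>
  </Header>
  <!-- Path traversal in the URI path. Only a literal "../" is caught; URL- or
       double-encoded forms (%2e%2e/) are not, so do not rely on this alone. -->
  <URIPath>
    <Pattern>(/\.\.)|(\.\./)</Pattern>
  </URIPath>
  <!-- SQL keywords in the JSON body. $.* covers top-level values only; values
       inside nested objects need additional JSONPath expressions. -->
  <JSONPayload>
    <JSONPath>$.*</JSONPath>
    <Pattern>(?i)[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update))</Pattern>
  </JSONPayload>
</RegularExpressionProtection>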
SpikeArrest平滑瞬时流量峰值,防止后端被压垮。它是限流(throttle)而不是配额(Quota):不按天/月累计每个客户端的用量,应与下文敏感端点上的Quota策略配合使用。
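<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Smooths bursts so the backend sees at most ~30 requests/second per client.
     SpikeArrest is a throttle, not a quota: it bounds instantaneous rate and
     keeps no per-client allowance over a day or month (use Quota for that).
     NOTE(review): the rate is commonly enforced per message processor rather
     than globally - confirm how it aggregates in this deployment. -->
<SpikeArrest name="Spike-Arrest-1">
  <DisplayName>API Spike Arrest</DisplayName>
  <Rate>30ps</Rate> <!-- 30 requests per second, smoothed -->
  <!-- Bucket per *authenticated* client. client_id is populated by the
       VerifyAccessToken (or VerifyAPIKey) step that runs before this policy.
       The original keyed on the raw x-api-key request header, which is never
       validated when the caller authenticates with a bearer token: a caller
       could vary that header per request and land in a fresh bucket each time. -->
  <Identifier ref="client_id"/>
  <!-- The original sourced MessageWeight from the x-request-weight request
       header, i.e. the caller chose its own weight. Dropped: if weighting is
       needed, compute it in the proxy (e.g. by path) and reference that
       trusted flow variable instead of a client-supplied header. -->
  <UseEffectiveCount>true</UseEffectiveCount>
</SpikeArrest>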
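<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Rejects the request unless it carries a valid Apigee-issued access token.
     VerifyAccessToken reads "Authorization: Bearer <token>" by default. The
     original ExternalAccessToken element only applies when ExternalAuthorization
     is true, so it was dead configuration and is dropped; SupportedGrantTypes
     governs token issuance (GenerateAccessToken) and has no effect on
     verification, so it is dropped too. -->
<OAuthV2 name="Verify-OAuth-Token">
  <DisplayName>Verify OAuth 2.0 Access Token</DisplayName>
  <Operation>VerifyAccessToken</Operation>
  <!-- Tokens are validated against Apigee's own token store -->
  <ExternalAuthorization>false</ExternalAuthorization>
  <!-- NOTE(review): with VerifyAccessToken, a token holding ANY one of the
       listed scopes is accepted (confirm against the platform docs), so a
       read-only token satisfies this check on write endpoints. Enforce the
       write scope on the specific flows that need it (a second OAuthV2 policy
       with <Scope>write</Scope>) rather than relying on this global check. -->
  <Scope>read write</Scope>
  <!-- Let the policy emit its own error response on failure -->
  <GenerateResponse enabled="true"/>
</OAuthV2>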
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Validates the consumer key sent in the x-api-key header against the
     registered developer apps. Reading the key from a header rather than a
     query parameter keeps it out of URL logs and referrers. An API key
     identifies the calling app; it is not end-user authentication and does not
     replace the OAuth check. This policy is not referenced by the ProxyEndpoint
     flow in this listing - attach it (or the OAuth policy) explicitly rather
     than assuming one of them runs. -->
<VerifyAPIKey name="Verify-API-Key-1">
  <DisplayName>Verify API Key</DisplayName>
  <!-- ref: flow variable holding the key -->
  <APIKey ref="request.header.x-api-key"/>
</VerifyAPIKey>
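<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- apiproxy/proxies/default.xml
     (moved below the XML declaration: nothing may precede <?xml ...?>) -->
<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <!-- Step 1: authenticate the caller. Runs first so later steps can use the
           client identity it resolves. Only the OAuth policy is attached here;
           the VerifyAPIKey policy in this listing is not wired in. -->
      <Step>
        <Name>Verify-OAuth-Token</Name>
      </Step>
      <!-- Step 2: burst throttling. Placed after auth, so unauthenticated floods
           still cost a token lookup each; move it ahead of auth if that becomes
           a problem (it must then key on something available pre-auth). -->
      <Step>
        <Name>Spike-Arrest-1</Name>
      </Step>
      <!-- Step 3: payload structure limits. Matched with a regex rather than
           exact equality: the original '= "application/json"' was skipped
           entirely for "application/json; charset=utf-8", and the XML check
           only fired for "text/xml", leaving application/xml and *+xml bodies
           uninspected. -->
      <Step>
        <Name>JSON-Threat-Protection-1</Name>
        <Condition>request.header.Content-Type ~~ "(?i)application/(json|[^;]*\+json)(;.*)?"</Condition>
      </Step>
      <Step>
        <Name>XML-Threat-Protection-1</Name>
        <Condition>request.header.Content-Type ~~ "(?i)(text|application)/(xml|[^;]*\+xml)(;.*)?"</Condition>
      </Step>
      <!-- NOTE(review): a body with any other (or no) Content-Type bypasses both
           checks; consider rejecting unexpected content types on endpoints
           that accept a body. -->
      <!-- Step 4: injection signatures -->
      <Step>
        <Name>RegEx-Threat-Protection-1</Name>
      </Step>
      <!-- Step 5: CORS (CORS-Policy is not defined in this listing) -->
      <Step>
        <Name>CORS-Policy</Name>
      </Step>
    </Request>
    <Response>
      <!-- Strip backend/internal headers (policy not defined in this listing) -->
      <Step>
        <Name>Remove-Internal-Headers</Name>
      </Step>
      <!-- Add security response headers -->
      <Step>
        <Name>Add-Security-Headers</Name>
      </Step>
    </Response>
  </PreFlow>
  <Flows>
    <Flow name="sensitive-operations">
      <Description>敏感端点的额外保护</Description>
      <Request>
        <!-- Stricter per-client quota for admin and sensitive paths
             (Quota-Strict is not defined in this listing) -->
        <Step>
          <Name>Quota-Strict</Name>
        </Step>
      </Request>
      <Condition>(proxy.pathsuffix MatchesPath "/admin/**") or
(proxy.pathsuffix MatchesPath "/users/*/sensitive")</Condition>
    </Flow>
  </Flows>
  <HTTPProxyConnection>
    <BasePath>/v1</BasePath>
    <VirtualHost>secure</VirtualHost>
  </HTTPProxyConnection>
  <RouteRule name="default">
    <TargetEndpoint>default</TargetEndpoint>
  </RouteRule>
  <!-- Fault responses (the 401 from Verify-OAuth-Token, the 4xx raised by the
       threat policies) do not pass through the PreFlow Response steps above, so
       without this rule error responses went out without the security headers
       and with any internal headers intact. AlwaysEnforce runs it for every fault. -->
  <DefaultFaultRule name="default-fault">
    <AlwaysEnforce>true</AlwaysEnforce>
    <Step>
      <Name>Remove-Internal-Headers</Name>
    </Step>
    <Step>
      <Name>Add-Security-Headers</Name>
    </Step>
  </DefaultFaultRule>
</ProxyEndpoint>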
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<!-- Hardens every response leaving the proxy: adds browser-side security
     headers and strips server-fingerprinting headers. Attached in the
     ProxyEndpoint PreFlow Response in this listing. -->
<AssignMessage name="Add-Security-Headers">
  <DisplayName>Add Security Response Headers</DisplayName>
  <Set>
    <Headers>
      <!-- Stop MIME sniffing of API responses -->
      <Header name="X-Content-Type-Options">nosniff</Header>
      <!-- Forbid framing (legacy header; CSP frame-ancestors is the modern equivalent) -->
      <Header name="X-Frame-Options">DENY</Header>
      <!-- One-year HSTS; includeSubDomains assumes every subdomain serves TLS -->
      <Header name="Strict-Transport-Security">max-age=31536000; includeSubDomains</Header>
      <!-- API responses may carry per-user data: never cache -->
      <Header name="Cache-Control">no-store, no-cache, must-revalidate</Header>
      <!-- Lock-down CSP suitable for an API that serves no active content -->
      <Header name="Content-Security-Policy">default-src 'none'</Header>
      <!-- Echo the gateway message id so clients can quote it in incident reports -->
      <Header name="X-Request-ID">{messageid}</Header>
    </Headers>
  </Set>
  <Remove>
    <Headers>
      <!-- Fingerprinting headers from the backend. NOTE(review): a downstream
           load balancer may re-add Server; verify at the client, not just here. -->
      <Header name="X-Powered-By"/>
      <Header name="Server"/>
    </Headers>
  </Remove>
  <!-- false: fail loudly if {messageid} is ever unresolved instead of emitting a blank header -->
  <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
  <!-- Modify the existing response message in place -->
  <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
在Apigee X实例上启用高级API安全(Advanced API Security)附加组件,进行基于机器学习的滥用检测。它是对上述策略的补充而非替代:策略在请求路径上即时拦截,而滥用检测是事后分析,需要人工或自动化的安全动作(Security Action)才能产生封锁效果:
# Enable Advanced API Security on the Apigee X organization.
# NOTE(review): the "organizations update --advanced-api-security-config",
# "apis security-reports" and "security-actions" commands below are reproduced
# from the original and were not verified against current gcloud; check
# `gcloud apigee --help` before relying on them (the add-on and security actions
# can also be managed through the Apigee REST API and console).
gcloud apigee organizations update $ORG_NAME \
--advanced-api-security-config=enabled
# List abuse detections raised for the environment
gcloud apigee apis security-reports list \
--organization=$ORG_NAME \
--environment=$ENV_NAME
# Create a security action that denies traffic from specific source IPs.
# The addresses here are RFC 1918 placeholders - replace them with the ones
# from the abuse report. Confirm which address the platform matches (true
# client IP vs. a load balancer / X-Forwarded-For hop) before blocking, or the
# rule will either miss the attacker or block shared infrastructure.
gcloud apigee security-actions create \
--organization=$ORG_NAME \
--environment=$ENV_NAME \
--action-type=DENY \
--condition-type=IP_ADDRESS \
--condition-values="192.168.1.100,10.0.0.50" \
--description="封锁已识别的恶意IP"
# Deploy the proxy revision that carries the policies above
gcloud apigee apis deploy \
--api=$API_NAME \
--environment=$ENV_NAME \
--revision=$REVISION \
--organization=$ORG_NAME
# Confirm the deployment landed
gcloud apigee apis list-deployments \
--api=$API_NAME \
--organization=$ORG_NAME