
Introducing API Security: Access Control Protection

By Daniel Cid (@danielcid) Posted in: noc-product, api-security, website-security

APIs power modern products, but they’re also prime targets for credential stuffing, token abuse, scraping, and volumetric misuse. NOC’s new API Security & Access Control brings authentication and authorization decisions to the edge — before traffic ever reaches origin — so you can protect sensitive endpoints, enforce least-privilege access, and keep latency low.


What’s Included

  • API key enforcement: Validate static keys in headers or query strings, with per-key rate limits and revocation.
  • JWT validation at the edge: Verify issuer, audience, signature (HS/RS/ES), and TTL; pass verified claims to origin via headers.
  • mTLS for service-to-service: Require client certificates for private APIs and partner integrations.
  • Allow/Deny controls: CIDR/IP allowlists, country blocks, user-agent and ASN controls.
  • Rate limiting & burst control: Global and per-identity (IP, key, sub, org) thresholds with sliding windows.
  • Schema & method enforcement: Restrict HTTP methods, paths, and payload size; optional OpenAPI-guided validation.
  • CORS & header policy: Strict control over origins, credentials, and caching of preflight.
  • Abuse & bot mitigation: Reputation feeds, TLS fingerprinting, and behavior-based challenges before origin.
  • Edge logging & analytics: High-fidelity request logs, allow/deny reasons, hit/miss, p95 latency, and policy drill-downs.

Why Edge-First API Protection

Blocking bad traffic after it hits origin wastes compute and invites lateral risk. By validating identity and intent at the edge, NOC reduces origin load, eliminates noisy logs, and gives you consistent controls across regions — critical for multi-cloud and hybrid setups.


Quick Examples

1) Require an API Key on /v1/private/* with Per-Key Limits

{
  "match": { "path": "/v1/private/*" },
  "auth":  { "type": "api_key", "in": "header", "name": "X-API-Key" },
  "limits": { "subject": "api_key", "rate": "300/m", "burst": 100 }
}

2) Validate JWT (RS256) and Pass Claims Upstream

{
  "match": { "path": "/v2/*", "methods": ["GET","POST"] },
  "auth": {
    "type": "jwt",
    "alg": "RS256",
    "jwks_url": "https://idp.example.com/.well-known/jwks.json",
    "aud": "api://example",
    "iss": "https://idp.example.com/"
  },
  "claims_to_headers": ["sub","org","scope"]
}
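What the JWT policy in example 2 has the edge do, as an added illustration and not NOC's own implementation: pin the algorithm, verify the signature, check iss, aud and exp, and only then map the listed claims to upstream headers. It uses HS256 with a shared key so it runs on the standard library alone (the page's policy uses RS256 via JWKS); the X-Claim-* header names, the rejection reasons and the mint_hs256 helper are assumptions of this example.

```python
import base64, hashlib, hmac, json, time

# Constructed policy mirroring example 2 above; alg swapped to HS256 (stdlib only)
POLICY = {
    "alg": "HS256",
    "iss": "https://idp.example.com/",
    "aud": "api://example",
    "claims_to_headers": ["sub", "org", "scope"],
}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def verify_jwt(token, key, policy, now=None):
    """Edge-style check: returns {'ok': bool, 'reason': str, 'headers': dict}."""
    now = time.time() if now is None else now
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        payload = json.loads(_b64url_decode(p_b64))
        sig = _b64url_decode(s_b64)
        if not (isinstance(header, dict) and isinstance(payload, dict)):
            raise ValueError("header and payload must be JSON objects")
    except (ValueError, TypeError):
        return {"ok": False, "reason": "malformed", "headers": {}}
    if header.get("alg") != policy["alg"]:  # policy pins alg; never trust the token's own (blocks alg=none)
        return {"ok": False, "reason": "alg_mismatch", "headers": {}}
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # signature before any claim logic
        return {"ok": False, "reason": "bad_signature", "headers": {}}
    if payload.get("iss") != policy["iss"]:
        return {"ok": False, "reason": "iss_mismatch", "headers": {}}
    aud = payload.get("aud")
    if policy["aud"] not in (aud if isinstance(aud, list) else [aud]):
        return {"ok": False, "reason": "aud_mismatch", "headers": {}}
    exp = payload.get("exp")  # TTL: exp is mandatory and must lie in the future
    if not isinstance(exp, (int, float)) or exp <= now:
        return {"ok": False, "reason": "expired", "headers": {}}
    # Only verified claims reach origin; the X-Claim-* names are an assumption of this example
    headers = {f"X-Claim-{c}": str(payload[c]) for c in policy["claims_to_headers"] if c in payload}
    return {"ok": True, "reason": "ok", "headers": headers}

def mint_hs256(payload, key):
    """Test helper standing in for the IdP; not something the edge would do."""
    h = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"
```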

3) mTLS for Partner Endpoints

{
  "match": { "path": "/partner/*" },
  "mtls":  { "required": true, "ca_bundle": "noc_ca_pool" },
  "limits": { "subject": "cert.fingerprint", "rate": "120/m" }
}

Getting Started: CDN Custom Rules API

The examples above show the policy structure — but how do you actually deploy them? NOC's CDN/WAF API lets you create custom rules via simple HTTP calls. Below are practical curl examples you can adapt for your own endpoints.

Replace YOUR_API_KEY with your NOC API key and example.com with your domain. Find your API key in the NOC dashboard under Account → API.

1) Rate Limiting an API Endpoint

Prevent abuse by capping the number of requests to a sensitive endpoint. This stops brute-force attacks, credential stuffing, and scraping before traffic reaches your origin.

# Rate limit /api/v1/login to 30 requests per IP per minute
curl "https://my.noc.org/api?apikey=YOUR_API_KEY\
&action=cdn/customrules/add\
&website=example.com\
&rule_type=max_requests\
&rule_name=rate-limit-login\
&url=/api/v1/login\
&value=30"

  • rule_type=max_requests: Sets the maximum allowed requests per IP per minute to the specified URL.
  • value: The request threshold (30 requests/minute in this example).

2) API Endpoint Protection (Bot Detection)

Enable api_protect on endpoints that handle sensitive data. This applies bot detection, TLS fingerprinting, and anomaly scoring at the edge — blocking automated abuse while letting legitimate traffic through.

# Enable API protection on /api/v2/ endpoints
curl "https://my.noc.org/api?apikey=YOUR_API_KEY\
&action=cdn/customrules/add\
&website=example.com\
&rule_type=api_protect\
&rule_name=protect-v2-api\
&url=/api/v2/"

rule_type=api_protect: Activates NOC's API protection system on the specified URLs, including bot detection and behavioral analysis.

3) Geo-Blocking High-Risk Regions

Reduce your attack surface by blocking traffic from countries where you have no users. This is especially useful for internal APIs and admin endpoints.

# Block Russia, North Korea, and Iran from the admin API
curl "https://my.noc.org/api?apikey=YOUR_API_KEY\
&action=cdn/customrules/add\
&website=example.com\
&rule_type=country_block\
&rule_name=geo-block-admin-api\
&url=/api/admin/\
&value=RU%20KP%20IR"

value: Space-separated 2-letter country codes (URL-encoded as %20). Common choices: RU (Russia), KP (North Korea), IR (Iran), CN (China). Use url=/ to apply the block site-wide.

4) Browser Verification on Login Pages

Force browser verification on sensitive pages to block automated bots and scripts. Real users pass the check transparently; bots are blocked.

# Require browser verification on the login page
curl "https://my.noc.org/api?apikey=YOUR_API_KEY\
&action=cdn/customrules/add\
&website=example.com\
&rule_type=browser_verify\
&rule_name=verify-login-page\
&url=/login"

5) Listing Your Custom Rules

Verify what's deployed by listing all custom rules for your site.

# List all custom rules for example.com
curl "https://my.noc.org/api?apikey=YOUR_API_KEY\
&action=cdn/customrules/list\
&website=example.com"

The response includes each rule's rule_name, rule_type, url, and configuration. Use the rule_name to delete rules.

6) Deleting and Updating Rules

There is no edit action — to update a rule, delete it by rule_name and re-add with the new configuration.

# Delete a rule by name
curl "https://my.noc.org/api?apikey=YOUR_API_KEY\
&action=cdn/customrules/delete\
&website=example.com\
&rule_name=rate-limit-login"

# Re-add with updated settings (lower threshold)
curl "https://my.noc.org/api?apikey=YOUR_API_KEY\
&action=cdn/customrules/add\
&website=example.com\
&rule_type=max_requests\
&rule_name=rate-limit-login\
&url=/api/v1/login\
&value=20"

Combining Multiple Protections

Real-world API security is about layering defenses. You can apply multiple rules to the same endpoint — they stack, so traffic must pass all of them. Here's how to protect a payment API with three layers:

# Layer 1: Rate limit — max 10 requests/min per IP
curl "https://my.noc.org/api?apikey=YOUR_API_KEY\
&action=cdn/customrules/add\
&website=example.com\
&rule_type=max_requests\
&rule_name=payment-rate-limit\
&url=/api/v1/payments/\
&value=10"

# Layer 2: Bot detection via API protect
curl "https://my.noc.org/api?apikey=YOUR_API_KEY\
&action=cdn/customrules/add\
&website=example.com\
&rule_type=api_protect\
&rule_name=payment-bot-protect\
&url=/api/v1/payments/"

# Layer 3: Geo-block high-risk countries
curl "https://my.noc.org/api?apikey=YOUR_API_KEY\
&action=cdn/customrules/add\
&website=example.com\
&rule_type=country_block\
&rule_name=payment-geo-block\
&url=/api/v1/payments/\
&value=CN%20RU%20KP%20IR%20VN%20NG"

With these three rules in place, any request to /api/v1/payments/ must:

  • Come from an allowed country (not geo-blocked)
  • Pass bot detection and behavioral analysis
  • Stay under the rate limit (10 req/min per IP)

This defense-in-depth approach means even if one layer is bypassed, the others still protect your endpoint. Use cdn/customrules/list to verify all rules are active, and check the CDN/WAF logs for block reasons and denied traffic patterns.
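To script the six actions above and the three-layer payment policy from one place, here is a small Python client. It is an added example, not an SDK from NOC, and relies only on the actions and parameters documented on this page (cdn/customrules/add, list and delete; rule_type, rule_name, url, value). It percent-encodes the space-separated country codes as %20, implements "update" as delete followed by re-add because the API has no edit action, and takes an injectable transport so the URL building can be checked without touching the network.

```python
from urllib.parse import quote, urlencode
from urllib.request import urlopen

NOC_API = "https://my.noc.org/api"

class NocRules:
    """Minimal client for NOC's cdn/customrules add/list/delete actions (example code)."""

    def __init__(self, api_key, website, http_get=None):
        self.api_key = api_key
        self.website = website
        # Injectable transport: a callable taking a URL and returning the response body.
        self.http_get = http_get or (lambda url: urlopen(url, timeout=10).read().decode())

    def _url(self, action, **params):
        q = {"apikey": self.api_key, "action": action, "website": self.website}
        q.update({k: v for k, v in params.items() if v is not None})
        # quote_via=quote encodes spaces as %20 (as in the page's country_block example), not "+";
        # safe="/" keeps the slashes in action names and URL paths literal.
        return f"{NOC_API}?{urlencode(q, quote_via=quote, safe='/')}"

    def add(self, rule_type, rule_name, url, value=None):
        return self.http_get(self._url("cdn/customrules/add", rule_type=rule_type,
                                       rule_name=rule_name, url=url, value=value))

    def list_rules(self):
        return self.http_get(self._url("cdn/customrules/list"))

    def delete(self, rule_name):
        return self.http_get(self._url("cdn/customrules/delete", rule_name=rule_name))

    def update(self, rule_type, rule_name, url, value=None):
        # No edit action exists: delete by name, then re-add with the new settings.
        self.delete(rule_name)
        return self.add(rule_type, rule_name, url, value)

    def protect_payments(self, path="/api/v1/payments/"):
        # The three stacked layers from the section above; returns the rule names applied, in order.
        self.add("max_requests", "payment-rate-limit", path, "10")
        self.add("api_protect", "payment-bot-protect", path)
        self.add("country_block", "payment-geo-block", path, "CN RU KP IR VN NG")
        return ["payment-rate-limit", "payment-bot-protect", "payment-geo-block"]
```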


Common Use Cases

  • Public APIs: Stop scraping and key abuse; throttle per-consumer; enforce CORS correctly.
  • Mobile & SPA backends: Validate JWTs at the edge; forward claims to microservices via headers.
  • Partner & B2B: Lock down by mTLS and CIDR; segment per-partner quotas and analytics.
  • Internal mesh & hybrid: Use mTLS between clusters and clouds; keep control planes consistent globally.

Best Practices

  • Prefer JWT with short TTLs and audience scoping; rotate keys frequently.
  • Set per-identity limits (key, sub, org) instead of only IP-based thresholds.
  • Separate admin and write endpoints; apply stricter auth and lower limits.
  • Cap payload sizes; block unexpected methods and content types by default.
  • Monitor deny reasons and near-limit traffic to tune policies safely.

Ready to lock down your APIs without slowing them down? Get in touch and we’ll help you deploy edge policies in minutes.
