wallarm/api-firewall
Fast and light-weight API proxy firewall for request and response validation by OpenAPI specs.
1B+
API Firewall is a high-performance proxy with API request and response validation based on OpenAPI/Swagger schema. It is designed to protect REST API endpoints in cloud-native environments. API Firewall provides API hardening with the use of a positive security model allowing calls that match a predefined API specification for requests and responses, while rejecting everything else.
The key features of API Firewall are:
The product is open source, available at DockerHub and already got 1 billion (!!!) pulls. To support this project, you can star the repository.
When starting API Firewall, you should provide the OpenAPI 3.0 specification of the application to be protected with API Firewall. The started API Firewall will operate as a reverse proxy and validate whether requests and responses match the schema defined in the specification.
The traffic that does not match the schema will be logged using the STDOUT
and STDERR
Docker services or blocked (depending on the configured API Firewall operation mode). When operating in the logging mode, API Firewall also logs so-called shadow API endpoints, those that are not covered in API specification but respond to requests (except for endpoints returning the code 404
).
OpenAPI 3.0 specification is supported and should be provided as a YAML or JSON file (.yaml
, .yml
, .json
file extensions).
By allowing you to set the traffic requirements with the OpenAPI 3.0 specification, API Firewall relies on a positive security model.
API Firewall works as a reverse proxy with a built-in OpenAPI 3.0 request and response validator. It's written in Golang and using fasthttp proxy. The project is optimized for extreme performance and near-zero added latency.
To download, install, and start API Firewall on Docker, see the instructions.
You can try API Firewall by running the demo environment that deploys an example application protected with API Firewall. There are two available demo environments:
When creating API Firewall, we prioritized speed and efficiency to ensure that our customers would have the fastest APIs possible. Our latest tests demonstrate that the average time required for API Firewall to process one request is 1.339 ms which is 66% faster than Nginx:
API Firewall 0.6.2 with JSON validation
$ ab -c 200 -n 10000 -p ./large.json -T application/json http://127.0.0.1:8282/test/signup
Requests per second: 13005.81 [#/sec] (mean)
Time per request: 15.378 [ms] (mean)
Time per request: 0.077 [ms] (mean, across all concurrent requests)
NGINX 1.18.0 without JSON validation
$ ab -c 200 -n 10000 -p ./large.json -T application/json http://127.0.0.1/test/signup
Requests per second: 7887.76 [#/sec] (mean)
Time per request: 25.356 [ms] (mean)
Time per request: 0.127 [ms] (mean, across all concurrent requests)
These performance results are not the only ones we have got during API Firewall testing. Other results along with the methods used to improve API Firewall performance are described in this Wallarm's blog article.
docker pull wallarm/api-firewall