API governance rules let you block access to your APIs from abusers, add informational HTTP headers, and more, based on customer behavior and request parameters.
Because governance rules are driven by API usage data, you can create sophisticated rules based on user behavior, such as automatically blocking users who received too many 401 Unauthorized errors or stopping someone from scraping an abnormally large amount of data.
Accessing Governance Rules
To access API governance rules, click Alerting & Governance and then select Security & Governance.
Types of rules
A user rule is applied to all users who are members of a behavioral cohort. You can create behavioral cohorts that match any criteria and behavior, such as API access patterns, customer demographics, and more.
Examples of ways to leverage user rules include:
- “Block users with many 401 unauthorized errors in last 7 days”
- “Block users who accessed over 100 items in an hour”
You can also add regex criteria so your rule only applies to specific requests.
A company rule is very similar to a user rule except that it blocks an entire company. If a request matches both a user rule and a company rule, the user rule takes priority. Examples of ways to leverage company rules include:
- “Block companies with overdue invoices”
- “Block companies who exceeded plan quotas”
Like user rules, company rules can also carry regex criteria so the rule only applies to specific requests.
Unlike user and company rules, regex rules apply to all API requests regardless of whether the request was authenticated. This enables blocking or applying governance for specific URIs, status codes, and more. Examples of regex rules include:
- “Add an X-API-Warn deprecation header for all requests to /v1/old”
- “Block all requests to
Creating a rule
To create a new rule, select Add User Rule or Add Company Rule if you want to block specific customers based on their behavior. If you want to govern based on request info alone, regardless of customer behavior (for example, unauthenticated requests), select Regex Rule.
Let’s walk through an example creating a company rule to block API access to companies with overdue invoices or cancelled subscriptions. We also want to let them know that they are blocked due to their subscription being paused.
Apply To Companies/Users
These are the saved cohorts that you want to apply the rule to.
A saved cohort is a dynamic list of users (or companies) that performed some behavior, in terms of API calls and user actions. You can also match on any custom metadata you store with the profiles, such as subscription or billing info. New cohorts can be created from the user lookup or company lookup panel.
By default, the rule applies to all requests from customers in your target cohorts. You can selectively enable the rule for specific requests by adding regex criteria, such as a specific URI.
Blocking vs Non-blocking
If a rule is blocking, Moesif actively blocks the customer’s requests before they reach your upstream service. Moesif also overrides the response HTTP status and body with whatever the rule is configured to return.
If a rule is non-blocking, the request still continues to your upstream service. Moesif only overrides the configured HTTP response headers and leaves the body and status code untouched (passthrough).
Override Response Status
If the rule is blocking, this lets you override the response status, such as an error code. In this example, we set it to 429 Payment Required.
Override Response Headers
You can override any number of HTTP response headers. If a header was already set by the upstream service, Moesif overrides the existing value; otherwise, Moesif adds the header.
Override Response Body
If the rule is blocking, you can override the body that is returned to the client. The body supports merge tags from the user or company profile. In our example, we add an error message explaining to the user why they are blocked, and we mention which plan they are on that has overdue invoices.
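To make the rule semantics above concrete (user rules beating company rules, regex rules matching unauthenticated traffic, blocking rules replacing status and body while non-blocking rules only touch headers, and merge tags in the body), here is a small constructed simulation. It is added example code, not Moesif's implementation or API; the `Rule`/`Request` types, the `{{plan}}` merge-tag syntax and the status code 402 are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import Callable, Optional

# Hypothetical simulation of the governance-rule semantics described on this page.

@dataclass
class Rule:
    scope: str                       # "user", "company" or "regex"
    blocking: bool
    cohort: frozenset = frozenset()  # ids in the saved cohort (unused for regex rules)
    uri_regex: Optional[str] = None  # optional regex criteria narrowing the rule
    status: Optional[int] = None     # overridden response status (blocking rules only)
    headers: dict = field(default_factory=dict)
    body: Optional[str] = None       # may contain {{merge_tags}} filled from the profile

@dataclass
class Request:
    uri: str
    user_id: Optional[str] = None    # None for unauthenticated requests
    company_id: Optional[str] = None
    profile: dict = field(default_factory=dict)  # user/company profile for merge tags

PRIORITY = {"user": 0, "company": 1, "regex": 2}  # user rules take priority over company rules

def matches(rule: Rule, req: Request) -> bool:
    if rule.uri_regex and not re.search(rule.uri_regex, req.uri):
        return False
    if rule.scope == "user":
        return req.user_id in rule.cohort
    if rule.scope == "company":
        return req.company_id in rule.cohort
    return True  # regex rules apply whether or not the request is authenticated

def render(template: str, profile: dict) -> str:
    """Replace {{key}} merge tags with values from the profile (assumed syntax)."""
    return re.sub(r"\{\{(\w+)\}\}", lambda m: str(profile.get(m.group(1), "")), template)

def govern(rules, req: Request, upstream: Callable[[Request], tuple]):
    """Return (blocked, status, headers, body) for one request."""
    matched = sorted((r for r in rules if matches(r, req)), key=lambda r: PRIORITY[r.scope])
    blocking = [r for r in matched if r.blocking]
    if blocking:   # blocked before upstream is called; status and body come from the winning rule
        top = blocking[0]
        status, headers, body = top.status, {}, render(top.body or "", req.profile)
    else:          # non-blocking: upstream still answers; only headers are overridden
        status, headers, body = upstream(req)
        headers = dict(headers)
    for r in reversed(matched):      # merge headers so the highest-priority rule wins
        headers.update(r.headers)
    return bool(blocking), status, headers, body
```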