Enforcing PII constraints (Beta)

To help you secure personally identifiable information (PII) in your traffic, our network inspects your API request and response payloads for values that look like PII. The network needs to know how deeply to look in your API data as well as how to respond to any PII it finds.

When PII constraint enforcement is enabled, the network doesn't trip the firewall action for any parameters containing PII that you defined as part of your API definition. If you decline the recommendation, the next time PII is found in that parameter, the firewall will trip.

What if there is a false positive?

You can exclude parameters you don't want the network to inspect for PII. You may choose to exclude parameters that contain a string of numbers that look like a credit card number but aren't actually a credit card number.

The following settings let you tell the network where in your API to look for unexpected PII.

Enforcement optionsDefinitionWhat happens?
NoneDo not enforce any constraints.Lets all traffic through as if this feature is not in use.
API levelInspect and enforce constraints for every resource and method in an API.The action you set in your security policy applies.
Resource and method levelInspect only specific resources per method in an API.If triggered, the action you set in your security policy applies.
Request and responseInspect both request and response parameters for PII.
Request onlyInspect only parameters in request payloads for PII.
Response onlyInspect only parameters in response payloads for PII.
PII types
AllLook in API payloads for all supported PII types.
SpecificDesignate which PII types to look for specifically.Only email, credit card, and Social Security numbers are currently supported.
Action when detectedThis is the action you set in your security policy. For example, Alert or Deny.