Enforcing PII constraints (Beta)
To help you secure personally identifiable information (PII) in your traffic, our network inspects your API request and response payloads for values that look like PII. The network needs to know how deeply to look in your API data as well as how to respond to any PII it finds.
When PII constraint enforcement is enabled, the network doesn't trip the firewall action for any parameters containing PII that you defined as part of your API definition. If you decline the recommendation, the next time PII is found in that parameter, the firewall will trip.
What if there is a false positive?
You can exclude parameters you don't want the network to inspect for PII. You may choose to exclude parameters that contain a string of numbers that look like a credit card number but aren't actually a credit card number.
The following settings let you tell the network where in your API to look for unexpected PII.
| Enforcement options | Definition | What happens? |
|---|---|---|
| Scope | ||
| None | Do not enforce any constraints. | Lets all traffic through as if this feature is not in use. |
| API level | Inspect and enforce constraints for every resource and method in an API. | The action you set in your security policy applies. |
| Resource and method level | Inspect only specific resources per method in an API. | If triggered, the action you set in your security policy applies. |
| Parameters | ||
| Request and response | Inspect both request and response parameters for PII. | |
| Request only | Inspect only parameters in request payloads for PII. | |
| Response only | Inspect only parameters in response payloads for PII. | |
| PII types | ||
| All | Look in API payloads for all supported PII types. | |
| Specific | Designate which PII types to look for specifically. | Only email, credit card, and Social Security numbers are currently supported. |
| Action when detected | This is the action you set in your security policy. For example, Alert or Deny. | |
Updated over 1 year ago