How-To: Mitigating Risks for API Endpoints
Last updated: June 8, 2026
Hello! APIs are the backbone of modern applications, enabling services to communicate and share data. However, every endpoint represents a potential attack surface that can expose sensitive information if left unmonitored. We are here to help you identify these risks and implement effective mitigation strategies to harden your environment.
Prerequisites
An active Astra Dashboard account.
Your API assets added as Targets (refer to our guide on Setting up an API target).
(Recommended) Astra Traffic Collector installed to discover undocumented endpoints in real-time.
Instructions
1. Manage Decommissioned and Inactive APIs (Zombie & Orphan)
Zombie APIs are deprecated endpoints that remain accessible, while Orphan APIs are live endpoints no longer tied to an active service.
Audit Your Inventory: Continuously scan for APIs that are not being used and maintain an authoritative API catalog.
Establish a Deprecation Process: Communicate notices to clients in advance and provide clear migration paths (e.g., v1 → v2).
Disable Access: Block requests to retired APIs by returning 410 Gone or 404 Not Found.
Assign Ownership: Ensure every API has a responsible owner to manage its entire lifecycle from creation to decommissioning.
2. Eliminate Blind Spots (Shadow APIs)
Shadow APIs are undocumented or unapproved endpoints deployed outside the visibility of your security team.
Automated Discovery: Use Astra's API discovery and scanning tools to detect undocumented endpoints.
Enforce Governance: Require formal approval workflows for all new API deployments.
Mandatory Documentation: Make OpenAPI/Swagger documentation a strict prerequisite for any deployment.
3. Protect Personally Identifiable Information (PII)
Leaking PII can lead to heavy regulatory penalties (GDPR, HIPAA, CCPA) and reputational damage.
Identify Sensitive Endpoints: Use the dashboard to detect which endpoints return or process sensitive fields.
Redact or Mask Data: Do not expose unnecessary fields in responses (e.g., John Doe → J*** D***).
Enforce Strong Security: Apply TLS for data in transit, use strong encryption at rest, and protect endpoints with OAuth 2.0, JWT, or API keys.
4. Implement Rate Limiting
Without limits, attackers can abuse endpoints with brute-force or Denial-of-Service (DoS) attacks.
Enforce Request Limits: Set a maximum threshold (e.g., 100 requests/minute per user).
Use Proper Status Codes: Respond with 429 Too Many Requests when limits are exceeded.
Monitor Usage: Track anomalies in your access logs to identify and block potential abuse.
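As an added illustration (not Astra's code), a minimal gateway policy covering the Disable Access step in section 1 and the Enforce Request Limits, Use Proper Status Codes and Monitor Usage steps above: retired /v1/ paths get 410 Gone with a pointer to their /v2/ successor, each user gets a sliding 60-second window of 100 requests before a 429 with Retry-After, and refusals are counted per user for log review. The route prefixes, limit and window are assumed values.

```python
import time
from collections import Counter, defaultdict, deque

# Constructed example, not Astra's code. Retired prefix -> successor prefix,
# limit and window are assumed values; adjust them to your own API catalog.
RETIRED_PREFIXES = {"/v1/": "/v2/"}
LIMIT = 100      # requests per user per window
WINDOW = 60.0    # window length in seconds


class ApiPolicy:
    def __init__(self, limit=LIMIT, window=WINDOW, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = defaultdict(deque)  # user -> timestamps of recent requests
        self.refusals = Counter()        # user -> number of 429s, for log review

    def _retry_after(self, user, now):
        """Record the request; return 0 if allowed, else seconds until a slot frees."""
        q = self._hits[user]
        while q and now - q[0] >= self.window:  # drop hits outside the sliding window
            q.popleft()
        if len(q) >= self.limit:
            return int(self.window - (now - q[0])) + 1
        q.append(now)
        return 0

    def check(self, user, path):
        """Return (status, headers); 200 means the request may proceed."""
        for old, new in RETIRED_PREFIXES.items():
            if path.startswith(old):
                # Retired endpoint: refuse outright (no rate budget spent) and
                # point the client at the migration path from the deprecation notice.
                successor = new + path[len(old):]
                return 410, {"Link": f'<{successor}>; rel="successor-version"'}
        retry = self._retry_after(user, self.clock())
        if retry:
            self.refusals[user] += 1
            return 429, {"Retry-After": str(retry)}
        remaining = self.limit - len(self._hits[user])
        return 200, {"X-RateLimit-Remaining": str(remaining)}


if __name__ == "__main__":
    policy = ApiPolicy(limit=3, window=60.0)
    for _ in range(4):
        print(policy.check("alice", "/v2/users"))   # 200, 200, 200, then 429
    print(policy.check("alice", "/v1/users/7"))     # 410 Gone with successor link
    print(policy.refusals)                          # Counter({'alice': 1})
```

In a real deployment the `refusals` counter would be exported to your access logs or metrics so that repeated 429s from one user stand out as the anomaly the Monitor Usage step describes.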
Expected Outcome
By applying these strategies, you will significantly reduce your API attack surface and ensure that all live endpoints are governed, documented, and secured against common exploits. You can monitor your progress and updated Risk Scores directly on your API Endpoints page.
Best Practices & Tips
Visibility First: You cannot secure what you don’t know exists; always prioritize full inventory discovery.
Scan Behind Login: Configure your scanner to authenticate as different users to uncover vulnerabilities in restricted areas.
Automate Testing: Manual tracking cannot keep up with dynamic environments; integrate Astra scans into your CI/CD pipeline for continuous protection.
Prioritize by Risk: Use Astra's Risk Scoring (0–10 scale) to focus your remediation efforts on business-critical endpoints first.
Troubleshooting & Support
Undocumented APIs not appearing: Ensure your Traffic Collector is properly reachable and that your Scope URI includes all relevant hostnames.
Scanner blocked by Rate Limiting: If our scanner is being blocked during testing, consider whitelisting our Static IPs or adjusting the Scan Speed in your target settings.
Further Assistance: If you need help tailoring these strategies to your infrastructure, please raise a support ticket via the dashboard widget.