No SpikeArrest policy is applied

Severity
Medium
Applies to
Proxy
Links
CWE-770

Why This Issue Is Important

In an Apigee proxy, the SpikeArrest policy is critical for protecting your API from Denial-of-Service (DoS) attacks. DoS attacks are characterized by a high volume of requests sent to an API, potentially overwhelming the system and making it unavailable to legitimate users. The SpikeArrest policy limits the number of requests that can be processed by the API in a given period, thus mitigating the risk of such attacks.

Without the SpikeArrest policy, your API is vulnerable to automated or malicious traffic that could disrupt its normal operation, leading to unreliable system behavior and potential service outages.

How This Issue Is Detected

CodeSent scans the PreFlow configuration of the endpoint to identify the steps and policies applied during the request phase. The tool checks if a SpikeArrest policy is configured in the PreFlow's request steps. If no SpikeArrest policy is found, CodeSent flags this as a potential security risk.

How to Fix the Issue

To fix this issue, you should apply a SpikeArrest policy in the PreFlow of your API proxy. This will help limit the rate of incoming requests and protect your API from being overwhelmed by excessive traffic.

If your PreFlow currently does not have a SpikeArrest policy, you can add it like this:

<PreFlow name="PreFlow">
    <Request>
        <Step>
            <Name>SpikeArrest</Name>
        </Step>
        ...
    </Request>
    <Response/>
</PreFlow>

...

<SpikeArrest name="SpikeArrest">
    <Rate>30ps</Rate> <!-- Allow 30 requests per second -->
    <Identifier ref="flow_variable"/>
</SpikeArrest>
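As an added example (not CodeSent's code or Apigee's), the detection described above together with the fix, implemented in Python over a constructed ProxyEndpoint and policy set: a Step's Name only references a policy file, and Apigee records the policy type as the root element of that file, so the check resolves each PreFlow request step to its policy before testing the type. The policy names, the `has_spike_arrest` and `with_step_added` helpers and the sample XML are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: PreFlow has Quota and VerifyAPIKey steps but no SpikeArrest.
PROXY_ENDPOINT = """<ProxyEndpoint name="default">
  <PreFlow name="PreFlow">
    <Request>
      <Step><Name>Quota-1</Name></Step>
      <Step><Name>Verify-Key</Name></Step>
    </Request>
    <Response/>
  </PreFlow>
</ProxyEndpoint>"""

# Constructed policy files keyed by name; the root element is the policy type.
POLICIES = {
    "Quota-1": '<Quota name="Quota-1"><Interval>1</Interval></Quota>',
    "Verify-Key": '<VerifyAPIKey name="Verify-Key"/>',
    "SA-Default": '<SpikeArrest name="SA-Default"><Rate>30ps</Rate></SpikeArrest>',
}

def preflow_request_steps(proxy_xml: str) -> list[str]:
    """Policy names referenced by PreFlow/Request steps, in execution order."""
    root = ET.fromstring(proxy_xml)
    return [n.text.strip() for n in root.findall("./PreFlow/Request/Step/Name") if n.text]

def has_spike_arrest(proxy_xml: str, policies: dict[str, str]) -> bool:
    """True when some PreFlow request step resolves to a SpikeArrest policy.

    Step names are only references, so the type is read from the policy file's
    root tag; a step with no matching file is skipped (it protects nothing).
    """
    for name in preflow_request_steps(proxy_xml):
        xml = policies.get(name)
        if xml is not None and ET.fromstring(xml).tag == "SpikeArrest":
            return True
    return False

def with_step_added(proxy_xml: str, policy_name: str) -> str:
    """Apply the fix: make policy_name the first PreFlow request step."""
    root = ET.fromstring(proxy_xml)
    step = ET.Element("Step")
    ET.SubElement(step, "Name").text = policy_name
    root.find("./PreFlow/Request").insert(0, step)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    print("SpikeArrest present:", has_spike_arrest(PROXY_ENDPOINT, POLICIES))  # False
    fixed = with_step_added(PROXY_ENDPOINT, "SA-Default")
    print("after fix:", has_spike_arrest(fixed, POLICIES))  # True
```

Placing the step first matters in practice: a SpikeArrest that runs after an expensive policy still lets that policy absorb the burst.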