{"id":13612910,"url":"https://github.com/wallarm/api-firewall","last_synced_at":"2025-05-14T10:12:38.892Z","repository":{"id":38413764,"uuid":"367224341","full_name":"wallarm/api-firewall","owner":"wallarm","description":"Fast and light-weight API proxy firewall for request and response validation by OpenAPI specs. ","archived":false,"fork":false,"pushed_at":"2025-04-01T11:11:58.000Z","size":1574,"stargazers_count":606,"open_issues_count":5,"forks_count":58,"subscribers_count":24,"default_branch":"main","last_synced_at":"2025-04-03T20:48:02.029Z","etag":null,"topics":["api","api-firewall","api-gateway","api-security","api-waf","api-wrapper","apigateway","firewall","openapi","openapi-security","openapi-spec","openapi-specification","proxy","rest-security","security","security-tools","swagger","waf","web-application-firewall","web-application-security"],"latest_commit_sha":null,"homepage":"https://wallarm.github.io/api-firewall/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/wallarm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-05-14T02:08:36.000Z","updated_at":"2025-04-01T04:58:54.000Z","dependencies_parsed_at":"2024-01-07T18:09:36.906Z","dependency_job_id":"f7d76109-6444-4006-9845-2dcc7b453a7f","html_url":"https://github.com/wallarm/api-firewall","commit_stats":{"total_commits":180,"total_committers":15,"mean_commits":12.0,"dds":0.6833333333333333,"last_synced_commit":"07225c8a1a354f72d4200c5187cf950d3600eafc"},"previous_names":[],"tags_count":29,"template":false,"template_full_name":null,"repository_ur
l":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wallarm%2Fapi-firewall","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wallarm%2Fapi-firewall/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wallarm%2Fapi-firewall/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/wallarm%2Fapi-firewall/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/wallarm","download_url":"https://codeload.github.com/wallarm/api-firewall/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248338385,"owners_count":21087207,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["api","api-firewall","api-gateway","api-security","api-waf","api-wrapper","apigateway","firewall","openapi","openapi-security","openapi-spec","openapi-specification","proxy","rest-security","security","security-tools","swagger","waf","web-application-firewall","web-application-security"],"created_at":"2024-08-01T20:00:36.365Z","updated_at":"2025-04-11T03:38:23.565Z","avatar_url":"https://github.com/wallarm.png","language":"Go","readme":"# Open Source API Firewall by Wallarm [![Black Hat Arsenal USA 2022](https://github.com/wallarm/api-firewall/blob/main/images/BHA2022.svg?raw=true)](https://www.blackhat.com/us-22/arsenal/schedule/index.html#open-source-api-firewall-new-features--functionalities-28038)\n\nAPI Firewall is a high-performance proxy with API request and response validation based on 
[OpenAPI](https://wallarm.github.io/api-firewall/installation-guides/docker-container/) and [GraphQL](https://wallarm.github.io/api-firewall/installation-guides/graphql/docker-container/) schemas. It is designed to protect REST and GraphQL API endpoints in cloud-native environments. API Firewall hardens APIs with a positive security model: it allows calls that match a predefined API specification for requests and responses and rejects everything else.\n\nThe **key features** of API Firewall are:\n\n* Secure REST and GraphQL API endpoints by blocking malicious requests\n* Stop API data breaches by blocking malformed API responses\n* Discover Shadow API endpoints\n* Validate JWT access tokens for OAuth 2.0 protocol-based authentication\n* Denylist compromised API tokens, keys, and Cookies\n* AllowIPList - Restrict access to endpoints by defining a list of allowed IP addresses\n* Wide Range Attacks Protection: The API Firewall supports ModSecurity Rules and OWASP ModSecurity Core Rule Set\n\nThe product is **open source**, is available at DockerHub, and has already got 1 billion (!!!) pulls. 
To support this project, you can star the [repository](https://hub.docker.com/r/wallarm/api-firewall).\n\n## Operating modes\n\nWallarm API Firewall offers several operating modes:\n\n* [`PROXY`](https://wallarm.github.io/api-firewall/installation-guides/docker-container/): validates HTTP requests and responses against OpenAPI 3.0 and proxies matching requests to the backend.\n* [`API`](https://wallarm.github.io/api-firewall/installation-guides/api-mode/): validates individual requests against OpenAPI 3.0 without further proxying.\n* [`graphql`](https://wallarm.github.io/api-firewall/installation-guides/graphql/docker-container/): validates HTTP and WebSocket requests against GraphQL schema and proxies matching requests to the backend.\n\n## Use cases\n\n### Running in blocking mode\n\n* Block malicious requests that do not match the specification\n* Block malformed API responses to stop data breaches and sensitive information exposure\n\n### Running in monitoring mode\n\n* Discover Shadow APIs and undocumented API endpoints\n* Log malformed requests and responses that do not match the specification\n\n## API schema validation and positive security model\n\nWhen starting API Firewall, you should provide the REST or GraphQL API specification of the application to be protected with API Firewall. The started API Firewall will operate as a reverse proxy and validate whether requests and responses match the schema defined in the specification.\n\nThe traffic that does not match the schema will be logged using the [`STDOUT` and `STDERR` Docker services](https://docs.docker.com/config/containers/logging/) or blocked (depending on the configured API Firewall operation mode). 
When operating in the logging mode on REST API, API Firewall also logs so-called shadow API endpoints: those that are not covered in the API specification but respond to requests (except for endpoints returning the code `404`).\n\n![API Firewall scheme](https://github.com/wallarm/api-firewall/blob/main/images/Firewall%20opensource%20-%20vertical.gif?raw=true)\n\nBy allowing you to set the traffic requirements with the API specification, API Firewall relies on a positive security model.\n\n## Technical data\n\n[API Firewall works](https://www.wallarm.com/what/the-concept-of-a-firewall) as a reverse proxy with a built-in OpenAPI 3.0 or GraphQL request and response validator. It is written in Golang and uses the fasthttp proxy. The project is optimized for extreme performance and near-zero added latency.\n\nDuring the processing of incoming requests, the API Firewall recognizes a range of `Content-Type` header values, including:\n\n* `application/json`\n* `application/xml`\n* `application/octet-stream`\n* `application/x-www-form-urlencoded`\n* `application/x-yaml`\n* `application/yaml`\n* `application/zip`\n* `multipart/form-data`\n* `text/csv`\n* `text/plain`\n* `+json` structured syntax suffixes\n* `+xml` structured syntax suffixes\n* `+yaml` structured syntax suffixes\n* `+csv` structured syntax suffixes\n\n## Starting API Firewall\n\nTo download, install, and start API Firewall on Docker, refer to:\n\n* [REST API guide](https://wallarm.github.io/api-firewall/installation-guides/docker-container/)\n* [GraphQL API guide](https://wallarm.github.io/api-firewall/installation-guides/graphql/docker-container/)\n\n## Demos\n\nYou can try API Firewall by running the demo environment that deploys an example application protected with API Firewall. 
There are two available demo environments:\n\n* [API Firewall demo with Docker Compose](https://github.com/wallarm/api-firewall/tree/main/demo/docker-compose)\n* [API Firewall demo with Kubernetes](https://github.com/wallarm/api-firewall/tree/main/demo/kubernetes)\n\n## Wallarm's blog articles related to API Firewall\n\n* [Discovering Shadow APIs with API Firewall](https://lab.wallarm.com/discovering-shadow-apis-with-a-api-firewall/)\n* [Wallarm API Firewall outperforms NGINX in a production environment](https://lab.wallarm.com/wallarm-api-firewall-outperforms-nginx-in-a-production-environment/)\n* [Securing REST APIs for free with OSS APIFW](https://lab.wallarm.com/securing-rest-with-free-api-firewall-how-to-guide/)\n\n## Performance\n\nWhen creating API Firewall, we prioritized speed and efficiency to ensure that our customers would have the fastest APIs possible. Our latest tests demonstrate that the average time required for API Firewall to process one request is 1.339 ms which is 66% faster than Nginx:\n\n```\nAPI Firewall 0.6.2 with JSON validation\n\n$ ab -c 200 -n 10000 -p ./large.json -T application/json http://127.0.0.1:8282/test/signup\n\nRequests per second:    13005.81 [#/sec] (mean)\nTime per request:       15.378 [ms] (mean)\nTime per request:       0.077 [ms] (mean, across all concurrent requests)\n\nNGINX 1.18.0 without JSON validation\n\n$ ab -c 200 -n 10000 -p ./large.json -T application/json http://127.0.0.1/test/signup\n\nRequests per second:    7887.76 [#/sec] (mean)\nTime per request:       25.356 [ms] (mean)\nTime per request:       0.127 [ms] (mean, across all concurrent requests)\n```\n\nThese performance results are not the only ones we have got during API Firewall testing. 
Other results, along with the methods used to improve API Firewall performance, are described in this [Wallarm blog article](https://lab.wallarm.com/wallarm-api-firewall-outperforms-nginx-in-a-production-environment/).\n","funding_links":[],"categories":["Smarty","Firewalls"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwallarm%2Fapi-firewall","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fwallarm%2Fapi-firewall","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fwallarm%2Fapi-firewall/lists"}