implementing-api-threat-protection-with-apigee

使用Google Apigee策略实施API威胁防护,包括JSON/XML威胁防护、OAuth 2.0、SpikeArrest和高级API安全(Advanced API Security),防御OWASP Top 10攻击。

9 stars

Best use case

implementing-api-threat-protection-with-apigee is best used when you need a repeatable AI agent workflow instead of a one-off prompt.

使用Google Apigee策略实施API威胁防护,包括JSON/XML威胁防护、OAuth 2.0、SpikeArrest和高级API安全(Advanced API Security),防御OWASP Top 10攻击。

Teams using implementing-api-threat-protection-with-apigee should expect a more consistent output, faster repeated execution, less prompt rewriting.

When to use this skill

  • You want a reusable workflow that can be run more than once with consistent structure.

When not to use this skill

  • You only need a quick one-off answer and do not need a reusable workflow.
  • You cannot install or maintain the underlying files, dependencies, or repository context.

Installation

Claude Code / Cursor / Codex

$curl -o ~/.claude/skills/implementing-api-threat-protection-with-apigee/SKILL.md --create-dirs "https://raw.githubusercontent.com/killvxk/cybersecurity-skills-zh/main/skills/implementing-api-threat-protection-with-apigee/SKILL.md"

Manual Installation

  1. Download SKILL.md from GitHub
  2. Place it in .claude/skills/implementing-api-threat-protection-with-apigee/SKILL.md inside your project
  3. Restart your AI agent — it will auto-discover the skill

How implementing-api-threat-protection-with-apigee Compares

Feature / Agentimplementing-api-threat-protection-with-apigeeStandard Approach
Platform SupportNot specifiedLimited / Varies
Context Awareness High Baseline
Installation ComplexityUnknownN/A

Frequently Asked Questions

What does this skill do?

使用Google Apigee策略实施API威胁防护,包括JSON/XML威胁防护、OAuth 2.0、SpikeArrest和高级API安全(Advanced API Security),防御OWASP Top 10攻击。

Where can I find the source code?

You can find the source code on GitHub using the link provided at the top of the page.

SKILL.md Source

# 使用Apigee实施API威胁防护

## 概述

Google Apigee是一个企业级API管理平台,提供原生安全策略用于威胁防护,包括JSON和XML内容验证、OAuth 2.0强制执行、SpikeArrest速率限制、正则表达式威胁防护,以及用于检测恶意客户端和API滥用模式的高级API安全(Advanced API Security)。Apigee作为反向代理运行,拦截所有API流量,在请求到达后端服务前应用安全策略,有效防御OWASP API安全Top 10威胁。

## 前置条件

- 已预配Apigee组织的Google Cloud Platform账号
- 已配置Apigee X或Apigee hybrid环境
- 后端API服务已部署并可从Apigee访问
- 已安装并认证的Google Cloud CLI(gcloud)
- 目标API的OpenAPI规范
- 了解Apigee代理包(Proxy Bundle)结构

## 核心安全策略

### 1. JSON威胁防护

通过限制结构深度、条目数量和字符串长度,防护基于JSON的拒绝服务攻击:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<JSONThreatProtection name="JSON-Threat-Protection-1">
    <DisplayName>JSON Threat Protection</DisplayName>
    <Source>request</Source>
    <!-- JSON结构最大嵌套深度 -->
    <ObjectEntryNameLength>50</ObjectEntryNameLength>
    <ObjectEntryCount>25</ObjectEntryCount>
    <ArrayElementCount>100</ArrayElementCount>
    <ContainerDepth>5</ContainerDepth>
    <StringValueLength>500</StringValueLength>
</JSONThreatProtection>
```

### 2. XML威胁防护

防御XML炸弹(XML Bomb)、XXE攻击和超大XML载荷:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<XMLThreatProtection name="XML-Threat-Protection-1">
    <DisplayName>XML Threat Protection</DisplayName>
    <Source>request</Source>
    <NameLimits>
        <Element>50</Element>
        <Attribute>50</Attribute>
        <NamespacePrefix>20</NamespacePrefix>
        <ProcessingInstructionTarget>50</ProcessingInstructionTarget>
    </NameLimits>
    <ValueLimits>
        <Text>1000</Text>
        <Attribute>500</Attribute>
        <NamespaceURI>256</NamespaceURI>
        <Comment>256</Comment>
        <ProcessingInstructionData>256</ProcessingInstructionData>
    </ValueLimits>
    <StructureLimits>
        <NodeDepth>5</NodeDepth>
        <AttributeCountPerElement>5</AttributeCountPerElement>
        <NamespaceCountPerElement>3</NamespaceCountPerElement>
        <ChildCount>25</ChildCount>
    </StructureLimits>
</XMLThreatProtection>
```

### 3. 正则表达式威胁防护

检测请求参数中的SQL注入、XSS和其他注入模式:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<RegularExpressionProtection name="RegEx-Threat-Protection-1">
    <DisplayName>Regex Injection Protection</DisplayName>
    <Source>request</Source>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>

    <!-- SQL注入模式 -->
    <QueryParam name="*">
        <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update)|(\bor\b))</Pattern>
    </QueryParam>

    <!-- XSS模式 -->
    <QueryParam name="*">
        <Pattern>[\s]*&lt;\s*script\b[^&gt;]*&gt;[^&lt;]+&lt;\s*/\s*script\s*&gt;</Pattern>
    </QueryParam>

    <!-- 响应头注入 -->
    <Header name="*">
        <Pattern>[\r\n]</Pattern>
    </Header>

    <!-- URI路径遍历 -->
    <URIPath>
        <Pattern>(/\.\.)|(\.\./)</Pattern>
    </URIPath>

    <!-- JSON载荷注入 -->
    <JSONPayload>
        <JSONPath>$.*</JSONPath>
        <Pattern>[\s]*((delete)|(exec)|(drop\s*table)|(insert)|(shutdown)|(update))</Pattern>
    </JSONPayload>
</RegularExpressionProtection>
```

### 4. SpikeArrest策略

防止流量峰值压垮后端服务:

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SpikeArrest name="Spike-Arrest-1">
    <DisplayName>API Spike Arrest</DisplayName>
    <Rate>30ps</Rate> <!-- 每秒30个请求(平滑处理) -->
    <Identifier ref="request.header.x-api-key"/>
    <MessageWeight ref="request.header.x-request-weight"/>
    <UseEffectiveCount>true</UseEffectiveCount>
</SpikeArrest>
```

### 5. OAuth 2.0令牌验证

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<OAuthV2 name="Verify-OAuth-Token">
    <DisplayName>Verify OAuth 2.0 Access Token</DisplayName>
    <Operation>VerifyAccessToken</Operation>
    <ExternalAuthorization>false</ExternalAuthorization>
    <ExternalAccessToken>request.header.Authorization</ExternalAccessToken>
    <SupportedGrantTypes>
        <GrantType>authorization_code</GrantType>
        <GrantType>client_credentials</GrantType>
    </SupportedGrantTypes>
    <Scope>read write</Scope>
    <GenerateResponse enabled="true"/>
</OAuthV2>
```

### 6. API密钥验证

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyAPIKey name="Verify-API-Key-1">
    <DisplayName>Verify API Key</DisplayName>
    <APIKey ref="request.header.x-api-key"/>
</VerifyAPIKey>
```

## 代理包配置

### 完整安全代理流程

```xml
<!-- apiproxy/proxies/default.xml -->
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxyEndpoint name="default">
    <PreFlow name="PreFlow">
        <Request>
            <!-- 步骤1:验证API密钥或OAuth令牌 -->
            <Step>
                <Name>Verify-OAuth-Token</Name>
            </Step>
            <!-- 步骤2:速率限制 -->
            <Step>
                <Name>Spike-Arrest-1</Name>
            </Step>
            <!-- 步骤3:威胁防护 -->
            <Step>
                <Name>JSON-Threat-Protection-1</Name>
                <Condition>request.header.Content-Type = "application/json"</Condition>
            </Step>
            <Step>
                <Name>XML-Threat-Protection-1</Name>
                <Condition>request.header.Content-Type = "text/xml"</Condition>
            </Step>
            <!-- 步骤4:注入防护 -->
            <Step>
                <Name>RegEx-Threat-Protection-1</Name>
            </Step>
            <!-- 步骤5:CORS强制执行 -->
            <Step>
                <Name>CORS-Policy</Name>
            </Step>
        </Request>
        <Response>
            <!-- 从响应中移除内部头 -->
            <Step>
                <Name>Remove-Internal-Headers</Name>
            </Step>
            <!-- 添加安全响应头 -->
            <Step>
                <Name>Add-Security-Headers</Name>
            </Step>
        </Response>
    </PreFlow>

    <Flows>
        <Flow name="sensitive-operations">
            <Description>敏感端点的额外保护</Description>
            <Request>
                <Step>
                    <Name>Quota-Strict</Name>
                </Step>
            </Request>
            <Condition>(proxy.pathsuffix MatchesPath "/admin/**") or
                       (proxy.pathsuffix MatchesPath "/users/*/sensitive")</Condition>
        </Flow>
    </Flows>

    <HTTPProxyConnection>
        <BasePath>/v1</BasePath>
        <VirtualHost>secure</VirtualHost>
    </HTTPProxyConnection>

    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
</ProxyEndpoint>
```

### 安全响应头策略

```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage name="Add-Security-Headers">
    <DisplayName>Add Security Response Headers</DisplayName>
    <Set>
        <Headers>
            <Header name="X-Content-Type-Options">nosniff</Header>
            <Header name="X-Frame-Options">DENY</Header>
            <Header name="Strict-Transport-Security">max-age=31536000; includeSubDomains</Header>
            <Header name="Cache-Control">no-store, no-cache, must-revalidate</Header>
            <Header name="Content-Security-Policy">default-src 'none'</Header>
            <Header name="X-Request-ID">{messageid}</Header>
        </Headers>
    </Set>
    <Remove>
        <Headers>
            <Header name="X-Powered-By"/>
            <Header name="Server"/>
        </Headers>
    </Remove>
    <IgnoreUnresolvedVariables>false</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>
```

## 高级API安全

在Apigee X实例上启用高级API安全(Advanced API Security)附加组件,进行基于机器学习的威胁检测:

```bash
# 在Apigee X实例上启用高级API安全
gcloud apigee organizations update $ORG_NAME \
  --advanced-api-security-config=enabled

# 查看检测到的滥用告警
gcloud apigee apis security-reports list \
  --organization=$ORG_NAME \
  --environment=$ENV_NAME

# 创建安全动作以封锁可疑流量
gcloud apigee security-actions create \
  --organization=$ORG_NAME \
  --environment=$ENV_NAME \
  --action-type=DENY \
  --condition-type=IP_ADDRESS \
  --condition-values="192.168.1.100,10.0.0.50" \
  --description="封锁已识别的恶意IP"
```

## 部署

```bash
# 部署带安全策略的代理包
gcloud apigee apis deploy \
  --api=$API_NAME \
  --environment=$ENV_NAME \
  --revision=$REVISION \
  --organization=$ORG_NAME

# 验证部署
gcloud apigee apis list-deployments \
  --api=$API_NAME \
  --organization=$ORG_NAME
```

## 参考资料

- Apigee JSON威胁防护: https://cloud.google.com/apigee/docs/api-platform/reference/policies/json-threat-protection-policy
- Google Cloud Apigee安全最佳实践: https://cloud.google.com/architecture/best-practices-securing-applications-and-apis-using-apigee
- Apigee高级API安全: https://docs.cloud.google.com/apigee/docs/api-security
- Apigee OWASP API Top 10: https://docs.apigee.com/api-platform/faq/owasp-top-api-threats
- Wallarm Apigee安全策略指南: https://lab.wallarm.com/what/apigee-api-security-policies-howto/

Related Skills

tracking-threat-actor-infrastructure

9
from killvxk/cybersecurity-skills-zh

威胁行为者基础设施追踪涉及使用被动 DNS、证书透明度日志、Shodan/Censys 扫描、WHOIS 分析和网络指纹技术,对对手控制的 C2 服务器、钓鱼域名和暂存服务器等资产进行监控、映射和持续追踪

profiling-threat-actor-groups

9
from killvxk/cybersecurity-skills-zh

通过聚合 TTP 文档、历史活动数据、工具指纹和来自多个情报源的归因指标,为 APT 组织、犯罪组织和黑客活动组织开发全面的威胁行为者画像。适用于就行业特定威胁向管理层汇报、更新威胁模型假设,或针对特定对手优先部署防御控制措施。当涉及 MITRE ATT&CK 组织、Mandiant APT 画像、CrowdStrike 对手命名或行业特定威胁简报时激活。

performing-threat-modeling-with-owasp-threat-dragon

9
from killvxk/cybersecurity-skills-zh

使用 OWASP Threat Dragon 创建数据流图,运用 STRIDE 和 LINDDUN 方法论识别威胁,并生成威胁模型报告用于安全设计审查。

performing-threat-landscape-assessment-for-sector

9
from killvxk/cybersecurity-skills-zh

通过分析威胁行为者定向攻击模式、常见攻击向量和行业特定漏洞,开展行业特定威胁态势评估,为组织风险管理提供决策依据

performing-threat-intelligence-sharing-with-misp

9
from killvxk/cybersecurity-skills-zh

使用 PyMISP 在 MISP 平台上创建、丰富和共享威胁情报事件,包括 IOC 管理、情报源集成、STIX 导出及社区共享工作流

performing-threat-hunting-with-yara-rules

9
from killvxk/cybersecurity-skills-zh

使用 YARA 模式匹配规则在文件系统和内存转储中狩猎恶意软件、可疑文件和入侵指标。 涵盖规则编写、yara-python 扫描以及与威胁情报源的集成。

performing-threat-hunting-with-elastic-siem

9
from killvxk/cybersecurity-skills-zh

使用 KQL/EQL 查询、检测规则和 Timeline 调查在 Elastic Security SIEM 中执行主动威胁狩猎, 识别绕过自动检测的威胁。适用于 SOC 团队针对特定 ATT&CK 技术进行狩猎、调查异常行为, 或使用 Elasticsearch 和 Kibana Security 验证检测覆盖缺口。

performing-threat-emulation-with-atomic-red-team

9
from killvxk/cybersecurity-skills-zh

使用 atomic-operator Python 框架执行 Atomic Red Team 测试,进行 MITRE ATT&CK 技术验证。 从 YAML 原子测试加载测试定义、运行攻击模拟并验证检测覆盖率。适用于测试 SIEM 检测规则、 验证 EDR 覆盖率或开展紫队演练。

performing-insider-threat-investigation

9
from killvxk/cybersecurity-skills-zh

调查内部威胁事件,涉及滥用授权访问权限窃取数据、破坏系统或违反安全策略的员工、承包商或受信任合作伙伴。 结合数字取证、用户行为分析以及 HR/法务协调,构建基于证据的案例。适用于内部威胁调查、 员工数据盗窃、权限滥用、用户行为异常或内部威胁检测等请求场景。

performing-dark-web-monitoring-for-threats

9
from killvxk/cybersecurity-skills-zh

暗网威胁监控涉及系统性扫描 Tor 隐藏服务、地下论坛、粘贴站点和暗网市场,以识别针对组织的威胁,包括泄露凭据、数据泄露、威胁行为者讨论、漏洞利用工具和预谋攻击。

investigating-insider-threat-indicators

9
from killvxk/cybersecurity-skills-zh

调查内部威胁(Insider Threat)指标,包括数据渗漏(Data Exfiltration)尝试、未授权访问模式、 策略违规和离职前行为,结合 SIEM 分析、DLP 告警和 HR 数据关联进行调查。 适用于 SOC 团队收到 HR 内部威胁转介、检测到员工异常数据移动, 或需要为潜在内部威胁建立调查时间线时。

implementing-zero-trust-with-hashicorp-boundary

9
from killvxk/cybersecurity-skills-zh

使用 HashiCorp Boundary 实现具备动态凭据代理、会话录制和 Vault 集成的身份感知零信任基础设施访问管理。