API security scoring


Last updated 2 months ago

API security scoring is a methodology used to evaluate the security and performance of APIs. This scoring mechanism assigns a health score (out of 100) to APIs based on multiple factors. The purpose of API security scoring is to ensure that APIs are secure, reliable, and perform efficiently. A higher score signifies a well-secured and high-performing API, whereas a lower score indicates potential vulnerabilities and performance bottlenecks.

API Score Calculation

The API score is determined based on the following key parameters:

1. Response Time

  • Definition: Measures how quickly an API responds to requests.

  • Impact on Score: Faster response times contribute to a higher API security score, while slower response times lower the score.

  • Best Practices:

  1. Optimize backend processing.

  2. Use caching mechanisms.

  3. Reduce unnecessary computations in API responses.

2. Error Ratio

  • Definition: Represents the frequency of errors encountered by the API.

  • Impact on Score:

  • A high ratio of error codes (4xx, 5xx) negatively affects the score.

  • A lower error rate (higher percentage of 200 status codes) improves the score.

  • Best Practices:

  1. Implement proper error handling.

  2. Reduce server crashes by optimizing code and database queries.

  3. Conduct regular API testing and monitoring.

3. HTTPS Support

  • Definition: Ensures secure encrypted communication between clients and the API.

  • Impact on Score: APIs using HTTPS receive a higher score, while those using HTTP are penalized.

  • Best Practices:

  1. Enforce HTTPS for all API endpoints.

  2. Obtain valid SSL/TLS certificates.

  3. Regularly update and renew certificates.

4. Content Encoding

  • Definition: Ensures that responses maintain data integrity and security.

  • Impact on Score: Incorrect or missing content encoding lowers the score.

  • Best Practices:

  1. Ensure proper response content-type headers (e.g., application/json, application/xml).

  2. Avoid returning responses with incorrect content types such as text/html unless explicitly needed.
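As an added worked example (not Prophaze's code: the documentation names the four parameters but does not publish weights or thresholds, so the weights, latency band, accepted content types and sample traffic below are assumptions), here is how the four parameters combine into a health score out of 100:

```python
# Added illustrative scorer; weights, thresholds and sample traffic are
# assumptions (Prophaze's documentation does not publish its formula).
from dataclasses import dataclass
from statistics import median

WEIGHTS = {"response_time": 30, "error_ratio": 30, "https": 25, "content_encoding": 15}
ACCEPTED_TYPES = {"application/json", "application/xml"}


@dataclass
class Observation:
    scheme: str        # "https" or "http"
    status: int        # HTTP status code
    latency_ms: float  # time to respond
    content_type: str  # response Content-Type header ("" if missing)


def component_scores(obs: list[Observation]) -> dict[str, float]:
    """Each component scores 0.0 (worst) to 1.0 (best)."""
    n = len(obs)
    med = median(o.latency_ms for o in obs)
    return {
        # Assumed linear band: <=100 ms full credit, >=1000 ms no credit.
        "response_time": max(0.0, min(1.0, (1000 - med) / 900)),
        # Share of responses that are not 4xx/5xx.
        "error_ratio": 1 - sum(o.status >= 400 for o in obs) / n,
        # Share of requests served over HTTPS; plain HTTP is penalized.
        "https": sum(o.scheme == "https" for o in obs) / n,
        # Share of responses declaring an accepted API type; text/html or
        # a missing header counts as incorrect content encoding.
        "content_encoding": sum(
            o.content_type.split(";")[0].strip().lower() in ACCEPTED_TYPES for o in obs
        ) / n,
    }


def api_health_score(obs: list[Observation]) -> int:
    """Weighted sum of the components, rounded to an integer out of 100."""
    parts = component_scores(obs)
    return round(sum(WEIGHTS[k] * parts[k] for k in WEIGHTS))


# Constructed sample traffic for one endpoint (not real data).
SAMPLE = [
    Observation("https", 200, 80, "application/json"),
    Observation("https", 200, 120, "application/json; charset=utf-8"),
    Observation("https", 500, 950, "text/html"),
    Observation("http", 404, 60, ""),
]

if __name__ == "__main__":
    print(component_scores(SAMPLE), api_health_score(SAMPLE))
```

With the sample above the endpoint scores 71: full credit for response time, but half the responses are errors, one request arrived over plain HTTP, and two responses carry a wrong or missing content type.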