API Firewall Changelog¶

This page describes new releases of Wallarm API Firewall.

v0.7.0 (2024-04-03)¶

Added IP allowlisting support in the API mode
Added support for subnets in allowlisted IP file and IP address validation during the file upload
Added support for a new SQLite database structure (V2) in the API mode of the API Firewall. This version adds a status field to track specifications as new (unprocessed by the firewall) or applied (processed).

For backward compatibility, the APIFW_API_MODE_DB_VERSION environment variable has been added - it defaults to attempting to parse the database as V2; if unsuccessful, it falls back to previous format (V1).
Added the following default response from the API Firewall to GraphQL requests that do not match a provided API schema:
```
{
  "errors": [
    {
      "message":"invalid query"
    }
  ]
}
```
Introduced the new environment variable to limit the number of queries that can be batched together in a single GraphQL request, APIFW_GRAPHQL_BATCH_QUERY_LIMIT
Upgraded Go up to 1.21 and some other dependencies

Added IP allowlisting, enabling secure access to backends by allowing only requests from predefined IP addresses for both REST and GraphQL APIs. This update ensures requests from allowlisted IPs are validated against the OpenAPI specification 3.0, with non-allowlisted IP requests being rejected with a 403 error code. Thanks for PR #76 contributors. Read more
Fixed the processing issues of the HEAD request type in the api mode
Improved log messages by adding host and path parameters, providing immediate insight into request destinations. Issue #78
Adjusted TEXT log formatting to remove multi-line outputs. All log messages in TEXT logging mode are now formatted in a single line, enhancing readability for log parsers. For example, previously, multi-line outputs were consolidated into a single line, replacing occurrences of \r\n with spaces. Issue #79
Implemented a solution to generate unique request_id values, resolving conflicts caused by the incremental nature of request_id. Issue #80
Add tests
Dependency upgrade

Dependency upgrade
Bug fixes
Add tests
When operating in the api mode, the API Firewall now returns error messages in responses for requests containing parameter values that exceed the minimum and maximum limits defined in the OpenAPI specification

Introduced new environment variables to limit GraphQL queries: APIFW_GRAPHQL_MAX_ALIASES_NUM and APIFW_GRAPHQL_FIELD_DUPLICATION.
Implemented more detailed responses for requests that do not match mounted specifications in the API non-proxy mode.

Ability to set the general API Firewall mode using the APIFW_MODE environment variable. The default value is PROXY. When set to API, you can validate individual API requests based on a provided OpenAPI specification without further proxying.
Introduced the ability to allow OPTIONS requests for endpoints specified in the OpenAPI, even if the OPTIONS method is not explicitly defined. This can be achieved using the APIFW_PASS_OPTIONS variable. The default value is false.
Introduced a feature that allows control over whether requests should be identified as non-matching the specification if their parameters do not align with those outlined in the OpenAPI specification. It is set to true by default.

This can be controlled through the APIFW_SHADOW_API_UNKNOWN_PARAMETERS_DETECTION variable in PROXY mode and via the APIFW_API_MODE_UNKNOWN_PARAMETERS_DETECTION variable in API mode.
The new logging level mode TRACE to log incoming requests and API Firewall responses, including their content. This level can be set using the APIFW_LOG_LEVEL environment variable.
Dependency updates
Bug fixes

Add the APIFW_SERVER_DELETE_ACCEPT_ENCODING environment variable. If it is set to true, the Accept-Encoding header is deleted from proxied requests. The default value is false.
https://github.com/wallarm/api-firewall/issues/56
https://github.com/wallarm/api-firewall/issues/57
Add decompression for the request body and response body

Upgrade Go to 1.19
Upgrade other dependencies
Fix bugs of Shadow API detection and denylist processing
Delete the Apifw-Request-Id header from responses returned by API Firewall
Add compatibility of the Ingress object with Kubernetes 1.22
Terminate logging of incoming requests matching API specification at the INFO log level

Ability to specify the URL address of the OpenAPI 3.0 specification instead of mounting the specification file into the Docker container (via the environment variable APIFW_API_SPECS).
Ability to use the custom Content-Type header when sending requests to the token introspection service (via the environment variable APIFW_SERVER_OAUTH_INTROSPECTION_CONTENT_TYPE).
Support for the authentication token denylists.

Wallarm API Firewall is now open source. There are the following related changes in this release:

Support for OAuth 2.0 token validation.
Connection to the servers signed with the custom CA certificates and support for insecure connection flag.

Configuration of the maximum number of the fasthttp clients (via the environment variable APIFW_SERVER_CLIENT_POOL_CAPACITY).
Health checks on the 9667 port of the API Firewall container (the port can be changed via the environment variable APIFW_HEALTH_HOST).

Added monitoring for Shadow API endpoints. API Firewall operating in the LOG_ONLY mode for both the requests and responses marks all endpoints that are not included in the specification and are returning the code different from 404 as the shadow ones. You can exclude response codes indicating shadow endpoints using the environment variable APIFW_SHADOW_API_EXCLUDE_LIST.
Configuration of the HTTP response status code returned by API Firewall to blocked requests (via the environment variable APIFW_CUSTOM_BLOCK_STATUS_CODE).
Ability to return the header containing the reason for the request blocking (via the environment variable APIFW_ADD_VALIDATION_STATUS_HEADER). This feature is experimental.
Configuration of the API Firewall log format (via the environment variable APIFW_LOG_FORMAT).

Optimized validation of the OpenAPI 3.0 specification due to added fastjson parser.
Added support for fasthttp.