Security and Threat Protection
How to enable or disable threat protection and request schema validation.
The Security tab has multiple configurations that you can use to protect your API.
Firewall settings
For security reasons, you should protect your API and block requests coming from outside the RapidAPI infrastructure.
RapidAPI adds the X-RapidAPI-Proxy-Secret header on every request. This header has a unique value for every API, and if the header is missing or has a different value, you can assume the request is not coming from our infrastructure. The header for this API is: X-RapidAPI-Proxy-Secret followed by a unique string.
List of IP addresses used by RapidAPI
Every request coming from the RapidAPI network will come from the following IP addresses. You can allow list these IPs, as they are the ones used to send requests only from RapidAPI.
A request coming from RapidAPI can be considered already authenticated, so no billing or authentication checks are required on the API side.
Here is the complete list of IPs to allow list:
Notice that you must accept API requests from ALL IPs below, regardless of which region your servers are located in.
| Region | IPs |
|---|---|
| US East | 107.23.255.128 107.23.255.129 107.23.255.131 107.23.255.132 107.23.255.133 107.23.255.134 107.23.255.135 107.23.255.137 107.23.255.138 107.23.255.139 107.23.255.140 107.23.255.141 107.23.255.142 107.23.255.143 107.23.255.144 107.23.255.145 107.23.255.146 107.23.255.147 107.23.255.148 107.23.255.149 107.23.255.150 107.23.255.151 107.23.255.152 107.23.255.153 107.23.255.154 107.23.255.155 107.23.255.156 107.23.255.157 107.23.255.158 107.23.255.159 |
| US West | 35.162.152.183 52.38.28.241 52.35.67.149 54.149.215.237 |
| Mumbai | 13.127.146.34 13.127.207.241 13.232.235.243 13.233.81.143 |
| Tokyo | 13.112.233.15 54.250.57.56 18.182.156.77 52.194.200.157 |
| Frankfurt | 3.120.160.95 18.184.214.33 18.197.117.10 3.121.144.151 |
| Sydney | 13.239.156.114 13.238.1.253 13.54.58.4 54.153.234.158 |
| South America | 18.228.167.221 18.228.209.157 18.228.209.53 18.228.69.72 |
| Singapore | 13.228.169.5 3.0.35.31 3.1.111.112 52.220.50.179 |
| Ireland | 34.250.225.89 52.30.208.221 63.34.177.151 63.35.2.11 |
Threat protection
You can enable or disable threat protection under the Security tab of your API's definition. Threat protection protects your API from SQL or JavaScript injection attacks. If enabled, we will automatically compare the paths, parameters, headers, and body (application/json, application/x-www-form-urlencoded, and non-binary data in multipart/form-data) of all requests against pre-defined RegEx patterns, and block matching requests from reaching your servers.
By default, threat protection is off. You can toggle it on or off by clicking the switch.
If threat protection is enabled, the Content-Type header must be specified if the request has a body. If Content-Type is not specified, the request will be blocked. You can configure whether to block or pass the body through if the Content-Type is not set to application/json, application/x-www-form-urlencoded, and non-binary data in multipart/form-data.
Request schema validation
You can enable or disable request schema validation under the Security tab of your API's definition. This stops requests that have a validation error at our proxy so the call will not be sent to your API hosting server.
If enabled, we will automatically validate the path, query, and header parameters on run time and block all invalid requests. This requires a "Content-Type" header in requests with a body. By default, request schema validation is off. You can toggle it on or off by clicking the switch.
Additional request schema validation settings
When Request Schema Validation is enabled, you will be able to choose from three settings:
Pass through everything (default): Request passed through without stripping any parameters or headers.
Strip and passthrough: Strips unexpected parameters or headers and passes the request through.
Block: Blocks any request with unexpected parameters or headers.
Currently, even if the default HTTP headers or auto-generated headers for REST APIs are not explicitly defined in the specification the request will be blocked if you select "Strip and passthrough" or "Block"
Request size limit
You can specify a maximum allowed request size (less than or equal to the default value 50 MB). If left empty or configured as 0, the default value is applied. The request size includes request line, header, and request body.
When the size of a request exceeds this limit, the request is blocked at the RapidAPI Gateway and a 413 status code is returned in the response.
Gateway timeout
You can specify a maximum allowed time for the RapidAPI Gateway to wait for a response from the target API (less than or equal to the default value 180 seconds). If left empty or configured as 0, the default value is applied.
When the response from the target API takes longer than the specified timeout value, the RapidAPI Gateway terminates the call and a 504 status code is returned in the response.
Updated over 2 years ago