There are three main types of API policies: included, automated and custom.
Policies can be applied at the API level or at the resource level (to specific endpoints only).
Included Policies
Ready-to-use policies provided by MuleSoft which cover 90% of the cases. There are 5 main categories of policies:
- Security policies
  - Basic Authentication – LDAP
  - Basic Authentication – Simple
  - IP Blocklist
  - IP Allowlist
  - JSON Threat Protection
  - XML Threat Protection
  - JWT
  - OAuth 2.0 Access Token Enforcement Using Mule OAuth Provider Policy (recommended for the Experience layer)
  - OpenAM Access Token Enforcement
  - PingFederate Access Token Enforcement
  - Tokenization
  - Detokenization
- Compliance policies
  - Client ID Enforcement (this is the minimum recommendation for any API)
  - CORS
- Transformation policies
  - Header Injection
  - Header Removal
- Quality of service policies
  - HTTP Caching
  - Rate Limiting
  - Rate Limiting, SLA-Based
  - Spike Control
- Troubleshooting
  - Message Logging
Automated Policies
Applied at the environment level, so they cover every API in that environment. Only an API Manager Environment Administrator can apply them; as a developer, you may not have the rights required to work with them.
Custom Policies
Can be based on an existing included policy or written from scratch. There are two types of custom policies: online and offline.
Online custom policies are the recommended type and are applied from API Manager. They are recommended because they are protected by the gatekeeper mechanism: the gatekeeper blocks incoming requests until all of the API's policies have been applied. Without the gatekeeper there is a window, between the API coming up and its policies being applied, in which an unauthorized user could make a request that bypasses the policies.
Notes about Mule API Policies
Each policy adds to the duration (latency) of every request, so it is not a good idea to apply too many of them. Policies should be chosen with a focus on the balance between performance and user experience.
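The gatekeeper gap described under custom policies and the per-policy cost noted above, modelled as an added example that is not MuleSoft code: a small gateway with a Client ID Enforcement and a Rate Limiting policy chained in order. Every name here (Gateway, Request, the policy factories, the client id "app-123") is a constructed assumption for the illustration, not an API Manager identifier.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Optional

# A policy inspects the request and returns an HTTP status to reject it, or None to let the chain continue.
Policy = Callable[["Request"], Optional[int]]


@dataclass
class Request:
    client_id: Optional[str]
    path: str


@dataclass
class Gateway:
    configured: frozenset            # names of all policies the API is configured with
    gatekeeper: bool = True          # when True, traffic is held until every configured policy is applied
    chain: list = field(default_factory=list)  # (name, policy) in application order

    def apply_policy(self, name: str, policy: Policy) -> None:
        self.chain.append((name, policy))

    def ready(self) -> bool:
        return {name for name, _ in self.chain} == self.configured

    def handle(self, req: Request) -> tuple:
        """Run the request through the chain; returns (status, name of the deciding policy)."""
        if self.gatekeeper and not self.ready():
            return 503, "gatekeeper"         # blocked: policies are still being applied
        for name, policy in self.chain:      # each hop adds latency, which is why short chains are preferred
            status = policy(req)
            if status is not None:
                return status, name
        return 200, "backend"                # every policy passed; the request reaches the API


def client_id_enforcement(valid_ids: set) -> Policy:
    """Constructed stand-in for the Client ID Enforcement policy: unknown or missing client id -> 401."""
    def check(req: Request) -> Optional[int]:
        return None if req.client_id in valid_ids else 401
    return check


def rate_limiting(max_requests: int) -> Policy:
    """Constructed stand-in for Rate Limiting: more than max_requests per client in one window -> 429."""
    seen: Counter = Counter()
    def check(req: Request) -> Optional[int]:
        seen[req.client_id] += 1
        return 429 if seen[req.client_id] > max_requests else None
    return check
```

With the gatekeeper off, a request sent before any policy is applied returns 200 from the backend; with it on, the same request gets 503 until both policies are in the chain.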