This section covers CORS, Cache, Error Response Templates, Forwarded IP Header Parameters and Log settings of the API Proxy.

The picture below shows the Settings Tab:


If there is a warning on the settings as "Proxy Group Settings Enabled" in the image below, it means that the API Proxy is connected to an API Proxy Group and the settings in this panel are managed within the API Proxy Group.

CORS Settings

CORS (Cross-Origin Resource Sharing) can be configured in this subsection.

The Configure button becomes active when this fields is activated and contains the relevant settings.

The picture below shows the CORS Settings:


The CORS Settings fields are shown in the table below.

Field

Description

Request Headers


Origin

It contains the origin (domain, protocol, port) information from which the preflight request is sent.

Access-Control-Request-MethodThe HTTP method to be sent in the original request is specified.
Access-Control-Request-HeadersThe HTTP headers to be sent in the original request is specified.
Access-Control-Max-Age

It is given in seconds how long the response of the preflight request will remain in the cache without sending another preflight request. 

Access-Control-Allow-Headers

Header values that API Proxy allows for access are entered. If Access-Control-Request-Headers is specified in the preflight request, this header is placed on the response. It contains information about which HTTP headers can be used in the original request.

Access-Control-Allow-Methods

It contains the HTTP methods that are allowed when accessing the server. The methods that API Proxy allows for access are selected from the list by ticking:

  • GET
  • POST
  • PUT
  • HEAD
  • OPTIONS
  • DELETE
  • PATCH
  • TRACE
  • ALL

Response Headers

Access-Control-Allow-OriginOrigin values allowed by API Proxy are entered. If * is entered in this field, all origins can send requests.
Access-Control-Allow-CredentialsIn the original request, the value of whether the credentials are present is entered.
Access-Control-Expose-HeadersOther headers that clients can access are entered.

You can visit the CORS Origin Values and CORS Headers pages to add new ones to the predefined Origin and Header values.

Cache Settings 

By caching the responses returned from the API Proxy, requests of the client can be answered from the cache without sending them to the Backend API. You can manage this cache settings from here.

The picture below shows the Cache Settings:


The Cache Settings fields are shown in the table below.

Field

Description

Cache Only HTTP Get RequestsIf this option is selected, only HTTP Get requests' responses will be cached. 
Cache Key Type

There are two options for Cache Key Type:

  • Use Query Params: This value is used to determine the key (to be created for caching) based on the HTTP Query parameters in the request.

For example, when the query parameter is /methodName?param1=value1&param2=value2, the key to be kept in the cache consists of the value "param1=value1&param2=value2"

  • Create Custom Key: This value is used to create the key (to be created for caching) with the fields to be selected from the request.

When this value is selected, a key is created with the fields to be specified in the "Variable List" table.

Variable List

If Create Custom Key is selected as the Cache Key Type, this field becomes active.

This list specifies where to retrieve the relevant values in the header, parameter, or body sections of the request message that will be used to generate the cache key.

For example; An expression can be written as "Create key based on the APIKEY value in the header of the request message and the XPath value "//identity_no" in the body".

CapacityMaximum number of the responses to be cached.

Invalidation Requires Authn

The existing cache can be invalidated by sending one of the values "no-cache", "no-store" or "max-age=0" to the Cache-Control key in the Request Header.

This field (Invalidation Requires Authn) is selected if authorization is required to invalidate the cache.

Handling Action

If authorization is required to invalidate the cache, the action to take for unauthorized requests is selected:

  • CONTINUE:If this option is selected, when one of the values "no-cache", "no-store" or "max-age=0" is sent in the Cache-Control header information, if the sender is not authorized, message will continue to operate without being invalidated.
  • STOP: If this option is selected, when one of the values "no-cache", "no-store" or "max-age=0" is sent in the Cache-Control header information, if the sender is not authorized, the flow will be stopped and an error message will be returned.

TTL

The length of time the cached response will remain in the cache. It is given in seconds.
Cache Null ValueChecked if null values are also to be cached.

Sending 'no-cache' to the Cache-Control header allows the current cache to be made refreshable.

Customizing the XML Error Response Template

It is used to prepare response templates that will be used when any error is returned from the API Proxy to the client.

When any template is activated, the default template is displayed and can be customized if desired.

The Configure button becomes active when this fields is activated and contains the relevant settings.

The picture below shows the XML Error Response Template:


The XML Error Response Template fields are shown in the table below.

Field

Description

Permit Special Chars in Response Message

Special characters that may be present in the error message of the response can corrupt the XML message structure. Determines whether these are allowed or not.

XML Value

The error template of XML type can be edited in this field.

Content Type

The content type of the response to be returned.


Customizing the JSON Error Response Template

The Configure button becomes active when this fields is activated and contains the relevant settings.

The picture below shows the JSON Error Response Template:


The JSON Error Response Template fields are shown in the table below.

Field

Description

Permit Special Chars in Response Message

Special characters that may be present in the error message of the response can corrupt the JSON message structure. Determines whether these are allowed or not.

JSON Value

The JSON type error template can be edited in this field.

Content Type

The content type of the response to be returned.


Within the response templates, the values in the form #...# are used as placeholders to put the relevant part of the error message. Placeholders and their descriptions are in the following table:

PlaceholderDescription
#CORRELATIONID#Apinizer creates a unique key for each incoming request so that the request can be tracked throughout the flow. By using this key, for example, it becomes possible to follow the log records of the applications by associating them with the log records on Apinizer.
#FAULTCODE#Specifies where to put the error code to be returned to the client in the response message.
#FAULTMESSAGE#Specifies where to place the error message returned to the client in the response message.
#FAULTMESSAGE_FIRSTLINE#The first line or first 150 characters of the error message to be returned to the client are taken and put in the response message.
#FAULTSTATUSCODE#Specifies where to put the HTTP Status Code returned to the client in the response message.
#RESPONSEFROMAPI#If there is a response returned from the Backend API, it determines where the response will be placed in the response message to be returned to the client.
#RESPONSEFROMAPI_FIRSTLINE#The first line or first 150 characters of a response returned from the Backend API are taken and put into the response message to be returned to the client.


Both templates can be activated if desired. If both templates are active, which one will be used is decided according to the following criteria:

  • If the value of the Content-Type header specifies the JSON format, the JSON Error Response Template is used.
  • If the Content-Type header is empty and the API Proxy's type is REST, the JSON Error Response Template is used.
  • If these are not valid, the XML Error Response Template is used.

If both templates are not activated or the cause of the error is API Proxy not found (address may be wrong, API Proxy may not be deployed), following response returns with text/plain;charset=utf-8 header:

[#CORRELATIONID#],[#FAULTCODE#],[#FAULTMESSAGE#],[#FAULTSTATUSCODE#],[#RESPONSEFROMAPI#]

If the "Ignore Error Response Template In Case Of Error On Backend API" option is selected in the Routing tab of the API Proxy, the templates defined in this section are not used, and the error response of the Backend API is sent to the client as it is.

Forwarded IP Header Setting

If the API Proxy is behind a Load Balancer or Proxy Server, the IP value of the client cannot be known by the API Proxy or Backend API, since the request from the client will be directed to the API Proxy by this layer. Therefore, Load Balancers or Proxy Servers can transmit the original client's IP with a header. The Forwarded IP Header Parameters setting ensures that the client IP is accessible by the API Proxy and Backend API by specifying the name of this header, which can vary by software/hardware.


The picture below shows the Forwarded IP Header Setting:


The Forwarded IP Header Setting fields are shown in the table below.

Field

Description

Forwarded IP Header Parameter

If the client is behind a Load Balancer or a API Proxy, this parameter is used in order to access the real IP of the client.

IP to Use

If the request has passed more than one proxy, more than one IP address can accumulate in the XFF value. In this case, IP to Use decides which address to get.


Hiding API Definition File 

When enabled, users are prevented from accessing the API Definition file via the API Proxy's external access address. However, this setting has no effect for definition files viewed through the API Manager.

If the API Proxy is in a Proxy Group and the Definition File is closed, the definition file of the API Proxy stored in the Proxy Group Definition File will not appear, if the definition files of all the Proxies in the Proxy Group are closed, the user will get an access error.

You can visit the Overview Tab page to access API Proxy Definition files.

API Traffic Log Settings

Request and response messages coming to API Proxy are logged by sending them to API Proxy Traffic Log Connectors in the environment where API Proxy is deployed.

Log records contain two types of data:

  • The first of these is metric data. Storing metric data is not optional.
  • The second is the content that consists header, parameter and body fields of the request and response messages in these 4 regions: Client → API Proxy, API Proxy → Backend API, Backend API → API Proxy, API Proxy → Client. Which of these fields will be included in the log records can be determined according to the need or based on the resource consumption of the log server.

By default, log fields in all message zones of the project are active. Although all log fields are active by default, it is recommended to disable Body fields so that the log data does not overgrow, especially in Production Environments.

The picture below shows the Log Settings tab:


The fields used for log settings are shown in the table below.

FieldDescription

Header

Enables logging the Header values for the relevant region.

Body

Enables logging the content of the Body for the relevant region.

Parameter

Enables logging the Parameter values for the relevant region.

Connectors

It is used to select which connector the relevant logs will be sent to.

In the Log Settings section, log settings are managed for the relevant API Proxy only. 

For detailed information about the log settings, you can visit the API Traffic Log Settings page.