Patents by Inventor Leon Kuperman

Leon Kuperman has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Publication number: 20230108773
    Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client. Clients engage the host through the proxy to access an API of the host. An authorized client-side application permitted use of the API includes an API request to the proxy. The proxy determines whether an internet protocol (IP) address of the client and the token match an existing IP-token pair. If no match exists, the proxy determines whether the token matches an existing token. The proxy authorizes the client access to the API when the IP and token match an existing pair. In response to determining that the token exists in a token store but the token is associated with a different IP address, the API request may be denied.
    Type: Application
    Filed: December 8, 2022
    Publication date: April 6, 2023
    Inventors: Leon Kuperman, Jose Hernandez
  • Patent number: 11546349
    Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client. Clients engage the host through the proxy to access an API of the host. An authorized client-side application permitted use of the API includes an API request to the proxy. The proxy determines whether an internet protocol (IP) address of the client and the token match an existing IP-token pair. If no match exists, the proxy determines whether the token matches an existing token. The proxy authorizes the client access to the API when the IP and token match an existing pair or if the token does not match an existing token and the token is verified by the proxy.
    Type: Grant
    Filed: December 16, 2020
    Date of Patent: January 3, 2023
    Assignee: Oracle Systems Corporation
    Inventors: Leon Kuperman, Jose Hernandez
  • Publication number: 20220141233
    Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client device. The system determines that an API request lacks a form of authentication including a token where the first API request cannot be authenticated. The API request is denied, and a challenge is transmitted to the client device. A subsequent API request from the client device is determined to include a presented token as the form of authentication. The presented token of the second API request is verified based on attributes of the presented token. The system permits the second API request in response to the presented token being verified. An IP-token pair is stored and the permitted second API request is transmitted to the host device for servicing.
    Type: Application
    Filed: January 12, 2022
    Publication date: May 5, 2022
    Inventors: Leon Kuperman, Jose Hernandez
  • Patent number: 11245706
    Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client. Clients engage the host through the proxy to access an API of the host. An authorized client-side application permitted use of the API is distributed to clients and includes a Software Development Kit configured to generate a unique token and provide the token in association with an API request when challenged by the proxy. For example, the proxy may challenge a client to present a token in response to receiving an API request lacking a token or when a token is expired. The proxy verifies the token to authenticate the client and permits authorized clients access to the API by passing API requests received from authenticated clients on to the host for servicing.
    Type: Grant
    Filed: March 22, 2018
    Date of Patent: February 8, 2022
    Assignee: Oracle Systems Corporation
    Inventors: Leon Kuperman, Jose Hernandez
  • Publication number: 20210105286
    Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client. Clients engage the host through the proxy to access an API of the host. An authorized client-side application permitted use of the API includes an API request to the proxy. The proxy determines whether an internet protocol (IP) address of the client and the token match an existing IP-token pair. If no match exists, the proxy determines whether the token matches an existing token. The proxy authorizes the client access to the API when the IP and token match an existing pair or if the token does not match an existing token and the token is verified by the proxy.
    Type: Application
    Filed: December 16, 2020
    Publication date: April 8, 2021
    Inventors: Leon Kuperman, Jose Hernandez
  • Patent number: 10873587
    Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client. Clients engage the host through the proxy to access an API of the host. An authorized client-side application permitted use of the API includes a Software Development Kit configured to generate a unique token and provide the token in association with an API request to the proxy. The proxy determines whether an internet protocol (IP) address of the client and the token match an existing IP-token pair. If no match exists, the proxy determines whether the token matches an existing token. The proxy authorizes the client access to the API when the IP and token match an existing pair or if the token does not match an existing token and the token is verified by the proxy.
    Type: Grant
    Filed: March 22, 2018
    Date of Patent: December 22, 2020
    Assignee: Oracle Systems Corporation
    Inventors: Leon Kuperman, Jose Hernandez
  • Patent number: 10735382
    Abstract: A system detects human activity through browser canvas events to mitigate the effects of an attack on a host, such as an application layer (layer 7) DDoS attack. A proxy, such as a HTTP/HTTPS “HTTP(S)” proxy server, configured to handle network traffic between a host and clients challenges clients engaging the host. The proxy challenges the clients by injecting code having a beacon and a shared encryption key into the content received from the host prior to transmission of the client. The code, when executed by the client, is configured to monitor user interactions (or lack thereof) with the content at the client in order to determine whether there is human activity at the client. The proxy receives and analyzes the information about interactions (or lack thereof) to determine whether a client is malicious (e.g., non-human activity) or non-malicious (e.g., human activity).
    Type: Grant
    Filed: January 27, 2017
    Date of Patent: August 4, 2020
    Assignee: Zenedge, Inc.
    Inventors: Leon Kuperman, Fausto Lendeborg, David Allen McKinney, Jose Enrique Hernandez
  • Patent number: 10652254
    Abstract: A system is configured for protecting web applications at a host by analyzing web application behavior to detect malicious client requests. Example embodiments described herein include a proxy configured to handle network traffic between a host and clients. The proxy includes two request classification mechanisms, first a list of known clients, malicious and non-malicious, for identifying known malicious and known non-malicious requests and second a web application firewall for determining a classification for unknown requests (e.g., not originating from a known client). The classification itself may be distributed. The proxy determines whether a request is known non-malicious, known malicious, or unknown. The proxy collects request attributes for the known malicious and known non-malicious requests for the generation of a model based on the attributes of the known requests. The proxy passes the unknown requests to the WAF for determining a classification based on their attributes using the model.
    Type: Grant
    Filed: February 23, 2017
    Date of Patent: May 12, 2020
    Assignee: ZENEDGE, INC.
    Inventors: Leon Kuperman, Kipras Mancevicius
  • Patent number: 10623376
    Abstract: A system (and method, and computer readable storage medium storing computer program instructions) is configured to determine a fingerprint of a client and qualify client behavior. For example, a proxy positioned between a host and the client may determine the fingerprint of the client and qualify the behavior of clients engaging the host. The client fingerprint provides a relatively stable representation of the client such that the client may be distinguished from the other clients engaging the host and the behavior of the client tracked. Clients engaging the host in a positive manner are prequalified to access the host based on the positive behavior they exhibit. During an attack on the host, such as a DDoS attack, prequalified clients retain access to features and functionality provided by the host to maintain legitimate user experience and better enable the proxy to handle malicious clients.
    Type: Grant
    Filed: January 27, 2017
    Date of Patent: April 14, 2020
    Assignee: ZENEDGE, INC.
    Inventors: Leon Kuperman, Fausto Lendeborg, David Allen McKinney, Jose Enrique Hernandez
  • Patent number: 10218810
    Abstract: A proxy server routes a request for online content from a user device to an origin server, which returns the requested online content to the proxy server. The proxy server passes the online content to the user device. In order to service subsequent user device requests with cached content, the proxy server, having received the initially requested online content from the origin server, parses out dynamic content specific to the user from static content common to many users within the web page content according to tags identifying the dynamic content. The proxy server stores the dynamic content within a personalized cache and also stores an association between the user/user device for the dynamic content stored. In this way, a subsequent request from the user device for the same online content may be serviced from cache, and include dynamic content specific to that user/user device by way of the personalized cache.
    Type: Grant
    Filed: December 28, 2017
    Date of Patent: February 26, 2019
    Assignee: ZENEDGE, INC.
    Inventors: Leon Kuperman, Kipras Mancevičius, Dmytro Bekinin
  • Publication number: 20180278624
    Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client. Clients engage the host through the proxy to access an API of the host. An authorized client-side application permitted use of the API is distributed to clients and includes a Software Development Kit configured to generate a unique token and provide the token in association with an API request when challenged by the proxy. For example, the proxy may challenge a client to present a token in response to receiving an API request lacking a token or when a token is expired. The proxy verifies the token to authenticate the client and permits authorized clients access to the API by passing API requests received from authenticated clients on to the host for servicing.
    Type: Application
    Filed: March 22, 2018
    Publication date: September 27, 2018
    Inventors: Leon Kuperman, Jose Hernandez
  • Publication number: 20180278584
    Abstract: A system is configured to authorize client access to an application programming interface (API) of a host device. A proxy is configured to handle network traffic between a host and a client. Clients engage the host through the proxy to access an API of the host. An authorized client-side application permitted use of the API includes a Software Development Kit configured to generate a unique token and provide the token in association with an API request to the proxy. The proxy determines whether an internet protocol (IP) address of the client and the token match an existing IP-token pair. If no match exists, the proxy determines whether the token matches an existing token. The proxy authorizes the client access to the API when the IP and token match an existing pair or if the token does not match an existing token and the token is verified by the proxy.
    Type: Application
    Filed: March 22, 2018
    Publication date: September 27, 2018
    Inventors: Leon Kuperman, Jose Hernandez
  • Publication number: 20180124201
    Abstract: A proxy server routes a request for online content from a user device to an origin server, which returns the requested online content to the proxy server. The proxy server passes the online content to the user device. In order to service subsequent user device requests with cached content, the proxy server, having received the initially requested online content from the origin server, parses out dynamic content specific to the user from static content common to many users within the web page content according to tags identifying the dynamic content. The proxy server stores the dynamic content within a personalized cache and also stores an association between the user/user device for the dynamic content stored. In this way, a subsequent request from the user device for the same online content may be serviced from cache, and include dynamic content specific to that user/user device by way of the personalized cache.
    Type: Application
    Filed: December 28, 2017
    Publication date: May 3, 2018
    Inventors: Leon Kuperman, Kipras Mancevicius, Dmytro Bekinin
  • Publication number: 20180124085
    Abstract: A network traffic hub extracts encryption metadata from messages establishing an encrypted connection between a smart appliance and a remote server and determines whether malicious behavior is present in the messages. For example, the network traffic hub can extract an encryption cipher suite, identified encryption algorithms, or a public certificate. The network traffic hub detects malicious behavior or security threats based on the encryption metadata. These security threats may include a man-in-the-middle attacker or a Padding Oracle On Downgraded Legacy Encryption attack. Upon detecting malicious behavior or security threats, the network traffic hub blocks the encrypted traffic or notifies a user.
    Type: Application
    Filed: October 31, 2017
    Publication date: May 3, 2018
    Inventors: Yuri Frayman, Robert Beatty, Leon Kuperman, Gabor Takacs
  • Patent number: 9860334
    Abstract: A proxy server routes a request for online content from a user device to an origin server, which returns the requested online content to the proxy server. The proxy server passes the online content to the user device. In order to service subsequent user device requests with cached content, the proxy server, having received the initially requested online content from the origin server, parses out dynamic content specific to the user from static content common to many users within the web page content according to tags identifying the dynamic content. The proxy server stores the dynamic content within a personalized cache and also stores an association between the user/user device for the dynamic content stored. In this way, a subsequent request from the user device for the same online content may be serviced from cache, and include dynamic content specific to that user/user device by way of the personalized cache.
    Type: Grant
    Filed: December 18, 2015
    Date of Patent: January 2, 2018
    Assignee: Zenedge, Inc.
    Inventors: Leon Kuperman, Kipras Mancevičius, Dmytro Bekinin
  • Publication number: 20170244737
    Abstract: A system is configured for protecting web applications at a host by analyzing web application behavior to detect malicious client requests. Example embodiments described herein include a proxy configured to handle network traffic between a host and clients. The proxy includes two request classification mechanisms, first a list of known clients, malicious and non-malicious, for identifying known malicious and known non-malicious requests and second a web application firewall for determining a classification for unknown requests (e.g., not originating from a known client). The classification itself may be distributed. The proxy determines whether a request is known non-malicious, known malicious, or unknown. The proxy collects request attributes for the known malicious and known non-malicious requests for the generation of a model based on the attributes of the known requests. The proxy passes the unknown requests to the WAF for determining a classification based on their attributes using the model.
    Type: Application
    Filed: February 23, 2017
    Publication date: August 24, 2017
    Inventors: Leon Kuperman, Kipras Mancevicius
  • Publication number: 20170222979
    Abstract: A system (and method, and computer readable storage medium storing computer program instructions) is configured to determine a fingerprint of a client and qualify client behavior. For example, a proxy positioned between a host and the client may determine the fingerprint of the client and qualify the behavior of clients engaging the host. The client fingerprint provides a relatively stable representation of the client such that the client may be distinguished from the other clients engaging the host and the behavior of the client tracked. Clients engaging the host in a positive manner are prequalified to access the host based on the positive behavior they exhibit. During an attack on the host, such as a DDoS attack, prequalified clients retain access to features and functionality provided by the host to maintain legitimate user experience and better enable the proxy to handle malicious clients.
    Type: Application
    Filed: January 27, 2017
    Publication date: August 3, 2017
    Inventors: Leon Kuperman, Fausto Lendeborg, David Allen McKinney, Jose Enrique Hernandez
  • Publication number: 20170223049
    Abstract: A system detects human activity through browser canvas events to mitigate the effects of an attack on a host, such as an application layer (layer 7) DDoS attack. A proxy, such as a HTTP/HTTPS “HTTP(S)” proxy server, configured to handle network traffic between a host and clients challenges clients engaging the host. The proxy challenges the clients by injecting code into the content received from the host prior to transmission of the client. The code, when executed by the client, is configured to monitor user interactions (or lack thereof) with the content at the client in order to determine whether there is human activity at the client. The proxy receives and analyzes the information about interactions (or lack thereof) to determine whether a client is malicious (e.g., non-human activity) or non-malicious (e.g., human activity).
    Type: Application
    Filed: January 27, 2017
    Publication date: August 3, 2017
    Inventors: Leon Kuperman, Fausto Lendeborg, David Allen McKinney, Jose Enrique Hernandez
  • Publication number: 20160182672
    Abstract: A proxy server routes a request for online content from a user device to an origin server, which returns the requested online content to the proxy server. The proxy server passes the online content to the user device. In order to service subsequent user device requests with cached content, the proxy server, having received the initially requested online content from the origin server, parses out dynamic content specific to the user from static content common to many users within the web page content according to tags identifying the dynamic content. The proxy server stores the dynamic content within a personalized cache and also stores an association between the user/user device for the dynamic content stored. In this way, a subsequent request from the user device for the same online content may be serviced from cache, and include dynamic content specific to that user/user device by way of the personalized cache.
    Type: Application
    Filed: December 18, 2015
    Publication date: June 23, 2016
    Inventors: Leon Kuperman, Kipras Mancevicius, Dmytro Bekinin
  • Publication number: 20100318433
    Abstract: A system for diverting motivated bidders from a publisher's webpage to an on-line auction site comprises an auction website server hosting an on-line auction and having an xml file with which a potential bidder's web browser can communicate via a banner ad displayed at a publisher's website to request a list of authorized domains having access rights to communicate with the on-line auction server. Means are provided for permitting the potential bidder's web browser to open a channel of communication to the auction website's webpage in http or https format to obtain a listing from the on-line auction website of at least one auction at the on-line auction website that is ending soon and which meets search criteria specific to the publisher's webpage as previously selected by one or both of the on-line website and the publisher. The listing is in http or https format and is displayed as real-time content within the banner ad.
    Type: Application
    Filed: June 15, 2009
    Publication date: December 16, 2010
    Applicant: Bidz.com Inc.
    Inventor: Leon Kuperman