By on March 25, 2020

Protect Your Applications With Cleafy Plugin for Kong


When protecting your online services, the weakest link is represented by the endpoints – that is, by the end-user devices running web or mobile applications or by external systems leveraging open APIs. As a matter of fact, there is a growing number of targeted attacks leveraging sophisticated techniques such as malicious web injections, mobile overlay and API abuse attacks to perform identity hijacking, account takeover, transaction tampering and payment frauds.

Traditional threat detection or anti-malware tools either fail to detect these advanced attacks, generate too many false positives with a heavy operational impact on security teams, or cannot support the real-time decisions required to avoid damage without causing customer friction. This situation is exacerbated as digital transformation (DX), instant/real-time payments and open banking initiatives extend the exposed security perimeter.

Cleafy, a Kong Hub plugin partner, provides an innovative threat detection and protection technology against the most advanced attacks from web, mobile and API channels. Cleafy is clientless and application-transparent, as it does not require any change to managed applications. Cleafy works by passively monitoring the application traffic between endpoints and backend services, continuously checking the application and communication integrity and assessing in real time the risk associated with each session, even before the authentication phase. To do so, Cleafy can smoothly integrate into the application delivery infrastructure, typically at the ADC or API gateway level. Once threats are identified in real time, adaptive threat responses can be automatically triggered, such as risk-based authentication or Cleafy dynamic application protection.

As applications become increasingly API-based, the adoption of API gateways is also increasing. In particular, Kong is a fully-fledged and platform-agnostic API gateway solution that is being adopted by leading organizations to enable high volume and low latency. Kong technology has built a solid reputation for being fast, powerful, and stable in supporting core API management requirements, such as routing, rate limiting and authentication. Moreover, Kong provides a plugin-based environment which allows third-party vendors to easily develop integrations and extend Kong capabilities.

The “Cleafy plugin for Kong” allows customers to easily integrate Cleafy threat detection and protection in any Kong-powered architecture and thus protect their services and end-users, leveraging Kong as an integration point for Cleafy. As described above, for Cleafy to be able to verify the integrity of the application end-to-end, it needs to analyse in real time all application requests and responses between endpoints and the Kong API gateway. It’s worth noting that the ability to extend Kong functionality using the Lua language made developing the Cleafy plugin for Kong quite easy.

Integrating Kong with Cleafy

The following figure shows the high-level architecture of the Cleafy plugin for Kong. 

Fig 1: Cleafy high-level integration architecture with Kong

All interactions between endpoints and the backend application service are intercepted by the Cleafy plugin for Kong, thus allowing Cleafy to analyse them. 

The Cleafy plugin for Kong is made up of two main components:


  • Response Interceptor: This component is responsible for grabbing each HTTP response served by the application server. Each response is collected, instrumented and then proxied to the endpoint that originated the corresponding request, so that Cleafy can (asynchronously) receive a copy of the DOM/API body once the endpoint has received and executed it.


  • Message Dispatcher: Each intercepted response is collected and sent to the Cleafy engine. To accomplish this, the dispatcher builds a message that contains the body of each HTTP response and some additional information, including both HTTP request and HTTP response headers.

As soon as Cleafy receives the copy of the response from the endpoint, an integrity check is performed with respect to the original response and any difference is automatically extracted. Such differences may represent malicious code injected on the endpoint or in the communication, thus highlighting potential threats.
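The integrity check described above can be pictured with the following added example, which is not Cleafy's implementation or code from the original post: it diffs the response body captured at the gateway against the copy reported back by the endpoint and extracts what was added. The message field names, host names and sample bodies are constructed assumptions.

```python
import difflib
import re

# Constructed sample of a dispatcher message: response body plus request and
# response headers. Field names are hypothetical, not Cleafy's wire format.
ORIGINAL_MESSAGE = {
    "request_headers": {"Host": "bank.example", "Cookie": "sid=abc123"},
    "response_headers": {"Content-Type": "text/html"},
    "body": (
        "<html>\n<body>\n"
        '<form id="transfer" action="/api/transfer">\n'
        '<input name="iban">\n'
        "</form>\n"
        "</body>\n</html>\n"
    ),
}

# Constructed sample of the copy reported by the endpoint after rendering,
# containing one element that the server never sent.
ENDPOINT_COPY = ORIGINAL_MESSAGE["body"].replace(
    "</form>\n",
    '</form>\n<script src="https://injected.invalid/x.js"></script>\n',
)

# Markup that can execute code or capture user input.
ACTIVE_CONTENT = re.compile(r"<\s*(script|iframe|form|input)\b|\bon\w+\s*=", re.I)


def extract_differences(original, reported):
    """Return one finding per region that differs on the endpoint side."""
    orig_lines = original.splitlines()
    rep_lines = reported.splitlines()
    matcher = difflib.SequenceMatcher(a=orig_lines, b=rep_lines, autojunk=False)
    findings = []
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag == "equal":
            continue
        added = rep_lines[j1:j2]
        findings.append({
            "change": tag,  # "insert", "replace" or "delete"
            "removed": orig_lines[i1:i2],
            "added": added,
            "active_content": any(ACTIVE_CONTENT.search(line) for line in added),
        })
    return findings


if __name__ == "__main__":
    print(extract_differences(ORIGINAL_MESSAGE["body"], ENDPOINT_COPY))
```

A line-based diff is enough for this sample; a real DOM comparison would have to normalise markup that browsers legitimately rewrite during parsing before treating a difference as evidence.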

Once the Cleafy plugin for Kong is installed and properly configured, no additional configuration is required in order to integrate Cleafy with Kong and have Cleafy ingest and analyse traffic passing through the Kong API gateway. 

The following figure shows how sessions are displayed in the Cleafy web console, with a risk score associated with each event corresponding to a Web/API request issued by the endpoint. Cleafy also provides a comprehensive set of APIs to enable other solutions to take advantage of the information collected and generated by Cleafy, including risk score, threat evidence and classification.

Fig 2: Cleafy web console displaying sessions with associated real-time risk score.


The “Cleafy plugin for Kong” allows customers to easily integrate Cleafy threat detection and protection in any Kong-powered architecture and thus protect their services and end-users leveraging Kong as an integration point for Cleafy.

Kong’s plugin-based environment allows third-party vendors to easily develop integrations and extend Kong capabilities with additional functionalities such as authentication, traffic control, logging, analytics and monitoring, transformations, and security-related features (such as Cleafy). 

The Kong plugin development environment and the Plugin Development Kit introduced in Kong version 0.14 are very well documented and easy to extend.
