We released an updated version of our API Protection toolset with several optimizations.
Built-in Compression
The biggest improvement is the automatic, platform-specific compression of encrypted data. In previous versions, encrypted request/response payloads were sent without compression, and reverse proxy/CDN servers (e.g., Nginx or Cloudflare) were unable to apply compression.
In the new version, we added a mechanism that automatically compresses payloads larger than 1 KB before encryption. This works both ways: server-to-client and client-to-server. While backend applications are now capable of handling Gzip, Brotli, and Zstandard compressed content with encryption, web applications support only Gzip via the Compression Streams API built into all modern browsers.
New Headers
In the new version, we deprecated x-crypto headers in favor of the new x-encoding set. If you host the application on-premise, ensure your CORS policies are updated. These new headers significantly improve the encryption process handling.
Encryption Interoperability
The new version officially supports encryption interoperability with third-party systems. Enterprise customers can now build integrations using the API with payload encryption for sensitive data transfer (e.g., HIPAA/PHI, PCI-DSS). While there are no technical limitations for any subscription to use the encrypted API, enterprise customers are provided with additional guides and examples.
Availability
API Protection is available in backend and web applications (current generation only). API Protection for Android and iOS will be added in Q1 2025 with the release of the next-generation mobile application designer (v4).