HTTP/2 + gRPC and protobuf
Today many digital transformation and DevOps teams have been tasked with building applications that will enhance their customer’s digital experience. The goal, to make the user experience smoother, faster and less impeded by transactional and security controls, is a core focus for digital experience leaders. At the forefront of this are mobile devices and Single Page Applications (SPAs) that are being built to provide richer, highly personalized, dynamic content to end users. As a major provider of cloud based Application Security and Content Delivery Network (CDN) solutions Imperva works closely with some of the largest enterprises globally. Many of our customers have embarked on journeys to transform their digital presence with the aim to drastically improve their customer’s online experience. As part of their application transformation initiatives our customers not only depend on Imperva to provide strong application security controls but also to speed up the delivery of their applications using the static and dynamic content acceleration capabilities of Imperva’s CDN.
The need for fast and secure delivery of highly personalized dynamic content
Businesses today hold far more data about their customers than ever before. To fulfil a customer’s digital transaction and online experience expectations, applications are presenting a much higher percentage of highly personalized dynamic content to their users. This content often contains data that is sensitive in nature so should not be cached by a CDN at the network edge. Bank account details, first and last name, address details, Tax File Numbers and photo images used for Identification purposes are just some examples of sensitive and personal application data.
A mobile device running a SPA typically makes many calls to API endpoints that deliver widget based results for displaying back to the user. Speeding up delivery of these widget based results is key to a super-fast application experience. Imperva’s CDN is geared up to accelerate the delivery of these widgets which are essentially dynamic objects. API calls usually broker requests to a database so if these are not secured appropriately it could lead to data compromise and ultimately a data breach. Imperva provides API security as part of its overall cloud application security stack to counter this potential risk. It also provides comprehensive Database Activity Monitoring solutions to provide visibility and protection against misappropriated data access and help meet compliance and regulatory obligations.
Providing a rich, personalized, fast and secure mobile device application experience tends to help build trust with customers. A happy, trusting, customer is one who will return for further transactions and interaction with your online business. This in turn helps drive increased revenue from your customer base.
Traditional CDN vendors that focus on caching static content at the network edge so that it can be served up fast are usually not set up to deliver the same consistently fast experience for dynamic content. Part of the reason for this is that they don’t typically support high performance API protocols such as gRPC or transport HTTP/2 requests all the way to the origin server. This is where Imperva differs greatly from many other Cloud Application Security and CDN vendors. Additionally, Imperva has a tightly integrated global network mesh of Data Centers (POPs). The Software Defined Network (SDN) mesh that forms the backbone of Imperva’s global CDN solution dynamically optimizes the path between the requester of dynamic content (SPA) and the origin server that needs to be reached in order to serve the content. Results show that routing user connections across Imperva’s global SDN mesh produces a faster, more consistent and shorter network path with less average number of hops than if the request was routed over the Internet to the customer’s origin server. Based on Cedexis (an industry recognized CDN performance benchmark and monitoring platform) Imperva ranks in the top 5 fastest CDN providers for delivery of dynamic object content.
With the increased adoption of SPAs and mobile devices, CDN solutions and technologies that speed up the delivery of dynamic content from your application servers to a user’s device is more important than ever before.
When building high performance SPAs it’s exceptionally important to choose the right architecture and underlying protocols that are complementary to delivering dynamic content in the fastest most efficient way. This is the underlying foundation to providing a heightened overall user experience and will help win new customers and retain existing ones.
A High performance application architecture (HTTP/2 + gRPC and protobuf)
Digital experience and transformation teams are investing in high performance application architectures that utilize newer highly efficient protocols and technologies to deliver a faster digital experience to their customers. This is paramount to overcoming the performance bottlenecks that surround delivering rich dynamic content via traditional web applications. In this regard Imperva has seen a number of its large enterprise customers choose to develop native HTTP/2 applications to reap the performance benefits that come with using this protocol, particularly with SPAs and mobile devices. Binary framing/encoding, header compression, server-push and connection multiplexing are all part of HTTP/2. Combined, these HTTP/2 features are capable of providing speed gains of 2 times or greater than its predecessor HTTP/1.1.
Pairing HTTP/2 with an API framework such as Google’s gRPC protocol provides a powerful, highly efficient and flexible mechanism for executing commands and exchanging data between a client (such as a SPA) and an application service using gRPC API endpoints.
The challenge is how do you secure gRPC based applications from the ever evolving application and API cyber threat landscape?
Securing HTTP/2 and gRPC based applications
So you developed a high performance HTTP/2 application that uses gRPC as its API framework but now your security team is trying to work out how to secure it. As with a great deal of application development, security often gets left by the way side and gets treated as an afterthought.
In May 2020 Imperva released full support for transporting and securing gRPC based applications over its highly optimized CDN. At the time of writing this article no major cloud Application Security and CDN service provider (other than Imperva) had the ability to transport and also securely inspect gRPC application traffic for vulnerabilities and threats. This stems from the underlying fact most other CDN providers don’t have the ability to communicate using HTTP/2 between their network edge (POP) and an application origin server that is running a native HTTP/2 application. This is of course a basic requirement for gRPC to work. Many providers will say they support HTTP/2, but what do they really mean by this? Well they only support this protocol between the client (browser) and their network edge (POP). Between their network edge and your origin servers they downgrade and revert to HTTP/1.1.
Sure between the client and the edge there is the ability to use HTTP/2 to perform some content delivery optimizations. Imperva provides this capability to enhance the performance of HTTP/1.1 applications. But because other vendors don’t provide HTTP/2 all the way through to the application server itself the full performance benefits of native HTTP/2 applications are not able to be realized and API protocols like gRPC simply won’t work.
The good news for digital transformation, DevOps and security teams is that Imperva’s Cloud Application Security & Delivery Platform (formally Incapsula) provides edge to origin HTTP/2 and gRPC support. This allows native HTTP/2 and gRPC applications to take full advantage of all the HTTP/2 performance benefits totally leaving HTTP/1.1 in the garden shed. With this also comes Imperva’s industry first and leading ability to perform full security inspection of gRPC traffic. This ensures that the same industry leading WAF policies and signatures Imperva uses to protect traditional HTTP/1.1 applications from vulnerability exposures also fully apply to gRPC based applications. This provides your gRPC applications with instant protection against all the OWASP threats plus many others. For security teams looking to ensure there is security control consistency across all applications in their environment this is exceptionally important.
Using the Imperva Cloud Application Security & Delivery Platform (formally Incapsula) allows native HTTP/2 and gRPC application developers to release their applications knowing that they are secured and protected by industry leading WAF security controls. In addition Digital Experience teams can rest assured that Imperva’s CDN routing optimization and edge based caching technology is accelerating the delivery of content to users.