How to Integrate Approov With F5 BIG-IP, F5 Distributed Cloud API Security, and NGINX App Protect WAF

The mobile app visibility and protection provided by Approov enhances the backend security already deployed in F5 application security, providing a reliable way to stop any mobile bot traffic. This article shows step-by-step how to do it.

Introduction

Backend app sec gives you web bot detection and behavioral detection, and Approov’s expertise in mobile API security gives you app and device visibility and attestation. In hybrid environments where users interact with both a web app and a mobile app, using backend app security for web protection and Approov for mobile API security ensures that bots cannot simply shift from web to mobile APIs.

Approov can work with any backend security solution because the result of the app and device attestation analysis is captured in a standard JWT token, integrated into every request. This makes the backend API checking straightforward since almost all backend app security solutions (and any languages and technologies) support JWT checking.

All you need to do is integrate the lightweight platform-specific Approov SDK with your app and then start checking Approov tokens. For the mobile app integration, there are SDK quickstarts available for native or cross-platform apps on iOS, Android and HarmonyOS.

This layered approach covers multiple entry points while isolating security strategies based on interaction type, ensuring more precise control over legitimate and illegitimate access.

For backend integration, a range of backend quickstarts is likewise available.

If there isn't already a quickstart for an integration you need, we provide other tools to make it easy for you to do it yourself or you can talk to us about what you need.

This article gives a step by step guide to integration with F5 BIG-IP, F5 Distributed Cloud API Security, and NGINX App Protect WAF.

Step by Step Guide to Integrating Approov with BIG-IP, F5 Distributed Cloud API Security, and NGINX App Protect WAF

F5 have three distinct solutions which address API security: BIG-IP, F5 Distributed Cloud API Security, and NGINX App Protect WAF. If you are reading this, you are most likely already using one of these F5 security solutions, chosen for your particular use case. The integration approach will differ based on the solution you have deployed.

Which Should You Choose?

  • Scenario: Global mobile app with public APIs. Best option: F5 Distributed Cloud — fast, secure, and scalable JWT checks with zero infrastructure overhead.
  • Scenario: On-prem enterprise with strict network/security policies. Best option: BIG-IP AWAF — integrate Approov using iRules and sideband JWT validation without moving workloads.
  • Scenario: DevOps teams using Kubernetes or edge microservices. Best option: NGINX + Lua — customizable and efficient JWT validation in container-native stacks.


Integrating Approov token checking with F5's API security solutions (including BIG-IP, F5 Distributed Cloud API Security, and NGINX App Protect WAF) involves configuring your F5 infrastructure to enforce validation of Approov’s short-lived, signed JWT tokens. The goal is to ensure that only legitimate mobile apps—verified by Approov—can access protected APIs.

Below is a detailed guide for integrating Approov token checking into the three major F5 platforms.


Integration Objective

Block unauthorized API traffic by validating the Approov-Token JWT issued only to untampered, legitimate mobile apps via the Approov SDK.

Integration Options by F5 Product

1. F5 BIG-IP Advanced WAF (LTM + ASM / AWAF)

Steps:

  1. Extract and validate the Approov token. Create an iRule to:
    • Inspect incoming HTTP headers for Approov-Token.
    • Reject requests where the header is missing or malformed.
    • Optionally validate the signature using a sideband service.

Sample iRule (basic token presence and format check; it does not verify the signature):

when HTTP_REQUEST {
    # Reject outright when the Approov-Token header is absent
    if { ![HTTP::header exists "Approov-Token"] } {
        HTTP::respond 403 content "Missing Approov token"
        return
    }
    set jwt_token [HTTP::header "Approov-Token"]
    # Structural check only: three base64url segments separated by dots.
    # Signature verification is left to the sideband service in step 2.
    if { ![regexp {^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$} $jwt_token] } {
        HTTP::respond 403 content "Invalid token format"
        return
    }
}

  2. (Optional) Sideband token verification:
    • Call an internal microservice (e.g., hosted in AWS or on-prem) to verify the Approov JWT using the shared secret.
    • Based on the response (200 OK vs. 403), allow or reject the request.

  3. Apply the iRule to the Virtual Server protecting your API.
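The following is an added example, not Approov's or F5's code: the decision logic such a sideband microservice would expose to BIG-IP, written in Python with only the standard library. It assumes the service receives the request headers forwarded by the iRule and answers 200 (allow) or 403 (reject). The secret, device ID and clock values are constructed for the demo, and the mint_demo_token helper stands in for the Approov cloud service that normally issues the tokens. Beyond the structural check the iRule performs, it pins the algorithm to HS256 so the token cannot pick its own, compares the HMAC in constant time, and rejects expired tokens and tokens without a did (device ID) claim.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

HEADER_NAME = "Approov-Token"
# Constructed demo secret (hypothetical); a real deployment loads the Approov
# shared secret from secure config or a secrets manager, never from source.
DEMO_SECRET = b"demo-shared-secret-not-for-production"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment without padding, as JWT segments are encoded."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_demo_token(secret: bytes, claims: dict) -> str:
    """Demo-only issuer: builds an HS256 JWT the way the Approov cloud service
    would, so the verifier below has realistic input to work on."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_approov_token(token: str, secret: bytes, now: Optional[int] = None) -> Tuple[bool, str]:
    """Full check of an Approov-Token: structure, pinned algorithm, HMAC signature,
    expiry (exp) and device ID (did). Returns (ok, reason)."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3 or not all(parts[:2]):
        return False, "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except ValueError:  # covers base64, UTF-8 and JSON decoding errors
        return False, "undecodable token"
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return False, "undecodable token"
    # Pin the algorithm server-side: the token must never choose its own
    # (this rejects alg=none and HS256/RS256 confusion attempts).
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    exp = payload.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)):
        return False, "missing exp"
    if now >= exp:
        return False, "token expired"
    if not payload.get("did"):
        return False, "missing did"
    return True, "ok"


def sideband_decision(headers: dict, secret: bytes, now: Optional[int] = None) -> Tuple[int, str]:
    """What the sideband endpoint answers BIG-IP: (HTTP status, reason).
    200 means allow the request through, 403 means reject it."""
    token = headers.get(HEADER_NAME)
    if not token:
        return 403, "missing token"
    ok, reason = verify_approov_token(token, secret, now)
    return (200 if ok else 403), reason


if __name__ == "__main__":
    clock = 1_700_000_000  # constructed fixed clock so the demo is reproducible
    fresh = mint_demo_token(DEMO_SECRET, {"exp": clock + 300, "did": "demo-device-id"})
    print(sideband_decision({HEADER_NAME: fresh}, DEMO_SECRET, clock))  # (200, 'ok')
    stale = mint_demo_token(DEMO_SECRET, {"exp": clock - 1, "did": "demo-device-id"})
    print(sideband_decision({HEADER_NAME: stale}, DEMO_SECRET, clock))  # (403, 'token expired')
```

Run the file directly to see both decisions printed. In a deployment the sideband_decision function would sit behind the internal HTTP endpoint the iRule calls, the reason string would go to your logs rather than to the client, and the secret would come from a secrets manager as the summary table advises.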

2. F5 Distributed Cloud (XC) API Security Gateway


This cloud-native platform is ideal for API security and JWT handling.

Steps:

  1. Configure JWT validation in the HTTP Load Balancer or App Firewall:
    • Navigate to your HTTP Load Balancer configuration in the XC Console.
    • Under Request Transformation, enable JWT validation and specify:
      • Header: Approov-Token
      • Signing algorithm: HS256
      • Shared secret from your Approov account (entered securely)
      • Required claims (e.g., exp, sub, did)

  2. Set the rejection behavior for:
    • Missing token
    • Invalid or expired signature
    • Any other failure

  3. (Optional) Create per-route rules to enforce Approov validation only on critical APIs.

  4. Monitor failed validations via F5’s observability and logging tools.

3. F5 NGINX (Plus or with App Protect WAF)

Ideal for lightweight or edge gateway use cases.

Steps:

  1. Use NGINX Lua for JWT verification. Add the following dependencies:
    • lua-resty-jwt
    • lua-resty-hmac (for HS256)
    • lua-resty-string

  2. Sample Lua JWT verification (simplified), saved as /etc/nginx/lua/verify_approov.lua:

local jwt = require "resty.jwt"

-- Shared secret from your Approov account: load it from secure config rather
-- than hard-coding it. If you exported it base64 encoded with the Approov CLI,
-- decode it (e.g. ngx.decode_base64) before using it as the HMAC key.
local secret = "YOUR_SHARED_SECRET"

local token = ngx.req.get_headers()["Approov-Token"]
if not token then
    ngx.log(ngx.WARN, "approov: missing token")
    return ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- Verifies the HS256 signature; jwt_obj.reason explains any failure
local jwt_obj = jwt:verify(secret, token)
if not jwt_obj.verified then
    ngx.log(ngx.WARN, "approov: ", jwt_obj.reason)
    return ngx.exit(ngx.HTTP_FORBIDDEN)
end

-- Claim check: reject tokens that have no expiry or have already expired
local payload = jwt_obj.payload
if not payload.exp or payload.exp < ngx.time() then
    ngx.log(ngx.WARN, "approov: token expired")
    return ngx.exit(ngx.HTTP_FORBIDDEN)
end
-- Optional: also check the sub and did claims as your policy requires

  3. Load this into your NGINX configuration via:

location /api/ {
    # Run the Approov check before proxying; ngx.exit(403) in the script
    # stops the request here
    access_by_lua_file /etc/nginx/lua/verify_approov.lua;
    proxy_pass http://your_backend;
}

  4. (Optional) Use NGINX App Protect WAF to layer in bot protection and DoS mitigation alongside Approov.

Logging & Monitoring

  • Enable detailed logging on F5 (LTM logs, XC observability, or NGINX logs) for:
    • Token validation failures
    • Missing or expired tokens
    • Suspicious traffic sources
  • Use the Approov dashboard to correlate token rejection events with mobile app/device integrity issues (e.g., root/jailbreak detection).
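An added example, not part of the original article, of the triage that the monitoring step above calls for: a small Python script that parses NGINX error-log lines produced by an access_by_lua script logging ngx.log(ngx.WARN, "approov: <reason>"), counts rejections by reason, and flags clients whose rejection count crosses a threshold so they can be cross-checked in the Approov dashboard. The "approov: <reason>" prefix is this example's own convention, not an NGINX or Approov format, and the log lines are constructed sample data.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample NGINX error-log lines (not real traffic). They follow the
# shape NGINX gives ngx.log() output from an access_by_lua script; the
# "approov: <reason>" text is this example's convention.
SAMPLE_ERROR_LOG = """\
2024/05/01 12:00:01 [warn] 1234#0: *56 [lua] verify_approov.lua:20: approov: missing token, client: 203.0.113.5, server: api.example.com, request: "GET /api/v1/orders HTTP/1.1", host: "api.example.com"
2024/05/01 12:00:02 [warn] 1234#0: *57 [lua] verify_approov.lua:20: approov: missing token, client: 203.0.113.5, server: api.example.com, request: "GET /api/v1/orders HTTP/1.1", host: "api.example.com"
2024/05/01 12:00:02 [warn] 1234#0: *58 [lua] verify_approov.lua:33: approov: token expired, client: 198.51.100.7, server: api.example.com, request: "POST /api/v1/cart HTTP/1.1", host: "api.example.com"
2024/05/01 12:00:03 [error] 1234#0: *59 open() "/usr/share/nginx/html/favicon.ico" failed (2: No such file or directory), client: 198.51.100.7, server: api.example.com, request: "GET /favicon.ico HTTP/1.1", host: "api.example.com"
2024/05/01 12:00:04 [warn] 1234#0: *60 [lua] verify_approov.lua:27: approov: signature verification failed, client: 203.0.113.5, server: api.example.com, request: "GET /api/v1/orders HTTP/1.1", host: "api.example.com"
2024/05/01 12:00:05 [warn] 1234#0: *61 [lua] verify_approov.lua:27: approov: signature verification failed, client: 192.0.2.9, server: api.example.com, request: "GET /api/v1/profile HTTP/1.1", host: "api.example.com"
2024/05/01 12:00:06 [warn] 1234#0: *62 [lua] verify_approov.lua:20: approov: missing token, client: 203.0.113.5, server: api.example.com, request: "GET /api/v1/orders HTTP/1.1", host: "api.example.com"
"""

# Captures timestamp, level, rejection reason, client IP, method and path.
REJECTION_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] .*?approov: (?P<reason>[^,]+), '
    r'client: (?P<client>[^,]+), .*?request: "(?P<method>\S+) (?P<path>\S+) '
)


def parse_rejections(log_text: str) -> List[Dict[str, str]]:
    """One event per Approov rejection line; unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        match = REJECTION_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def rejections_by_reason(events: List[Dict[str, str]]) -> Counter:
    """Breakdown that separates missing/expired tokens from signature failures."""
    return Counter(e["reason"] for e in events)


def rejections_by_client(events: List[Dict[str, str]]) -> Counter:
    return Counter(e["client"] for e in events)


def suspicious_clients(events: List[Dict[str, str]], threshold: int = 3) -> List[str]:
    """Clients with at least `threshold` rejections: the 'suspicious traffic
    sources' worth cross-checking against the Approov dashboard."""
    counts = rejections_by_client(events)
    return sorted(client for client, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    evts = parse_rejections(SAMPLE_ERROR_LOG)
    print(rejections_by_reason(evts))
    print(rejections_by_client(evts))
    print(suspicious_clients(evts))  # ['203.0.113.5']
```

The threshold and window are deliberately simple; in practice you would feed the same parsed events into whichever SIEM or observability tool already receives your F5 logs and tune the threshold to your traffic, keeping the token itself out of the log line as the next section advises.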

Bonus: Secure Token Transport

  • Ensure TLS with dynamic pinning (Approov handles this in the SDK).
  • Avoid caching or logging the Approov-Token.

Summary Table


Component                   Method
BIG-IP AWAF                 iRule + optional sideband token check
F5 Distributed Cloud        Native JWT verification in App Gateway
NGINX (Plus/App Protect)    Lua-based JWT validation in access_by_lua
Token Format                JWT with HS256 (or optional asymmetric key)
Header Name                 Approov-Token
Key Storage                 Secure config / secrets manager