The latest news and announcements about Kong, our products, and our ecosystem, as well as voices from across our community.
From smart homes to wearable devices to connected cars, the Internet of Things (IoT) is bringing about a new era of hyper-connectivity. Experts expect investments in the IoT ecosystem to rise above $1 trillion in 2026 — with no signs of slowing down. Application programming interfaces (APIs) are…
[](/blog/enterprise/iot-api-security-guide)
In a previous blog post , we discussed the prevalence of bearer tokens (or access tokens) to restrict access to protected resources, the challenges the sheer nature of bearer tokens present, and available mitigations. To recap, presenting a bearer token is proof enough of an authorization grant to…
[](/blog/engineering/demonstrating-proof-of-possession-dpop-preventing-illegal-access-of-apis)
OAuth 2.0 is the current gold standard for secure delegated authorization. The reason is simple: OAuth puts control back in the hands of the users. It enables users to securely grant access to their resources without having to share passwords with third-party applications. Hence, it's one of the…
[](/blog/engineering/3-extensions-to-improve-security)
Two of the main tenets of Zero Trust are encryption between services and managing the connections each service is allowed to use. Achieving this generally falls to running a service mesh in a Kubernetes cluster. Refactoring applications to run properly in Kubernetes takes time and considerable…
[](/blog/engineering/zero-trust-on-vms-with-universal-mesh)
In the age of surgical robots, smart refrigerators, self-driving vehicles, and unmanned aerial vehicles, connectivity undoubtedly is a foundational block for our modern world. As we move further into the 2020s, this connectivity has expanded to encompass emerging technologies like 5G networks ,…
[](/blog/enterprise/5-architectural-patterns-for-securing-connectivity-at-scale)
"The whole is more than the sum of its parts." Aristotle is credited with this quote, and it's true in the world of data. Legacy systems typically approached their role in a limited manner. Each system was intended to be used by a certain user set and handle well-defined processes and associated…
[](/blog/engineering/api-gateway-federation)
In the modern IT stack, API gateways act as the first line of defense against attacks on backend services by enforcing authentication/authorization policies and validating and transforming requests. When backend services are protected with a token-based approach, client applications must obtain an…
[](/blog/engineering/zero-trust-oauth-2-0-mtls-client-authentication)
With digital transformation shifting networks into the cloud — from remote workforces to online banking — cyberattacks are growing more prevalent and sophisticated. Legacy security models like VPNs and perimeter-based firewalls are proving inadequate in addressing modern threats because perimeters…
[](/blog/engineering/microsegmentation-and-zero-trust-security)
The first release of Kong Mesh for 2024 (version 2.6) brings many new features that ease day 0 for new starters of service mesh reinforcing our goal of making a simple yet powerful product! In this blog, we'll break down these new features and provide tailored use cases to illustrate how Kong Mesh…
[](/blog/product-releases/kong-mesh-2-6)
With its flexible querying capabilities, GraphQL makes it easy to combine data from multiple sources into a single endpoint. GraphQL and API management go hand in hand to build next-generation API platforms. However, GraphQL's features can also introduce security risks if not properly…
[](/blog/engineering/graphql-security-vulnerabilities)This post is part of a series on becoming a secure API-first company. For a deeper dive, check out the eBook Leading Digital Transformation: Best Practices for Becoming a Secure API-First Company. As APIs have become mission-critical , securing them against threats is crucial. APIs are an…
[](/blog/engineering/layered-security-for-managing-apis)
In token-based architecture, tokens represent the client’s entitlement to access protected resources. Access tokens (or bearer tokens as they're commonly known) are issued by authorization servers after successful user authentication. The tokens are passed as credentials in the request to the…
[](/blog/engineering/mtls-sender-constrained-tokens)
Kong Gateway Enterprise 3.5 is packed with security features to support the use cases demanded by our enterprise customers through major improvements in Secrets Management integrations and our Open-ID Connect (OIDC) plugin. Additionally, we’ve added key security updates for a few of our AWS…
[](/blog/product-releases/kong-gateway-enterprise-3-5)
At Kong, the security and reliability of our products have always been paramount. In light of the recent discovery of the Novel HTTP/2 ‘Rapid Reset’ DDoS attack ( CVE-2023-44487 ), we have taken steps to proactively address potential issues. Today we’re providing guidance on how our users can best…
[](/blog/product-releases/novel-http2-rapid-reset-ddos-vulnerability-update)In today’s modern digital environment, more organizations are relying on remote work than ever before. While this shift has given companies unprecedented flexibility when it comes to deploying their workforce, it has also presented challenges in keeping their devices, operations, and personnel…
[](/blog/engineering/ztna-vs-vpns)Secure your AI infrastructure with prompt guards, PII sanitization, and centralized governance. Control LLM costs with token-based rate limiting and semantic routing across providers.