If the connection from clients to your API gateway isn't encrypted, all messages you send and receive are out in the open for all to read. In looking for a way in, attackers will make use of all features of an API, even the undocumented ones; security by obscurity is not a realistic defense measure.
By definition, APIs provide programmatic access to your application, making them a large attack vector for malicious actors. Brute force attacks can be used to discover login credentials, giving attackers access to a user's account and a platform from which to seek out more vulnerabilities. By including invalid content in an API request, malicious code can be injected directly into a system; SQL injection and cross-site scripting are the best known forms of this attack. Denial of service and distributed denial of service attacks can be used to take an application offline by hitting it with more requests than it can handle and consuming all its resources.
An API gateway decouples the backend microservices from the public interface of your application, providing a central access point for your APIs. While this simplifies access to the application for clients, it also provides a central platform for implementing security best practices, applying them consistently to all your APIs.
Whether you've inherited an existing API gateway or you're conducting a security audit of your existing setup, one of the first items on your list should be to ensure all communications between the API gateway and clients are sent over HTTPS, even if authentication is not required. For content that should be restricted to logged in users, a reliable, secure authentication method is essential. This includes following API authentication best practices to make it much harder for attackers to impersonate a valid user by discovering their username and password. Both of these features can be implemented at the API gateway level, rather than on the individual microservices. This avoids duplication of effort for developers and ensures a consistent approach across your application.
When defending against other types of threat, such as denial of service, brute force and injection, an API gateway offers an additional line of defense. While injection attacks can be guarded against with server-side and client-side validation on the data being sent, a regex check at the API gateway can prevent malicious code reaching the server side. Rate limiting, request/response size limiting and throttling can be used not just to manage spikes in activity but to defend against repeated calls from attackers or bots. Adding logging to an API gateway provides an audit trail for all calls made to your APIs, so you can verify what data has been accessed.
By combining the data available from these tools, it's possible to build up a picture of the traffic hitting your application at any one time. A web application firewall (WAF) analyzes this data in real time to identify potential threats. Malicious actors can be blocked automatically, with machine learning applied to constantly improve the service.
Of course, all of these measures can be compromised if an attacker gains admin access to your API gateway. The Kong API Gateway provides a fully-secured, RBAC-controlled Admin API that can be additionally secured against unauthorized use with network layer access restrictions, specified IP ranges for access from outside the network and fine-grained access control by using Kong as a proxy to access its own API.
As well as the security measures discussed above, you can further improve the security of an API gateway by factoring this into the design phase. When building an API gateway, consider which endpoints need to be exposed and to whom.
Many API gateways fall into the trap of exposing too much information and relying on the client to filter out any unnecessary data. Those extra details can be gold dust in the wrong hands, providing insight into your application architecture with verbose stack traces or even giving access to data that should not be available. Designing endpoints and error codes to meet the intended use cases but no more than that avoids too much information being exposed.
In a similar vein, the HTTP headers included in a response from a REST API can include information about the server and platform which can be used to exploit the system. By applying a transformation to a response at the API gateway, you can sanitize the outbound data to send only what is needed.
If your application has multiple different use cases, such as mobile apps, IoT devices and integration with internal systems, consider creating separate API gateways for each one. This avoids exposing endpoints that are only intended for internal use, for example, to the wider world. To prevent unauthorized access, an API gateway for internal applications can be restricted to your organization's network or operate a whitelist of authorized clients.
Finally, it's essential to keep track of your APIs: ensure you remove any APIs that are no longer in use and deprecate old versions which do not include new security measures implemented at the application level. Managing your APIs through an API gateway gives you oversight of all your APIs and the ability to measure and analyze their usage.
Ever wonder how Netflix streams to millions of users without crashing? Or how Amazon powers billions of transactions daily? The secret sauce behind these scalable, resilient behemoths is microservices architecture. If you're a developer or architect
In this article, which is based on my talk at VueConf Toronto 2023, we'll explore how to harness the power of Vue.js and micro frontends to create scalable, modular architectures that prioritize the developer experience. We'll unveil practical strate
Kong customers include some of the most forward-thinking, tech-savvy organizations in the world. And while we’re proud to help them innovate through traditional APIs, the reality is that their ambitions don’t stop there. Increasingly, our customers a
In the SaaS world, providers must offer tenant isolations for their customers and their data. This is a key requirement when offering services at scale. At Kong, we've invested a lot of time to provide a scalable and seamless approach for developers
Open source software has become an indispensable component of modern software development. With its easy accessibility, it offers numerous benefits such as cost savings, flexibility, and collaborative innovation. Since the use of open source componen
If you take a step back and think about today’s software development landscape, you could argue that documentation is just as important as the code itself. That’s because traditional documentation workflows — where documentation is manually updat
As cybersecurity takes the main stage, organizations face a significant challenge: how do you strike a balance between maintaining a high level of security and ensuring employees have enough data access to perform their jobs properly? Role-based ac
