Questions tagged [api-gateway]

22 questions
13 votes, 2 answers

Would a reverse-proxy authentication server be a secure setup?

I work at a small consultancy and we often make web apps for our clients. One part of the web app that is often repetitive to write is the authentication system. In a lot of our web apps we would like to support OAuth login from the various…
5 votes, 4 answers

Security considerations of consuming public API

I have a website and I want to consume a public API from third-party services such as Zoopla, weather etc. I want to ensure I do not consume malicious code/malware from the data retrieved from the 3rd-party services. What are the security checks/best…
Architect
4 votes, 1 answer

How to use OAuth2 and JWT to secure a microservice architecture?

We have been investigating a proper mechanism to secure microservices that we are going to provide as API endpoints via an API manager application. Fundamentally we need a stateless security mechanism like JWT to secure each API endpoint. We thought to…
3 votes, 2 answers

What's the difference between an API gateway and XML gateway?

I'm studying for the CCSP exam and am confused on the difference between an "API gateway" and "XML gateway". The training material I have states: API gateways are also an important part of a layered security model. They can be used to impose…
Mike B
3 votes, 1 answer

OAuth2 Implicit Flow: Possible Attack Vectors of Refreshing Token via CORS?

We are currently implementing a Single Page Application (Angular2) and thus have run into the standard "how do we secure our backend API" problem. The standard solution to this is apparently to use the OAuth2 Implicit Grant Flow, which is all fine. We…
donmartin
3 votes, 1 answer

What security controls should be in the API Gateway and what in the webservices?

Nowadays web services are used a lot and a "new" kind of product is in the streets: the API Gateway. This solution is published to the Internet, receives the requests for web services from external parties and mobile apps, does some security…
Eloy Roldán Paredes
2 votes, 0 answers

Where should rate limit be applied?

I would like to hear the best recommendations about where to apply rate limits on APIs. We use k8s (microservices) with an ingress controller that is behind an API gateway, which is behind a firewall. The ingress controller and API gateway are on…
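The layering the question describes (firewall, then API gateway, then ingress) is usually answered with two limits keyed on different things: a coarse per-source-IP bucket at the edge, before any token has been checked, and a per-authenticated-subject bucket at the gateway, after it has. The following is an added example, not code from the question or from any particular gateway product; the bucket sizes, IP, subject names and the `TieredLimiter` class are constructed for illustration.

```python
import time
from typing import Dict, List, Optional, Tuple


class TokenBucket:
    """Per-key token bucket: at most `burst` tokens, refilled at `rate` tokens/second.
    `now` is injectable so the behaviour is reproducible offline."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self._state: Dict[str, Tuple[float, float]] = {}  # key -> (tokens, last_seen)

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        tokens, last = self._state.get(key, (float(self.burst), now))
        tokens = min(float(self.burst), tokens + (now - last) * self.rate)
        if tokens < 1:
            self._state[key] = (tokens, now)
            return False
        self._state[key] = (tokens - 1, now)
        return True


class TieredLimiter:
    """Edge limit first (keyed by source IP, protects the gateway and the token
    endpoints that have no identity yet), then the gateway limit keyed by the
    authenticated subject so one tenant cannot starve another and users behind
    a shared NAT address are not throttled together."""

    def __init__(self, edge: TokenBucket, gateway: TokenBucket):
        self.edge, self.gateway = edge, gateway

    def admit(self, src_ip: str, subject: Optional[str], now: float) -> str:
        """Returns 'ok', 'throttled_edge' or 'throttled_subject'.
        Unauthenticated requests (subject is None) only see the edge limit."""
        if not self.edge.allow(src_ip, now):
            return "throttled_edge"
        if subject is not None and not self.gateway.allow(subject, now):
            return "throttled_subject"
        return "ok"


def simulate(limiter: TieredLimiter, traffic: List[Tuple[float, str, Optional[str]]]) -> List[str]:
    """Constructed traffic: (timestamp, source ip, authenticated subject or None)."""
    return [limiter.admit(ip, sub, t) for t, ip, sub in traffic]


if __name__ == "__main__":
    # Constructed limits: edge allows a burst of 3 per IP, gateway a burst of 2 per subject.
    lim = TieredLimiter(TokenBucket(rate=1, burst=3), TokenBucket(rate=1, burst=2))
    traffic = [(0.0, "203.0.113.7", "alice")] * 3 + [(0.0, "203.0.113.7", "bob"),
               (1.0, "203.0.113.7", "bob"), (1.0, "203.0.113.7", "alice"), (5.0, "203.0.113.7", None)]
    for req, verdict in zip(traffic, simulate(lim, traffic)):
        print(req, "->", verdict)
```

The order matters: a request rejected at the edge never reaches the subject bucket, so in the constructed run above "bob" is refused at t=0 even though his own bucket is full, while at t=1 "alice" is refused at the edge although her subject bucket has refilled. The edge limit is what keeps the gateway's token validation from becoming the resource an attacker exhausts; the subject limit is what keeps one valid client from consuming the quota of the others.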
2 votes, 1 answer

Can we prevent DDoS or spam form submission with client authentication?

There is a public query form in my web app, and the architecture team is asking to authenticate the web app with OAuth2 like this, but I don't believe it will be of any help. I believe the best way to protect is by reCAPTCHA. Can we prevent DDoS or spam form…
smali
2 votes, 1 answer

How can I enumerate all endpoints of an API?

Let's say I have an API api.example.com and I want to test all endpoints. I don't have access to documentation; how can I enumerate all the endpoints?
john
2 votes, 0 answers

Concerns when passing all OPTIONS requests through authorization proxy gateway

I have a React based application which uses RESTful services on a backend distributed on a private network. To communicate with such services using AJAX, the client application sends all its requests through a proxy gateway. Something like this: My…
Kunok
1 vote, 0 answers

Generate a new AccessToken each time a user updates his information

I'm building a PWA app, where I implemented JWT tokens to auth users. I have 2 main architecture problems, but let me introduce what I'm building. I'm building an application that is all about dog lovers; this application is to post lost dogs, post…
1 vote, 0 answers

Integrating web applications into our payment API. How to ensure the integrity of the payment process?

We will be creating a brand new application soon that handles online payments for our firm. We now have several different web applications (in different technologies) running that will all be integrated into our online payment system and we are…
1 vote, 0 answers

Security aspect in the API gateway area

I am currently planning security testing procedures within an API gateway. We want to define in advance what we expect to be covered on the security level. Scanning REST APIs (see http://docs.w3af.org/en/latest/scan-rest-apis.html) SQL…
Mornon
0 votes, 1 answer

Should resource servers behind an API gateway independently verify authentication claims?

Is it considered OK to "authenticate" via unverifiable plain-string headers simply asserting a principal name (User-ID: 12345), as long as this is behind an API gateway that does verify authentication? In addition to their basic purpose as a reverse…
Joshua Honig
0 votes, 0 answers

Threats for static webpage or read-only APIs

We have a requirement for a webpage (similar to this) that needs to be available to anonymous public users. The webpage is static and contains spatial information that is updated by a backend server. There are also several ways of retrieving this…