Questions tagged [api-gateway]
22 questions
13
votes
2 answers
Would a reverse-proxy authentication server be a secure setup?
I work at a small consultancy and we often make web apps for our clients. One part of the web app that is often repetitive to write is the authentication system. In a lot of our web apps we would like to support OAuth login from the various…
illabout
- 233
- 1
- 2
- 5
5
votes
4 answers
Security considerations of consuming public API
I have a website and i want to consume public API from third party services such as Zoopla, weather etc.
I want to ensure i do not consume malicious code/malware from the data retrieved from the 3rd party services.
What are the security checks/best…
Architect
- 631
- 1
- 6
- 9
4
votes
1 answer
How to use Oauth2 and JWT to secure microservice architecture?
We have been investigating proper mechanism to secure microservises that we are going to provide as API endpoints via API manager application.
Fundamentally we need stateless security mechanism like JWT to secure each API endpoint.
We thought to…
Nuwan Attanayake
- 141
- 1
- 3
3
votes
2 answers
What's the difference between an API gateway and XML gateway?
I'm studying for the CCSP exam and am confused on the difference between an "API gateway" and "XML gateway". The training material I have states:
API gateways are also an important part of a layered security model.
They can be used to impose…
Mike B
- 3,336
- 4
- 29
- 39
3
votes
1 answer
OAuth2 Implicit Flow: Possible Attack Vectors of Refreshing Token via CORS?
We are currently implementing a Single Page Application (Angular2) and thus have run into the standard "how do we secure our backend API" problem.
The standard solution to this apparently to use the OAuth2 Implicit Grant Flow, which is all fine. We…
donmartin
- 166
- 7
3
votes
1 answer
What security controls should be in the API Gateway and what in the webservices?
Nowadays webservices are used a lot and a "new" kind of product is in the streets: the API Gateway. This solucion is published to Internet, receives the requests for webservices from external parties and mobile apps, do some security…
Eloy Roldán Paredes
- 1,507
- 12
- 25
2
votes
0 answers
Where should rate limit be applied?
I would like to hear the best recommendations about where to apply rate limit on APIs. We use k8s (microservices) with an ingress controller that is behind an API gateway, that is behind a firewall.
The ingress controller and API gateway are on…
Felipe Emerim
- 131
- 1
2
votes
1 answer
Can we prevent DDoS or spam form submission with client authentication?
There is a public query form in my web app, and architecture team asking to authenticate the web app with OAuth2 like this, but I don't believe it will be of any help.
I believe best way to protect is by reCAPTCHA.
Can we prevent DDoS or spam form…
smali
- 143
- 1
- 7
2
votes
1 answer
How I can enumerate all endpoints of an API?
Let's say I have an API api.example.com and I want to test all endpoints. I don't have access to documentation, how I can enumerate all the endpoints?
john
- 139
- 2
- 5
2
votes
0 answers
Concerns when passing all OPTIONS requests through authorization proxy gateway
I have a React based application which uses RESTful services on backend distributed on private network. To communicate with such services using AJAX, client application sends all its request through proxy gateway. Something like this:
My…
Kunok
- 121
- 3
1
vote
0 answers
Generate new AccessToken each time user update his Information
im building a PWA app , where i implemented jwt token to auth users.
i have 2 main architecture problems ,but let me introduce you what im building .
i'm Building application that is all about dog lovers , this application is to post lost dogs, post…
Natanel Soussana
- 11
- 1
1
vote
0 answers
Integrating web applications into our payment API. How to ensure the integrity of the payment process?
We will be creating a brand new application soon that handles online payments for our firm. We now have several different web applications (in different technologies) running that will all be integrated into our online payment system and we are…
Steven Lemmens
- 111
- 2
1
vote
0 answers
Security aspect in the API gateway area
I am currently planning security testing procedures within an API gateway. We want to define in advance what we expect to be covered on the security level.
Scanning REST APIs
(see http://docs.w3af.org/en/latest/scan-rest-apis.html)
SQL…
Mornon
- 131
- 6
0
votes
1 answer
Should resource servers behind an API gateway independently verify authentication claims?
Is it considered OK to "authenticate" via unverifiable plain-string headers simply asserting a principal name (User-ID: 12345), as long as this is behind an API gateway that does verify authentication?
In addition to their basic purpose as a reverse…
Joshua Honig
- 103
- 3
0
votes
0 answers
Threats for static webpage or read-only APIs
We have requirement for webpage (similar to this) that need to be available to anonymous public user. The webpage is static and contains spatial information that are updated by backend server. There are also several ways of retrieving this…