Collaborate Disseminate
Is this a good approach to preventing the leakage of secrets?
Say I had a simple setup where Alice holds the secret to access Bob, and Charlie has basic shell access to Alice (with a different auth method). Charlie echoing "$BOB_SECRE… Continue reading Intercept calls to authenticated 3rd-party APIs, to automatically add auth keys?
We’re doing a PoC on a new API Security/WAF tool, and we’re planning to place this solution out-of-ban rather than inline. So traffic wont go through the solution and we’ll send the mirrored traffic to analyze in the new solution.
My quest… Continue reading Can API Security/WAF tools decrypt "mirrored" traffic?
I’m toying with the idea of terminating JWT after gateway ingress, and looking to see what sort of attack patterns would result.
Prerequisites:
Communication between services would use mTLS to encrypt and verify traffic
The target platfor… Continue reading Decorating headers after JWT authentication
We are developing a system that comprises of
Component A: Client Application
Component B: Gateway API
Component C: Backend Web API providing functionality (will be a set of
microservices C1, C2 etc)
All components are registered applicat… Continue reading Authorizing Access using AD with an API Gateway
I’m building a public HTTP JSON API using API Gateway with ID token authentication.
I now need a server that acts on behalf of users. Users message that server using a third party (think Signal or WhatsApp) and the server calls some API me… Continue reading OAuth2/Cognito: Let trusted server act on behalf of user
I have a old Spring Cloud gateway working with Keyclock server. I don’t have Web UI for login because the project is a Rest API. OAuth 2.0 is used with Grant type password.
I want to migrate to OAuth 2.1 but Grant type password is deprecat… Continue reading Migrate OAuth 2.0 to OAuth 2.1
Is it considered OK to "authenticate" via unverifiable plain-string headers simply asserting a principal name (User-ID: 12345), as long as this is behind an API gateway that does verify authentication?
In addition to their basic … Continue reading Should resource servers behind an API gateway independently verify authentication claims?
We have requirement for webpage (similar to this) that need to be available to anonymous public user. The webpage is static and contains spatial information that are updated by backend server. There are also several ways of retrieving this… Continue reading Threats for static webpage or read-only APIs
I would like to hear the best recommendations about where to apply rate limit on APIs. We use k8s (microservices) with an ingress controller that is behind an API gateway, that is behind a firewall.
The ingress controller and API gateway a… Continue reading Where should rate limit be applied?
If an api in aws api-gateway has a rate-limiting usage plan and a Web ACL WAF rate rule, which will be applied first?
Does a WAF rate rule provide additional protection that kicks in before the usage plan?
Continue reading aws api gateway – usage plan rate limiting vs WAF rate rule [closed]