1. Log the critical parameters (client IP, timestamp, etc.) for monitoring and analytics
2. Authenticate and authorize the request
3. Apply rate limiting
4. Apply any domain- or customer-specific restrictions
5. Cached entry? Return it from the cache
6. Add the gateway security header
7. Add the OWASP-recommended response headers
8. Avoid caching of sensitive responses such as tokens
In general, the main features of API gateways are:
Traffic Routing
Load balancing
Rate Limiting
Caching
Authentication and Authorization
Preventing unnecessary requests from landing on application servers
Central Logging
Consolidated security audit
The header settings referred to in steps 6 to 8 are shown below.
# modified_headers is the dict of response headers the gateway will return to the client
modified_headers = {}

# OWASP Secure Headers https://owasp.org/www-project-secure-headers/
modified_headers['X-XSS-Protection'] = '1; mode=block'
modified_headers['X-Frame-Options'] = 'DENY'
modified_headers['Strict-Transport-Security'] = 'max-age=63072000; includeSubDomains'
modified_headers['X-Content-Type-Options'] = 'nosniff'

# Avoid caching tokens: tell browsers and intermediate caches not to store this response
modified_headers['Expires'] = '0'
modified_headers['Cache-Control'] = 'no-cache, no-store, must-revalidate'
modified_headers['Pragma'] = 'no-cache'
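The request pipeline from the numbered steps above (logging, auth, rate limiting, cache lookup, secure headers, no-store for token responses) as one small in-memory gateway. This is an added example, not code from the original post; the token set, client IPs, paths and the backend callable are constructed for the demo.

```python
from dataclasses import dataclass, field

# Header sets from the post: SECURE_HEADERS on every response, NO_STORE_HEADERS on token responses
SECURE_HEADERS = {"X-XSS-Protection": "1; mode=block", "X-Frame-Options": "DENY",
                  "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
                  "X-Content-Type-Options": "nosniff"}
NO_STORE_HEADERS = {"Expires": "0", "Pragma": "no-cache",
                    "Cache-Control": "no-cache, no-store, must-revalidate"}


@dataclass
class Gateway:
    valid_tokens: set                 # constructed; a real gateway verifies JWTs/API keys
    limit: int = 3                    # requests per client IP per window
    window: float = 60.0              # seconds
    log: list = field(default_factory=list)
    _hits: dict = field(default_factory=dict)
    _cache: dict = field(default_factory=dict)

    def handle(self, client_ip, path, token, now, backend):
        """Run one request through the pipeline; backend(path) -> (status, body, cacheable)."""
        self.log.append((now, client_ip, path))           # 1. log client IP, timestamp, path
        if token not in self.valid_tokens:                 # 2. authn/authz before any other work
            return 401, dict(SECURE_HEADERS), "unauthorized"
        hits = [t for t in self._hits.get(client_ip, []) if now - t < self.window]
        if len(hits) >= self.limit:                        # 3. sliding-window rate limit
            return 429, dict(SECURE_HEADERS), "too many requests"
        self._hits[client_ip] = hits + [now]
        if path in self._cache:                            # 5. cached entry? answer at the gateway
            return 200, dict(SECURE_HEADERS), self._cache[path]
        status, body, cacheable = backend(path)
        headers = dict(SECURE_HEADERS)                     # 6/7. OWASP secure headers on every response
        if cacheable:
            self._cache[path] = body
        else:
            headers.update(NO_STORE_HEADERS)               # 8. never let token responses be cached
        return status, headers, body


def demo():
    calls = []
    def backend(path):                # constructed backend; the token endpoint is not cacheable
        calls.append(path)
        return 200, "body:" + path, path != "/oauth/token"
    gw = Gateway(valid_tokens={"demo-token"})
    paths = ["/items", "/items", "/oauth/token", "/items"]
    results = [gw.handle("10.0.0.1", p, "demo-token", t, backend) for t, p in enumerate(paths)]
    results.append(gw.handle("10.0.0.2", "/items", "bad-token", 4, backend))
    return results, calls
```

In the demo the second `/items` request is served from the gateway cache without reaching the backend, the token response carries the no-store headers, the fourth request from the same IP is rejected with 429, and the request with a bad token never reaches the rate limiter or the backend.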