I agree there is no silver bullet, but there are issues that need to be addressed for security purposes.
And some of us are addressing them rather than trying to come up with excuses.
So I will address some of the excuses you made...
First, a 'redirect' is not the same as a 'forward/internal redirect'; a redirect drops a thread, goes outside the DMZ and then comes back in via the router, creating a new request/response EVERY TIME. An internal redirect/forward uses the existing request/response/token to talk to other endpoints within the API application, thus keeping communication internal, and thus it is far more secure and several degrees faster.
Second, your arguments all have issues/fallacies:
- Rate limiting/data limiting has the exact same issue as pointed out in the article. If I do an internal BATCH job for 100 API calls, the API gateway will only count 1 of those calls... the first one; all the others are internally redirected (unless you did it wrong).
- API catalogs do not check statelessness rules (they also have nothing to do with what we are talking about). Still, they rely upon tools like OpenAPI/RAML/API Blueprint, which were ORIGINALLY supposed to be the server-side state (or rules) that we checked the stateless request/response against. Unfortunately, along the way OpenAPI decided against that. Here is a direct quote from the lead of OpenAPI stating that it is NOT a shared document and does not support RBAC/ABAC: https://flic.kr/p/2keNR8v
- Again, see above, where the OpenAPI lead stated they do not support RBAC/ABAC and that the document is a static document that cannot be synchronized or shared.
- Version management / subscription management are unrelated. These have NOTHING to do with what we are talking about.
OpenAPI sprang from Swagger, which was focused on DOCUMENTATION/TESTING. Security and backend rules were NEVER a concern, as I brought these up to Tony Tam PRIOR to/around Swagger's launch and he shrugged them off.
Since then he has had time to get them in, and they never have; they have rejected them outright.
A good example of a synchronizable API server-side rule can be found here: https://github.com/Beapi-io/spring-boot-starter-beapi-config/blob/main/.iostate/User.json
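The batch-counting point above, as an added example that is not part of the comment and not code from Beapi or any real gateway: an in-process model in which the rate limiter sits only at the external entry point. The names (`Gateway`, `handle`, `forward`, `/batch`, `/user`), the clients, the limit of 10 and the 100-item batch are all constructed for illustration. The same batch is run twice, once with internal forwards and once with client-followed redirects, and the edge counter is read back for each.

```python
# Added example (not from the comment above nor from Beapi): an in-process
# model of an API gateway whose rate limiter counts only requests that enter
# through the external edge. Names (Gateway, forward, /batch, /user), the
# clients, the limit and the 100-item batch are constructed for illustration.
from collections import defaultdict


class Gateway:
    """Minimal gateway: the edge counter is applied in handle(), never in forward()."""

    def __init__(self, limit):
        self.limit = limit
        self.edge_count = defaultdict(int)  # requests seen at the edge, per client
        self.routes = {}

    def handle(self, client, path, body=None):
        """External entry point: every call through here is counted and limited."""
        self.edge_count[client] += 1
        if self.edge_count[client] > self.limit:
            return {"status": 429}
        return self.routes[path](self, client, body)

    def forward(self, client, path, body=None):
        """Internal forward: reuses the in-flight request, so the edge never sees it."""
        return self.routes[path](self, client, body)


def user_lookup(gw, client, uid):
    return {"status": 200, "body": f"user {uid}"}


def batch_forward(gw, client, uids):
    # one external request, N internal forwards to the same handler
    return {"status": 200, "body": [gw.forward(client, "/user", u) for u in uids]}


def batch_redirect(gw, client, uids):
    # tells the client to come back once per item; each return trip re-enters the edge
    return {"status": 302, "location": [("/user", u) for u in uids]}


def run_forward_batch(n, limit=10):
    """Returns (edge count, batch status, number of items served)."""
    gw = Gateway(limit)
    gw.routes = {"/user": user_lookup, "/batch": batch_forward}
    resp = gw.handle("alice", "/batch", list(range(n)))
    return gw.edge_count["alice"], resp["status"], len(resp["body"])


def run_redirect_batch(n, limit=10):
    """Returns (edge count, items served, items rate limited)."""
    gw = Gateway(limit)
    gw.routes = {"/user": user_lookup, "/batch": batch_redirect}
    resp = gw.handle("bob", "/batch", list(range(n)))
    # the client follows every redirect, and each follow-up is a fresh edge request
    statuses = [gw.handle("bob", path, u)["status"] for path, u in resp["location"]]
    return gw.edge_count["bob"], statuses.count(200), statuses.count(429)


if __name__ == "__main__":
    print("forward :", run_forward_batch(100))   # (1, 200, 100)
    print("redirect:", run_redirect_batch(100))  # (101, 9, 91)
```

In this model the asymmetry comes entirely from where the counter lives: the forwarded batch enters the edge once and the 100 lookups are invisible to it, while the redirected batch re-enters the edge 100 more times and is cut off after the limit. A gateway that wants per-endpoint accounting for forwarded calls has to count at the dispatch step that both paths share, not at the edge.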