API Gateway for Security
Using API gateways as security perimeters: authentication, authorization, request validation, IP whitelisting, and WAF integration.
The API Gateway as a Security Perimeter
In a microservices architecture, every service exposing an HTTP endpoint is a potential attack surface. Managing authentication, rate limiting, TLS, and input validation in each service independently leads to duplication and inconsistency — the weakest service becomes the entry point for attackers. An API gateway centralizes these cross-cutting security concerns, acting as the single entry point for all external traffic. Products like AWS API Gateway, Kong, Nginx, Traefik, Apigee, and Cloudflare API Shield implement this pattern.
Core Security Functions at the Gateway
TLS Termination
The API gateway terminates the TLS connection from the client, decrypting traffic. Backend services receive plain HTTP (or re-encrypted internal TLS). This centralizes certificate management — you renew one certificate at the gateway rather than on every service instance. AWS Certificate Manager (ACM) and Let's Encrypt automate certificate provisioning and renewal. Internal traffic may use mTLS (mutual TLS) where both parties authenticate.
Authentication at the Gateway
The gateway validates credentials before forwarding requests. For JWT-based auth: extract the `Authorization: Bearer <token>` header, validate the signature using the authorization server's public key (fetched from the JWKS endpoint), verify `exp`, `iss`, and `aud` claims. If valid, forward the user ID and claims as trusted headers to backend services (e.g., `X-User-Id: 12345`, `X-User-Roles: admin`). Backend services trust these headers implicitly because they can only be set by the gateway.
Protect Internal Headers
If clients can set `X-User-Id` headers directly, they can impersonate any user. The API gateway MUST strip any client-supplied headers that match your internal trust headers before forwarding the request to backend services. This is a common misconfiguration that creates privilege escalation vulnerabilities.
Request Validation and Schema Enforcement
The gateway can validate incoming requests against an OpenAPI specification: reject requests with missing required fields, wrong data types, or payloads exceeding size limits. This blocks many injection attacks and malformed data before they reach your application. It also provides a clear contract that client developers can rely on. AWS API Gateway, Kong, and Apigee all support OpenAPI-based request validation natively.
Web Application Firewall (WAF)
A WAF operates at Layer 7 and inspects HTTP request content against rule sets to detect and block attacks. It is typically deployed in front of or integrated with the API gateway. The OWASP ModSecurity Core Rule Set (CRS) is the industry-standard open-source rule set, covering the OWASP Top 10. Managed WAF services like AWS WAF, Cloudflare WAF, and Imperva provide auto-updated rule sets and geofencing.
| Attack Type | WAF Rule Example | Without WAF Risk |
|---|---|---|
| SQL Injection | Block requests matching `'; DROP TABLE` | Database compromise |
| XSS | Block `<script>` tags in query params/body | Session hijacking |
| Path Traversal | Block `../` sequences in URLs | File system access |
| Rate-based DDoS | Block IPs exceeding N requests/minute | Service unavailability |
| Geo-blocking | Block traffic from prohibited countries | Compliance violations |
| Bot detection | Challenge requests missing human-like headers | Credential stuffing |
IP Allowlisting and Denylisting
IP allowlisting restricts API access to known IP ranges — essential for B2B integrations where a partner's systems have static IPs, or for admin APIs that should never be publicly accessible. IP denylisting blocks known malicious IPs, typically populated from threat intelligence feeds (e.g., IP ranges associated with Tor exit nodes, known botnets, or previous attackers). Both are easy to implement in the API gateway or WAF but have operational overhead: clients behind dynamic IPs or VPNs are blocked.
Interview Tip
In interviews, distinguish between what belongs at the gateway vs what belongs in services. The gateway handles: TLS termination, JWT validation, rate limiting, schema validation, WAF, and IP filtering. Services handle: business-logic authorization ('can Alice edit this specific order?'), domain-specific validation, and data access control. Showing this clear separation of concerns demonstrates architectural maturity.
API Key Management
For public APIs, API keys are a common authentication mechanism. The gateway validates the key on every request by checking it against a fast store (Redis or DynamoDB). Key rotation, revocation, rate limiting per key, and usage analytics are managed centrally. Best practices: never log API keys in access logs (use key ID instead), use prefix-based keys (e.g., `sk_live_xxx`) to enable secret scanning in code repositories, and expire keys automatically after a configurable period.