Skip to content

For the complete documentation index, see llms.txt. Markdown versions of all docs pages are available by appending .md to any docs URL.

Page as Markdown

    

Security

Secure your gateway to prevent unauthenticated and unauthorized access to your apps.

Securing your API gateway involves multiple layers of protection to safeguard traffic, enforce encryption, and maintain observability. These security features work best in combination.

For example, you might use HTTPS listeners for external client connections, enforce backend TLS for internal workload security, use Istio for mutual TLS across workloads within your cluster environment, and automate certificate management of the DNS for your gateway’s hostname with ExternalDNS and Cert-Manager. Access logging provides visibility into all these layers, ensuring a comprehensive security posture for your API gateway deployment.

Access logging

Capture an access log for all the requests that enter the gateway.

Backend TLS

Originate a one-way TLS connection from the Gateway to a backend.

CORS

Enforce client-site access controls with cross-origin resource sharing (CORS).

CSRF

Apply a CSRF filter to the gateway to help prevent cross-site request forgery attacks.

External auth

Authenticate requests with API keys, basic auth, or your own external auth service.

IP-based access control (ACL)

Allow or deny HTTP requests based on the client's source IP address using an ACL policy.

JWT

Control access or route traffic based on verified claims in a JSON web token (JWT).

Rate limit

Throttle requests with local rate limiting or a global rate limit service.

OAuth2/OIDC

Protect routes with browser-based OAuth2/OIDC login flows backed by any standards-compliant identity …

HTTPS listener

Terminate TLS at an HTTPS listener on the gateway by using a referenced certificate secret.

mTLS listener

Require client certificates on a listener to authenticate inbound traffic with mutual TLS.

SNI listener

Route HTTPS traffic to different backends based on the SNI hostname presented by the client.

TLS passthrough

Set up a TLS listener on the Gateway that serves one or more hosts and passes TLS traffic through to …

ExternalDNS and Cert-Manager

Automate DNS records and TLS certificates for gateway listeners with ExternalDNS and cert-manager.

Istio ambient mesh for mTLS

Enforce mTLS between the gateway and upstream workloads with an Istio mesh.

Was this page helpful?