Microservices and API Security Best Practices Cheat Sheet
Here are the top security best practices when architecting your microservices and API solutions. To review the complete Microservices and API Security checklist and guide, please contact me at Jordan.Braunstein@visualintegrator.com and I will be happy to share it with you or your team.
External Facing Microservices or APIs:
Use an OAuth 2.0 security policy, choosing the grant type according to the kind of application that consumes the microservice or API:
- For mobile and single-page (SPA) apps, use the Authorization Code grant with PKCE (RFC 7636). These are public clients that cannot keep a client secret, so PKCE is what binds the token request to the client that started the flow. The Implicit grant was once recommended for them but is now deprecated by the OAuth 2.0 Security Best Current Practice because it delivers the access token in the URL fragment and cannot be bound to the client.
- For trusted partners (e.g. trading partners calling machine-to-machine), use the Client Credentials grant, but only if the channel is additionally secured with mutual TLS (mTLS) or IP-based filtering; on its own the client secret is a single static bearer credential.
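The following is an added example (not code from the original cheat sheet) of the Authorization Code flow with PKCE for a public client: the client side derives the S256 challenge, and the authorization server side binds that challenge to the code it issues and only redeems the code when the matching verifier is presented. The in-memory `ISSUED_CODES` store, the client ID `spa-client` and the `demo_flow` scenario are constructed for illustration.

```python
import base64
import hashlib
import secrets

# Constructed in-memory authorization-server state: issued code -> bound client and challenge.
ISSUED_CODES: dict[str, dict[str, str]] = {}


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def s256(code_verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def client_make_pkce() -> tuple[str, str]:
    """Client side (SPA or mobile app): a fresh high-entropy verifier and its challenge.

    Only the challenge leaves the client in the authorization request; the
    verifier stays in memory until the token request.
    """
    code_verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128
    return code_verifier, s256(code_verifier)


def as_authorize(client_id: str, code_challenge: str, method: str) -> str:
    """Authorization endpoint: issue a code bound to the client and its challenge."""
    if method != "S256":
        raise ValueError("only S256 is accepted; the 'plain' method is not")
    code = b64url(secrets.token_bytes(24))
    ISSUED_CODES[code] = {"client_id": client_id, "challenge": code_challenge}
    return code


def as_token(client_id: str, code: str, code_verifier: str) -> bool:
    """Token endpoint: redeem the code only with the verifier that matches its challenge.

    The code is consumed on the first attempt, so a stolen or replayed code is
    useless without the verifier, which never travelled over the redirect.
    """
    record = ISSUED_CODES.pop(code, None)
    if record is None or record["client_id"] != client_id:
        return False
    return secrets.compare_digest(s256(code_verifier), record["challenge"])


def demo_flow() -> tuple[bool, bool, bool]:
    """Constructed scenario: legitimate exchange, replayed code, intercepted code without verifier."""
    verifier, challenge = client_make_pkce()
    code = as_authorize("spa-client", challenge, "S256")
    legitimate = as_token("spa-client", code, verifier)
    replay = as_token("spa-client", code, verifier)  # same code a second time

    verifier2, challenge2 = client_make_pkce()
    stolen_code = as_authorize("spa-client", challenge2, "S256")
    attacker = as_token("spa-client", stolen_code, "guessed-verifier")  # attacker never saw verifier2
    return legitimate, attacker, replay
```

In a real deployment the verifier is generated per authorization request and never persisted beyond the exchange, and the server should also bind the code to the registered redirect URI and expire it within minutes.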
Internal Facing Microservices or APIs:
- Apply a Client ID enforcement policy that validates the caller's Client ID/Secret.
- Enable Client ID security on all internal APIs, not only the ones considered sensitive; an internal API without it trusts the network instead of the caller.
- For example, an Experience API secured by JWT validation in turn invokes an internal Process or System API secured by Client ID/Secret, so every hop authenticates its immediate caller.
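As an added example (not the cheat sheet's own code), here is what a Client ID enforcement policy for an internal Process or System API can look like: the gateway stores only a salted PBKDF2 hash of each client secret, compares in constant time, and, because authentication alone is not authorization, also checks that the calling client is entitled to the specific API. The `client_id` / `client_secret` header names, the `CLIENT_REGISTRY` store and the client and API names used are assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Constructed credential store: salted PBKDF2 hash of each client secret (never the
# secret itself) plus the internal APIs that client application may call.
CLIENT_REGISTRY: dict[str, dict] = {}
PBKDF2_ROUNDS = 50_000


def _hash_secret(client_secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", client_secret.encode("utf-8"), salt, PBKDF2_ROUNDS)


def register_client(client_id: str, client_secret: str, allowed_apis: list[str]) -> None:
    """Onboard a client application (e.g. an Experience API) and the internal APIs it may call."""
    salt = secrets.token_bytes(16)
    CLIENT_REGISTRY[client_id] = {
        "salt": salt,
        "hash": _hash_secret(client_secret, salt),
        "apis": set(allowed_apis),
    }


def enforce_client_id(headers: dict[str, str], api_name: str) -> tuple[int, str]:
    """Client ID enforcement policy for an internal API.

    Returns an HTTP status and reason: 401 when credentials are missing or wrong,
    403 when the client is authenticated but not entitled to this API, 200 otherwise.
    The client_id / client_secret header names are an assumption of this example.
    """
    client_id = headers.get("client_id", "")
    client_secret = headers.get("client_secret", "")
    if not client_id or not client_secret:
        return 401, "missing client credentials"
    record = CLIENT_REGISTRY.get(client_id)
    if record is None:
        # Spend the same effort on unknown IDs so response timing does not reveal which IDs exist.
        _hash_secret(client_secret, bytes(16))
        return 401, "invalid client credentials"
    if not hmac.compare_digest(_hash_secret(client_secret, record["salt"]), record["hash"]):
        return 401, "invalid client credentials"
    if api_name not in record["apis"]:
        return 403, f"client {client_id} is not entitled to {api_name}"
    return 200, "ok"
```

The same 401 reason is returned for an unknown ID and a wrong secret on purpose, so a caller cannot enumerate registered client IDs.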
User Identity or Role Based Authorization:
- Recommend using a digitally signed JWT, so the gateway or API can verify the token without a round trip to the issuer.
- Validate the signature in a custom API policy if needed, or invoke the token validation endpoint of the Identity Management platform.
- "Bundle" the user's identity, such as customer_id or LDAP ID, as claims in the JWT payload.
- In the custom policy or inside the API itself, validate that the JWT contains the bundled customer_id and that it matches the customer whose data the request is for; a valid token for one customer must not be able to read another customer's records.
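As an added example, not code from the original page, the block below shows a gateway-side JWT check that pins the algorithm, verifies the signature, issuer, audience and expiry, and only then compares the bundled `customer_id` claim with the customer requested in the path. HS256 with a shared key is used so the example runs on the standard library alone; the "digital signature" the cheat sheet recommends would in practice be RS256 or ES256 verified against the identity provider's published public key, and the claim names, issuer and audience values are assumptions for this example.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, key: bytes) -> str:
    """Identity-provider side (constructed for the example): mint an HS256 JWT carrying the claims."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(signature)}"


def verify_jwt(token: str, key: bytes, issuer: str, audience: str, now: float) -> dict:
    """Gateway policy: return the claims only if signature, issuer, audience and expiry all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the verifier pins the algorithm; the token does not choose it
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))  # claims are trusted only after the signature passed
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] <= now:
        raise ValueError("expired or missing exp")
    return claims


def authorize_customer_request(token: str, key: bytes, requested_customer_id: str,
                               issuer: str, audience: str, now: float) -> tuple[int, str]:
    """Object-level check: the bundled customer_id must match the customer named in the request."""
    try:
        claims = verify_jwt(token, key, issuer, audience, now)
    except ValueError as exc:
        return 401, str(exc)
    if "customer_id" not in claims:
        return 403, "token carries no customer_id claim"
    if claims["customer_id"] != requested_customer_id:
        return 403, "token is not for the requested customer"
    return 200, "ok"
```

The authentication failures (bad signature, expiry, wrong issuer or audience) return 401, while a token that is valid but for a different customer returns 403: the caller is known, it simply is not allowed to see that object.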
- Custom API policies for schema validation, SQL injection checks, HTTP inspection, size limits and pattern scans.
- Data sensitivity classification and encryption techniques.
- Side-band security services alongside the API gateway to handle outside threats against the gateway itself.
- Source code and library (dependency) scans.
- Network security
- WAF rules
- API Gateway policies (e.g. rate limiting)
- Audit logging on the gateway
- Security monitoring of the Microservices or API infrastructure
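The following is an added example, not code from the cheat sheet, of a request-inspection policy of the kind listed above for a gateway: a body size limit, a content-type check, and allowlist schema validation that rejects unknown fields, wrong types and values that do not match a per-field pattern. The pattern check is written as an allowlist of the shape each field may take, which catches the SQL injection payloads a denylist "pattern scan" would look for without trying to enumerate them. The `/orders` body shape, `ORDER_SCHEMA` and `MAX_BODY_BYTES` are constructed for this example.

```python
import json
import re

MAX_BODY_BYTES = 16 * 1024

# Constructed allowlist schema for a hypothetical POST /orders body:
# every field that may appear, its exact JSON type, and the shape its value must take.
ORDER_SCHEMA = {
    "customer_id": {"type": str, "pattern": re.compile(r"[0-9]{1,12}")},
    "sku": {"type": str, "pattern": re.compile(r"[A-Z0-9-]{3,32}")},
    "quantity": {"type": int, "min": 1, "max": 1000},
}


def inspect_request(headers: dict[str, str], body: bytes, schema: dict = ORDER_SCHEMA) -> tuple[int, str]:
    """Gateway inspection policy. Returns (HTTP status, reason).

    Cheap checks (size, content type) run before the body is parsed, so an
    oversized or wrongly typed request never reaches the JSON parser.
    """
    if len(body) > MAX_BODY_BYTES:
        return 413, "body too large"
    content_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if content_type != "application/json":
        return 415, "unsupported content type"
    try:
        data = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return 400, "body is not valid JSON"
    if not isinstance(data, dict):
        return 400, "body must be a JSON object"
    unknown = set(data) - set(schema)
    if unknown:
        return 400, f"unknown fields: {sorted(unknown)}"  # mass-assignment guard: only declared fields pass
    for field, rule in schema.items():
        if field not in data:
            return 400, f"missing field: {field}"
        value = data[field]
        # type() rather than isinstance(): JSON true/false parse as bool, which is a subclass of int.
        if type(value) is not rule["type"]:
            return 400, f"{field} has wrong type"
        if "pattern" in rule and not rule["pattern"].fullmatch(value):
            return 400, f"{field} does not match the allowed pattern"
        if "min" in rule and not (rule["min"] <= value <= rule["max"]):
            return 400, f"{field} is out of range"
    return 200, "ok"
```

Because `fullmatch` is used, the pattern has to cover the entire value; a `sku` of `ABC' OR 1=1--` fails on the quote and spaces rather than on a recognised injection signature, so the same rule also stops payloads nobody has written a signature for yet.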