Microservices and API Security Best Practices Cheat Sheet


Here are the top Security Best Practices when architecting your Microservices and API solutions. To review a complete Microservices and API Security checklist and guide, please contact me at Jordan.Braunstein@visualintegrator.com and I will be happy to share with you or your team.

External Facing Microservices or APIs:

Use OAuth 2.0 security policy with the grant type based on the type of the application consuming the microservice or API:

  • For mobile and SPA apps, best practice is to secure using Implicit or Authorization Code grant.
  • For trusted partners (i.e. Trading Partners), use client-credentials grant but only if the communication is secured via MTLS or IP-based filtering

Internal Facing Microservices or APIs

  • Client ID Validation policy to validate Client ID/Secret
  • Enable Client ID security on all internal APIs
  • For example, Experience API is secured by JWT, which, in turn, invokes internally facing Process or System API secured by Client ID/Secret/

 User Identity or Role Based Authorization

  • Recommend using JWT token with digital signature
  • Create a custom API policy to validate the digital signature if needed, or invoke the validate endpoint of the Identity Management platform.
  • “Bundle” user credential such as customer_id or LDAP ID as part of the JWT token payload.
  • In the custom policy or inside the API itself, validate the JWT token contains the bundled customer id.

Additional Considerations:

  • Custom API Policies for schema validations, SQL injections, HTTP Inspections, Size Limits, Pattern Scans.
  • Data Sensitivity and encryption techniques
  • Sidebands to API Gateway for outside threats on API Gateways
  • Source Code and library scans.

Infrastructure Security:

  • Network security
  • WAF rules
  • API Gateway policies (i.e. rate limiting)
  • Audit logging on the gateway
  • Security monitoring of the Microservices or API infrastructure


Jordan Braunstein, CTO