Secure your API with these 16 Practices with Apache APISIX - part 1

A couple of months ago, I stumbled upon this list of Secure your API with these 16 practices to secure your API:

1. Authentication 🕵️️ - Verifies the identity of users accessing APIs.
2. Authorization 🚦 - Determines permissions of authenticated users.
3. Data Redaction 🖍️ - Obscures sensitive data for protection.
4. Encryption 🔒 - Encodes data so only authorized parties can decode it.
5. Error Handling ❌ - Manages responses when things go wrong, avoiding revealing sensitive info.
6. Input Validation & Data Sanitization 🧹 - Checks input data and removes harmful parts.
7. Intrusion Detection Systems 👀 - Monitor networks for suspicious activities.
8. IP Whitelisting 📝 - Permits API access only from trusted IP addresses.
9. Logging and Monitoring 🖥️ - Keeps detailed logs and regularly monitors APIs.
10. Rate Limiting ⏱️ - Limits user requests to prevent overload.
11. Secure Dependencies 📦 - Ensures third-party code is free from vulnerabilities.
12. Security Headers 📋 - Enhances site security against types of attacks like XSS.
13. Token Expiry ⏳ - Regularly expiring and renewing tokens prevents unauthorized access.
14. Use of Security Standards and Frameworks 📘 - Guides your API security strategy.
15. Web Application Firewall 🔥 - Protects your site from HTTP-specific attacks.
16. API Versioning 🔄 - Maintains different versions of your API for seamless updates.

While it's debatable whether some points relate to security, e.g.,, versioning, the list is a good starting point anyway. In this two-post series, I'd like to describe how we can implement each point with Apache APISXI (or not).

Hardening Apache APISIX with the OWASP's Coraza and Core Ruleset

The Open Worldwide Application Security Project is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system softw...

--OWASP website

The OWASP regularly publishes a Top 10 vulnerability report. The report targets vulnerabilities in web applications.

In this post, I'd like to describe how to fix some of them via the Apache APISIX API Gateway.

Unlock All-in-One Observability for APISIX with DeepFlow

This article aims to elucidate how to leverage DeepFlow's zero-code feature based on eBPF to construct an observability solution for APISIX.

Biweekly Report (January 15 - January 28)

We have recently added the ocsp-stapling plugin within Apache APISIX. Please read the bi-weekly report for more details.

Biweekly Report (January 01 - January 14)

We have recently made some additions and improvements to specific features within Apache APISIX. The updates include the newly added includereq_body option for some log-related plugins, supporting one-click compilation and installation of apisix and apisix-runtime from source code, the response-rewrite plugin supporting Brotli compression when using the filters.regex option, and supporting the uri_param variable when using the radixtree_uri_with_parameter routing engine. For additional information, please consult the bi-weekly report.

Release Apache APISIX 3.8.0

We are glad to present Apache APISIX 3.8.0 with exciting new features, bug fixes, and other improvements to user experiences.

Biweekly Report (December 18 - December 31)

We have recently made some additions and improvements to specific features within Apache APISIX. The updates include the limit-count plugin configuration supporting environment variables, the response-rewrite plugin supporting gzip when using the filters.regex option, and upgrading OpenSSL 1.1.1 to OpenSSL 3.0 version. For additional information, please consult the bi-weekly report.

Access the Kafka Cluster by APISIX Gateway

This blog shows how to use Apache APISIX to develop a customize authorization plugin for the kafka cluster.

Building a Robust 'Highway' with APISIX: Gateway and Protocol Performance Optimization

Author: Xiaobin Wang, Apache Dubbo Committer, Senior Development Engineer at Zhengcaiyun. This article is based on a presentation given by Xiaobin Wang at the APISIX Shanghai Meetup in November 2023.