Security
Secure your gateway to prevent unauthenticated and unauthorized access to your apps.
Securing your API gateway involves multiple layers of protection to safeguard traffic, enforce encryption, and maintain observability. These security features work best in combination.
For example, you might use HTTPS listeners for external client connections, enforce backend TLS for internal workload security, use Istio for mutual TLS across workloads within your cluster environment, and automate the DNS records and TLS certificates for your gateway’s hostname with ExternalDNS and Cert-Manager. Access logging provides visibility into all these layers, ensuring a comprehensive security posture for your API gateway deployment.
Access logging
Capture an access log for all the requests that enter the gateway.
Backend TLS
Originate a one-way TLS connection from the Gateway to a backend.
CORS
Enforce client-side access controls with cross-origin resource sharing (CORS).
CSRF
Apply a CSRF filter to the gateway to help prevent cross-site request forgery attacks.
External auth
Authenticate requests with API keys, basic auth, or your own external auth service.
IP-based access control (ACL)
Allow or deny HTTP requests based on the client's source IP address using an ACL policy.
JWT
Control access or route traffic based on verified claims in a JSON web token (JWT).
Rate limit
Throttle requests with local rate limiting or a global rate limit service.
HTTPS listener
Terminate TLS at an HTTPS listener on the gateway by using a referenced certificate secret.
mTLS listener
Require client certificates on a listener to authenticate inbound traffic with mutual TLS.
SNI listener
Route HTTPS traffic to different backends based on the SNI hostname presented by the client.
TLS passthrough
Set up a TLS listener on the Gateway that serves one or more hosts and passes TLS traffic through to …
ExternalDNS and Cert-Manager
Automate DNS records and TLS certificates for gateway listeners with ExternalDNS and cert-manager.
Istio ambient mesh for mTLS
Enforce mTLS between the gateway and upstream workloads with an Istio mesh.