Section 08

API & Microservices Architecture

Microservices architectures introduce new security challenges: more network communication, more attack surface, and complex trust relationships. Securing APIs becomes critical.

API Gateway Security

The API Gateway is your first line of defense. It centralizes security controls before requests reach backend services.

Authentication

  • OAuth 2.0 / OpenID Connect
  • API key validation
  • JWT verification
  • mTLS for B2B APIs

Traffic Management

  • Rate limiting per client
  • Request throttling
  • Quota enforcement
  • DDoS protection

Request Validation

  • Schema validation (OpenAPI)
  • Input sanitization
  • Request size limits
  • Content-Type enforcement

Observability

  • Request/response logging
  • Metrics and tracing
  • Anomaly detection
  • Audit trails

Service-to-Service Authentication

Mutual TLS (mTLS)

Both client and server present certificates, which provides mutual authentication as well as encryption of the connection.

  • Typically managed by a service mesh
  • Automatic certificate rotation
  • No application code changes needed

Service Account Tokens

Short-lived tokens issued to services (Kubernetes service accounts, AWS IAM roles).

  • Workload identity in cloud environments
  • No static credentials to manage
  • Automatic token refresh

JWT Service Tokens

Services authenticate with signed JWTs containing claims about identity and permissions.

  • Signed by a trusted issuer
  • Contains scope/permissions claims
  • Verify signature and claims at each service

Rate Limiting Strategies

Fixed Window

For example, 100 requests per minute: a per-client counter resets at each minute boundary.

Simple, but a client can burst across a window boundary (the end of one window followed immediately by the start of the next).

Sliding Window

Smooths the rate over a rolling time period instead of fixed boundaries.

Better distribution, but needs more memory per client.

Token Bucket

Tokens refill at a fixed rate up to the bucket capacity. Each request consumes a token; an empty bucket means the request is rejected.

Allows controlled bursting, bounded by the bucket capacity.

Leaky Bucket

Requests are queued and processed at a constant rate.

Smoothest output, but adds latency.
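As an added illustration (not part of the original course material), the three limiters below apply the same 100-requests-per-minute policy to a constructed burst of 100 requests just before a minute boundary and 100 just after, making the window-edge burst described above visible. The class names, the `client-a` identifier and the timestamps are my own assumptions.

```python
from collections import deque

class FixedWindowLimiter:
    """Per-client counter that resets at every window boundary."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s, self.counts = limit, window_s, {}
    def allow(self, client, now):
        window = int(now // self.window_s)
        w, n = self.counts.get(client, (window, 0))
        if w != window:                       # boundary crossed: counter resets
            n = 0
        self.counts[client] = (window, min(n + 1, self.limit))
        return n < self.limit

class SlidingLogLimiter:
    """Timestamps of admitted requests in a rolling window (costs more memory)."""
    def __init__(self, limit, window_s):
        self.limit, self.window_s, self.log = limit, window_s, {}
    def allow(self, client, now):
        q = self.log.setdefault(client, deque())
        while q and q[0] <= now - self.window_s:   # drop requests that aged out
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True

class TokenBucketLimiter:
    """Bucket refills at `rate` tokens/s up to `capacity`; each request spends one."""
    def __init__(self, capacity, rate):
        self.capacity, self.rate, self.state = capacity, rate, {}
    def allow(self, client, now):
        tokens, last = self.state.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.state[client] = (tokens - 1 if ok else tokens, now)
        return ok

def accepted(limiter, times, client="client-a"):
    return sum(limiter.allow(client, t) for t in times)

# Constructed scenario: 100 requests just before the minute boundary, 100 just after.
EDGE_BURST = [59.5 + i / 1000 for i in range(100)] + [60.5 + i / 1000 for i in range(100)]

def edge_burst_results():
    """Requests admitted by each strategy for the same 100-per-minute policy."""
    return {"fixed": accepted(FixedWindowLimiter(100, 60), EDGE_BURST),         # 200
            "sliding": accepted(SlidingLogLimiter(100, 60), EDGE_BURST),        # 100
            "bucket": accepted(TokenBucketLimiter(100, 100 / 60), EDGE_BURST)}  # 101
```

The fixed window admits all 200 requests within about a second, the sliding log holds the line at 100, and the token bucket admits only the one extra token that refilled in between.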

Circuit Breaker Pattern

Circuit breakers prevent cascade failures by stopping calls to failing services.

🟢 CLOSED

Normal operation. Requests pass through. Failures are counted.

🔴 OPEN

Failure threshold exceeded. Requests fail fast. No calls reach the service.

🟡 HALF-OPEN

Testing recovery. A limited number of requests is allowed through. Success closes the circuit; failure reopens it.

API Security Checklist

  • ☐ All APIs require authentication
  • ☐ Authorization checked at resource level
  • ☐ Input validated against schema
  • ☐ Rate limiting configured per client tier
  • ☐ Response doesn't leak internal details
  • ☐ HTTPS only, TLS 1.2+
  • ☐ Security headers set (CORS, CSP for browser APIs)
  • ☐ API versioning strategy defined
  • ☐ Deprecation policy for old versions
  • ☐ Documentation doesn't expose vulnerabilities