Ecosystem: Secure your API with these 16 Practices with Apache APISIX - part 2

Last week, we listed 16 practices to help secure one's APIs and described how to implement them with Apache APISIX.

- Authentication 🕵️️ - Verifies the identity of users accessing APIs.
- Authorization 🚦 - Determines permissions of authenticated users.
- Data Redaction 🖍️ - Obscures sensitive data for protection.
- Encryption 🔒 - Encodes data so only authorized parties can decode it.
- Error Handling ❌ - Manages responses when things go wrong, avoiding revealing sensitive info.
- Input Validation & Data Sanitization 🧹 - Checks input data and removes harmful parts.
- Intrusion Detection Systems 👀 - Monitor networks for suspicious activities.
- IP Whitelisting 📝 - Permits API access only from trusted IP addresses.
- Logging and Monitoring 🖥️ - Keeps detailed logs and regularly monitors APIs.
- Rate Limiting ⏱️ - Limits user requests to prevent overload.
- Secure Dependencies 📦 - Ensures third-party code is free from vulnerabilities.
- Security Headers 📋 - Enhances site security against types of attacks like XSS.
- Token Expiry ⏳ - Regularly expiring and renewing tokens prevents unauthorized access.
- Use of Security Standards and Frameworks 📘 - Guides your API security strategy.
- Web Application Firewall 🔥 - Protects your site from HTTP-specific attacks.
- API Versioning 🔄 - Maintains different versions of your API for seamless updates.

This week, we will look at the remaining practices.
Ecosystem: Secure your API with these 16 Practices with Apache APISIX - part 1

A couple of months ago, I stumbled upon this list of Secure your API with these 16 practices to secure your API:

- Authentication 🕵️️ - Verifies the identity of users accessing APIs.
- Authorization 🚦 - Determines permissions of authenticated users.
- Data Redaction 🖍️ - Obscures sensitive data for protection.
- Encryption 🔒 - Encodes data so only authorized parties can decode it.
- Error Handling ❌ - Manages responses when things go wrong, avoiding revealing sensitive info.
- Input Validation & Data Sanitization 🧹 - Checks input data and removes harmful parts.
- Intrusion Detection Systems 👀 - Monitor networks for suspicious activities.
- IP Whitelisting 📝 - Permits API access only from trusted IP addresses.
- Logging and Monitoring 🖥️ - Keeps detailed logs and regularly monitors APIs.
- Rate Limiting ⏱️ - Limits user requests to prevent overload.
- Secure Dependencies 📦 - Ensures third-party code is free from vulnerabilities.
- Security Headers 📋 - Enhances site security against types of attacks like XSS.
- Token Expiry ⏳ - Regularly expiring and renewing tokens prevents unauthorized access.
- Use of Security Standards and Frameworks 📘 - Guides your API security strategy.
- Web Application Firewall 🔥 - Protects your site from HTTP-specific attacks.
- API Versioning 🔄 - Maintains different versions of your API for seamless updates.

While it's debatable whether some points relate to security, e.g., versioning, the list is a good starting point anyway. In this two-post series, I'd like to describe how we can implement each point with Apache APISIX (or not).
Ecosystem: Hardening Apache APISIX with the OWASP's Coraza and Core Ruleset

"The Open Worldwide Application Security Project is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the fields of IoT, system softw..." -- OWASP website

The OWASP regularly publishes a Top 10 vulnerability report. The report targets vulnerabilities in web applications. In this post, I'd like to describe how to fix some of them via the Apache APISIX API Gateway.
Ecosystem: Unlock All-in-One Observability for APISIX with DeepFlow

This article aims to elucidate how to leverage DeepFlow's zero-code feature based on eBPF to construct an observability solution for APISIX.
Community: Biweekly Report (January 15 - January 28)

We have recently added the ocsp-stapling plugin within Apache APISIX. Please read the bi-weekly report for more details.
Community: Biweekly Report (January 01 - January 14)

We have recently made some additions and improvements to specific features within Apache APISIX. The updates include the newly added include_req_body option for some log-related plugins, support for one-click compilation and installation of apisix and apisix-runtime from source code, Brotli compression support in the response-rewrite plugin when using the filters.regex option, and support for the uri_param variable when using the radixtree_uri_with_parameter routing engine. For additional information, please consult the bi-weekly report.
Community: Release Apache APISIX 3.8.0

We are glad to present Apache APISIX 3.8.0 with exciting new features, bug fixes, and other improvements to user experiences.
Community: Biweekly Report (December 18 - December 31)

We have recently made some additions and improvements to specific features within Apache APISIX. The updates include the limit-count plugin configuration supporting environment variables, the response-rewrite plugin supporting gzip when using the filters.regex option, and upgrading OpenSSL 1.1.1 to OpenSSL 3.0. For additional information, please consult the bi-weekly report.
Ecosystem: Access the Kafka Cluster by APISIX Gateway

This blog shows how to use Apache APISIX to develop a custom authorization plugin for the Kafka cluster.