The next level is our API gateway. The gateway plays an important part in a microservice architecture: it is the entry point for every request, and all microservices rely on it as their means of communication with each other. Hence it must not expose any security vulnerabilities of its own:
- Is TLS implemented?
- Does the TLS implementation prevent downgrade attacks and weak-cipher attacks?
- How do you make sure that internal websites and admin URLs are hidden from the internet?
- What information is circulated through the authentication APIs of your gateway service?
- Do the other services trust the gateway too much, or can they detect when the gateway has been breached?
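The last question above, as an added example that is not part of the original article: a downstream service that takes the caller's identity only from a token it verifies itself against the identity provider's key, instead of trusting an `X-User-Id` header injected by the gateway. The secret, claim names and handler names are constructed for the demo; HS256 is verified with the standard library only so the check is visible end to end.

```python
# Added example: a downstream microservice that re-verifies the end-user token
# rather than trusting identity headers set by the API gateway.
import base64, hashlib, hmac, json, time
from typing import Optional

# Constructed HS256 secret shared with the identity provider, not with the gateway.
IDP_SECRET = b"constructed-demo-secret"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def mint_token(sub: str, ttl: int = 300, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT the way the identity provider would (demo only)."""
    now = now or int(time.time())
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": sub, "exp": now + ttl}).encode())
    sig = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Return the claims if signature and expiry check out, otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        return None  # refuse "none" and any other algorithm confusion
    expected = hmac.new(IDP_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None  # tampered payload or forged signature
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= (now or int(time.time())):
        return None  # expired
    return claims

def trusting_handler(headers: dict) -> str:
    """Vulnerable: whoever reaches this service (or a breached gateway) picks the user."""
    return headers.get("X-User-Id", "anonymous")

def verifying_handler(headers: dict, now: Optional[int] = None) -> str:
    """Hardened: identity comes only from a token this service verifies itself."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return "anonymous"
    claims = verify_token(auth[len("Bearer "):], now)
    return claims["sub"] if claims else "anonymous"
```

Because the gateway never holds `IDP_SECRET`, a compromised gateway cannot mint identities for the services behind it; in production, use a vetted JWT library and an asymmetric algorithm so services only need the provider's public key.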