API-006 recommended general

API gateway / proxy configuration

API uses gateway for centralized concerns or has properly configured CORS with whitelisted origins

Question to ask

"Who else's origin can call your API right now?"

Verification guide

Severity: Recommended

APIs should use a gateway/proxy for centralized concerns (auth, rate limiting, logging), or properly configure CORS for simpler setups.

Check automatically:

  1. Check for API gateway infrastructure:

     # AWS API Gateway
     grep -rE "aws_api_gateway|apigateway|API Gateway" terraform/ cloudformation/ serverless.yml sam.yaml 2>/dev/null

     # Kong configuration
     ls -la kong.yml kong.conf 2>/dev/null
     grep -E "kong" docker-compose*.yml 2>/dev/null

     # Traefik
     ls -la traefik.yml traefik.toml 2>/dev/null
     grep -E "traefik" docker-compose*.yml 2>/dev/null

     # nginx as reverse proxy
     ls -la nginx.conf nginx/ 2>/dev/null
     grep -E "nginx" docker-compose*.yml 2>/dev/null
     grep -rE "proxy_pass|upstream" nginx/ *.conf 2>/dev/null

  2. Check for edge platforms:

     # Cloudflare Workers
     ls -la wrangler.toml 2>/dev/null
     grep -E "cloudflare" package.json 2>/dev/null

     # Vercel Edge / Netlify Functions
     ls -la vercel.json netlify.toml 2>/dev/null
     grep -rE "edge|middleware" src/ app/ pages/ 2>/dev/null

     # GraphQL Gateway
     grep -E "\"@apollo/gateway\"|\"graphql-mesh\"|\"graphql-yoga\"" package.json 2>/dev/null

  3. Check for centralized concerns at the gateway:

     # Auth at gateway level
     grep -rE "authorize|authentication|jwt|bearer" nginx/ kong.yml traefik.yml 2>/dev/null

     # Rate limiting at gateway (cross-ref RATE-001)
     grep -rE "rate_limit|ratelimit|throttle" nginx/ kong.yml traefik.yml 2>/dev/null

     # Logging at gateway
     grep -rE "access_log|logging|log_format" nginx/ kong.yml 2>/dev/null

  4. If there is no gateway, check the CORS configuration:

     # CORS middleware
     grep -E "\"cors\"" package.json 2>/dev/null
     grep -rE "cors\(|Access-Control-Allow" src/ app/ lib/ --include="*.ts" --include="*.js" 2>/dev/null

     # CORS configuration
     grep -rE "origin:|allowedOrigins|corsOptions" src/ app/ lib/ 2>/dev/null

     # Wildcard origin (dangerous in production)
     grep -rE "origin:\s*['\"]?\*['\"]?|Access-Control-Allow-Origin.*\*" src/ app/ lib/ 2>/dev/null

  5. Check for direct service exposure:

     # Backend ports exposed directly: list host:container mappings under
     # ports:/expose: and drop the usual web entry ports (80/443/3000).
     # The port numbers sit on the lines below the key, so include context
     # with -A, and anchor the exclusion on the host port so that 8080 or
     # 8000 are not hidden by a loose match on "80".
     grep -rE -A10 "^\s*(ports|expose):" docker-compose*.yml 2>/dev/null \
       | grep -E '"?[0-9]+:[0-9]+' \
       | grep -vE '\b(80|443|3000):'

     # Multiple services without a unified entry point
     grep -rE "services:" docker-compose*.yml 2>/dev/null
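To make the distinction behind step 4 concrete, here is an added example (not code from the API-006 checklist or from any project it audits): an exact-match allowlist CORS decision of the kind the greps are looking for, shown beside the wildcard and reflected-origin patterns the same step flags, plus a small audit of an options object in the shape the `cors` npm package accepts (`origin`, `credentials`). All origins and the allowlist are constructed sample values.

```javascript
// Added example, not part of the API-006 checklist or any audited project.
// Shows an allowlist-based CORS decision next to the two weak patterns
// step 4 greps for, and an audit of a cors()-style options object.

// Constructed allowlist: full origins (scheme + host + port), compared exactly.
// Substring or unanchored regex matching is what lets
// "https://app.example.com.evil.test" through, so only Set membership is used.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Headers to emit for a request carrying the given Origin header.
// Returns {} for a missing or unlisted origin: with no CORS headers the
// browser refuses to expose the response to the calling page.
function corsHeadersFor(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (typeof originHeader !== "string" || !allowlist.has(originHeader)) {
    return {};
  }
  return {
    // Browsers accept one exact origin here, so the listed origin is echoed back.
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
    // The cache key must include Origin, or one origin's allow header could
    // be served from cache to a different origin.
    "Vary": "Origin",
  };
}

// The two patterns step 4's greps look for, kept here only for comparison.
function wildcardHeaders() {
  // "*" cannot be combined with credentials, but it still exposes every
  // unauthenticated response to any site.
  return { "Access-Control-Allow-Origin": "*" };
}
function reflectAnyOrigin(originHeader) {
  // Echoing whatever Origin arrives is "*" in effect, but unlike "*" it also
  // works with credentials, so any site can read authenticated responses.
  return {
    "Access-Control-Allow-Origin": originHeader,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Audit an options object in the shape express's cors() middleware takes
// ({ origin, credentials }). Returns a list of findings; empty means pass.
function auditCorsOptions(opts) {
  const findings = [];
  const origin = opts.origin;
  // In the cors package, origin: true reflects the request origin.
  const permissive = origin === "*" || origin === true;
  if (permissive) {
    findings.push(`origin ${JSON.stringify(origin)} allows every site`);
    if (opts.credentials) {
      findings.push("credentials enabled together with a permissive origin");
    }
  }
  if (typeof origin === "function") {
    findings.push("origin callback: review it by hand for an explicit allowlist");
  }
  if (origin instanceof RegExp) {
    findings.push("origin regex: confirm it is anchored and escapes dots");
  }
  return findings;
}

// Stand-alone demo over constructed request origins.
for (const o of ["https://app.example.com", "https://app.example.com.evil.test", undefined]) {
  console.log(String(o), "->", corsHeadersFor(o));
}
console.log("audit:", auditCorsOptions({ origin: true, credentials: true }));
```

The allowlist compares the whole origin, so a scheme downgrade (`http://app.example.com`) or a host that merely starts with an allowed value is refused; that exact-match property is what "whitelisted origins" in the pass criteria should mean in practice.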

Ask user:

  • "Do you use an API gateway or expose services directly?"
  • "Is CORS configured, and what origins are allowed?"
  • "Are auth/rate-limiting handled centrally or per-service?"

Cross-reference with:

  • RATE-001 (rate limiting - often at gateway)
  • AUTH-001 (authentication - can be centralized at gateway)
  • Section 32 (CSP headers - often set at gateway/proxy)
  • SEC-001 (Cloudflare - acts as proxy/gateway)

Pass criteria:

  • API gateway in use with centralized auth/rate-limiting/logging, OR CORS properly configured (whitelisted origins, not * in production)
  • Clear architectural decision documented
  • Single entry point for API traffic (not multiple exposed services)

Fail criteria:

  • CORS with * origin in production
  • Auth logic duplicated across multiple services with no gateway
  • Backend services directly exposed to internet without proxy
  • No clear API architecture decision

Evidence to capture:

  • Gateway/proxy in use (if any)
  • CORS configuration (origins allowed)
  • Whether concerns are centralized or distributed
  • Architectural documentation

Section: 31. API Design (API & Security)