Vulnerability Discussion
An API gateway acts as a centralized point for managing and securing API traffic, enhancing the overall security posture of an API ecosystem.
The API Gateway helps protect backend services by abstracting and securing access to APIs, enabling features such as authentication, authorization, rate limiting, and IP whitelisting. It can enforce security policies like SSL/TLS encryption, protect against distributed denial-of-service (DDoS) attacks, and log and audit all requests for compliance and monitoring.
It simplifies the management of API keys, tokens, and other credentials, reducing the exposure of sensitive information. By consolidating security functions in the API gateway, organizations can better manage and enforce consistent security measures across all API endpoints, ensuring a stronger defense against potential threats.
Check
Note: The authorizing official (AO) may conduct a risk assessment if not using an API Gateway.
The API must be routed through a gateway that enforces protections against denial-of-service (DoS) attacks such as rate limiting, request throttling, and anomaly detection in accordance with organization-defined thresholds.
If the API does not use a gateway, this is a finding.
Fix
Build or configure the API to use a gateway.
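The check above requires the gateway to enforce rate limiting, request throttling, and anomaly detection against organization-defined thresholds. The following is an added illustration, not code from any STIG or gateway product: a per-client token-bucket limiter with a simple anomaly rule of the kind a gateway applies in front of the API. The `Thresholds` values, client IDs, and request timestamps are constructed placeholders for whatever thresholds the organization defines.

```python
import time
from dataclasses import dataclass

@dataclass(frozen=True)
class Thresholds:  # organization-defined thresholds; the sample values below are constructed
    rate_per_sec: float    # sustained requests per second refilled into the bucket
    burst: int             # bucket capacity: requests accepted in one burst
    anomaly_window: float  # seconds over which throttled requests are counted
    anomaly_rejects: int   # throttled requests in the window that flag the client

class GatewayRateLimiter:  # per-client token bucket plus a simple anomaly rule
    def __init__(self, thresholds, clock=time.monotonic):
        self.t, self.clock = thresholds, clock
        self.buckets = {}   # client_id -> (tokens, last_refill_time)
        self.rejects = {}   # client_id -> timestamps of recent throttled requests
        self.blocked = {}   # client_id -> time until which the client is blocked

    def check(self, client_id):
        """Return (status, reason): 200 allow, 429 throttle, 403 anomalous client."""
        now = self.clock()
        if self.blocked.get(client_id, 0.0) > now:
            return 403, "client blocked by anomaly rule"
        tokens, last = self.buckets.get(client_id, (float(self.t.burst), now))
        tokens = min(self.t.burst, tokens + (now - last) * self.t.rate_per_sec)
        if tokens >= 1.0:
            self.buckets[client_id] = (tokens - 1.0, now)
            return 200, "allowed"
        self.buckets[client_id] = (tokens, now)
        recent = [ts for ts in self.rejects.get(client_id, []) if now - ts <= self.t.anomaly_window]
        recent.append(now)
        self.rejects[client_id] = recent
        if len(recent) >= self.t.anomaly_rejects:
            self.blocked[client_id] = now + self.t.anomaly_window
            return 403, "client blocked by anomaly rule"
        return 429, "rate limit exceeded"

def simulate(thresholds, requests):
    """Replay constructed (timestamp, client_id) pairs; the clock follows the timestamps."""
    current = [0.0]
    limiter = GatewayRateLimiter(thresholds, clock=lambda: current[0])
    statuses = []
    for ts, client in requests:
        current[0] = ts
        statuses.append(limiter.check(client)[0])
    return statuses

# Constructed sample: client "a" bursts past its limit and gets blocked; client "b" is unaffected.
SAMPLE = Thresholds(rate_per_sec=2.0, burst=3, anomaly_window=10.0, anomaly_rejects=5)
REQUESTS = [(0.0, "a")] * 4 + [(0.5, "a")] * 2 + [(0.6, "a")] * 3 + [(0.6, "b")]
if __name__ == "__main__":
    print(simulate(SAMPLE, REQUESTS))  # [200, 200, 200, 429, 200, 429, 429, 429, 403, 200]
```

Each decision is returned as a status code so the gateway can log it for the audit trail the discussion section calls for; the anomaly block expires after `anomaly_window` seconds.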