API Gateway Security Hardening

Introduction

A B2B SaaS company deployed their API behind AWS API Gateway, implementing OAuth 2.0 authentication and feeling confident about their security posture. Months later, they discovered attackers had been scraping their entire customer database. The breach didn't exploit authentication—it exploited the lack of rate limiting. Attackers authenticated with a compromised credential and iterated through customer IDs at thousands of requests per minute, extracting data faster than any human user ever would.

API gateways serve as the entry point for all API traffic, making them critical for security. They can enforce authentication, rate limiting, input validation, and protection against common attacks. But these protections only work when properly configured. Misconfigured gateways create a false sense of security while leaving backend services exposed.

API Gateway Security Functions

Authentication and Authorization: Verify client identity and permissions before requests reach backends
Rate Limiting and Throttling: Protect against abuse, credential stuffing, and data scraping
Input Validation: Reject malformed or malicious requests at the edge
Protocol Translation: Terminate TLS, enforce HTTPS, and handle protocol conversion
Monitoring and Logging: Capture request data for security analysis

Most gateways ship with minimal security defaults. Teams must explicitly configure each protection layer.

Authentication at the Gateway

Centralizing authentication prevents bypass and inconsistent implementations.

JWT Validation (AWS API Gateway):

components:
  securitySchemes:
    jwtAuth:
      type: http
      scheme: bearer
      bearerFormat: JWT
      x-amazon-apigateway-authorizer:
        type: jwt
        jwtConfiguration:
          issuer: "https://auth.company.com"
          audience: ["api.company.com"]
        identitySource: "$request.header.Authorization"

Key validation points:

Verify token signature against trusted issuer's public keys
Validate iss (issuer), aud (audience), and exp (expiration) claims
Check for required scopes or permissions
Reject tokens with alg: none or weak algorithms

API Key Best Practices:

Rotate keys regularly
Use different keys per client/integration
Hash keys in storage (never store plaintext)
Implement key scoping (not all keys access all endpoints)

mTLS: For high-security scenarios, require client certificates for mutual authentication.

Rate Limiting and Throttling

Apply limits at multiple levels:

# Kong rate limiting with multiple tiers
plugins:
  - name: rate-limiting
    config:
      second: 10
      minute: 100
      hour: 1000
      policy: redis
      limit_by: credential
      fault_tolerant: true

Different limits for different contexts:

Per IP address (catch unauthenticated abuse)
Per API key or token (catch compromised credentials)
Per endpoint (protect sensitive operations)
Per user (prevent individual abuse)

Response handling: Return 429 Too Many Requests with Retry-After header. Don't reveal specific limits to potential attackers.

Input Validation

Validate all input at the gateway:

paths:
  /users:
    post:
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [email, name]
              properties:
                email:
                  type: string
                  format: email
                  maxLength: 255
                name:
                  type: string
                  minLength: 1
                  maxLength: 100
                  pattern: "^[a-zA-Z\\s]+$"
              additionalProperties: false

Also enforce size limits to prevent resource exhaustion:

plugins:
  - name: request-size-limiting
    config:
      allowed_payload_size: 8
      size_unit: megabytes

WAF Integration

AWS WAF rules for API Gateway:

resource "aws_wafv2_web_acl" "api_protection" {
  name  = "api-gateway-protection"
  scope = "REGIONAL"
  
  default_action { allow {} }
 
  rule {
    name     = "AWSManagedRulesCommonRuleSet"
    priority = 1
    override_action { none {} }
    statement {
      managed_rule_group_statement {
        name        = "AWSManagedRulesCommonRuleSet"
        vendor_name = "AWS"
      }
    }
  }
 
  rule {
    name     = "RateLimitRule"
    priority = 0
    action { block {} }
    statement {
      rate_based_statement {
        limit              = 2000
        aggregate_key_type = "IP"
      }
    }
  }
}

Secure Communication

Enforce TLS 1.2+ and add security headers:

plugins:
  - name: response-transformer
    config:
      add:
        headers:
          - Strict-Transport-Security:max-age=31536000; includeSubDomains
          - X-Content-Type-Options:nosniff
          - X-Frame-Options:DENY
          - Content-Security-Policy:default-src 'none'

Redirect HTTP to HTTPS and never allow plaintext API traffic.

Logging and Monitoring

Capture security-relevant events:

Authentication failures (potential credential stuffing)
Rate limit violations (abuse attempts)
WAF blocks (attack attempts)
Unusual API patterns (reconnaissance or scraping)
Geographic anomalies (access from unexpected locations)

Conclusion

API gateway security requires explicit configuration—default settings rarely provide adequate protection. Authentication, rate limiting, input validation, and WAF rules must all be properly configured and tested. A misconfigured gateway creates a false sense of security while attackers exploit gaps.

Testing API gateway configurations validates that protections work as expected. On-demand security testing can identify authentication bypasses, rate limiting gaps, and input validation weaknesses before attackers exploit them. RedVeil's AI-powered platform tests APIs for these vulnerabilities, providing verified findings with clear remediation guidance.

Start testing your API security with RedVeil today.