Check: SRG-APP-000419-API-000945
Application Programming Interface (API) SRG:
SRG-APP-000419-API-000945
(in version v1 r1)
Title
Clients must be configured to route requests through a single API gateway that enforces the association and transmission of organization-defined security attributes with each request. (Cat II impact)
Discussion
Using a single API gateway URL for all client communications centralizes key aspects of security management, such as authentication, rate limiting, and logging. It also protects backend services by acting as a barrier and reduces their exposure to potential attacks. By routing all client requests through a single entry point, the API gateway centralizes the handling of authentication, authorization, and request routing, so individual APIs no longer need to handle these concerns independently. This ensures that security measures, such as token validation and rate limiting, can be consistently enforced across all services without requiring each backend API to manage these functions on its own. It also simplifies the management of API versions and access policies, since updates or changes can be applied at the gateway level rather than by modifying each individual API. Using a single URL allows the gateway to aggregate and forward requests to the appropriate backend services, optimizing traffic routing and improving performance. This approach enhances security by providing a single point of control and monitoring, making it easier to detect and respond to potential threats, and improves scalability by allowing the API infrastructure to handle growing traffic more efficiently.
Check Content
Note: The authorizing official (AO) may conduct a risk assessment if not using an API Gateway.

Check client API endpoints: Examine the client-side code (whether a web app, mobile app, or another service) to confirm that all API calls are configured to point to a single gateway URL.

Review the access logs or traffic logs of the API gateway to determine where incoming requests are coming from. Verify all requests are originating from the expected single API gateway endpoint.

If the API is not configured to route requests through a single, authorized API Gateway endpoint, this is a finding.
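As an added example (not part of the SRG text), the following Python script automates the two parts of this check: it scans client configuration for API base URLs whose host is not the authorized gateway, and it scans access-log lines for requests whose source address is not a gateway address. The gateway host name, gateway addresses, client configuration and log lines are all constructed placeholders, and the script assumes the logs are in the common Apache/NGINX combined format; adapt the constants and the log pattern to the environment under review.

```python
"""Automated evidence gathering for the single-API-gateway check.

Constructed example: the gateway host, gateway source addresses, client
configuration and log lines below are placeholders, not values from the SRG.
"""
import re
from urllib.parse import urlparse

# Assumed values for the environment under review.
AUTHORIZED_GATEWAY_HOST = "api-gateway.example.internal"
GATEWAY_SOURCE_ADDRS = {"10.0.1.10", "10.0.1.11"}

# Constructed client configuration: two calls go through the gateway,
# one references a backend service directly.
CLIENT_CONFIG = """
API_BASE_URL=https://api-gateway.example.internal/v1
USERS_URL=https://api-gateway.example.internal/v1/users
BILLING_URL=https://billing-svc.example.internal:8443/invoices
"""

# Constructed backend access-log lines (combined log format). The third
# request did not arrive from a gateway address.
BACKEND_ACCESS_LOG = [
    '10.0.1.10 - - [10/Oct/2024:13:55:36 +0000] "GET /v1/users HTTP/1.1" 200 512',
    '10.0.1.11 - - [10/Oct/2024:13:55:40 +0000] "POST /v1/orders HTTP/1.1" 201 87',
    '192.168.50.23 - - [10/Oct/2024:13:56:02 +0000] "GET /invoices HTTP/1.1" 200 9001',
]

URL_PATTERN = re.compile(r"https?://[^\s\"'<>]+")
LOG_PATTERN = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def find_bypassing_endpoints(config_text, gateway_host=AUTHORIZED_GATEWAY_HOST):
    """Return every URL in the client config whose host is not the gateway."""
    findings = []
    for url in URL_PATTERN.findall(config_text):
        host = urlparse(url).hostname or ""
        if host.lower() != gateway_host.lower():
            findings.append(url)
    return findings


def find_direct_backend_requests(log_lines, gateway_addrs=GATEWAY_SOURCE_ADDRS):
    """Return (source, request) pairs for log entries not sent by the gateway."""
    findings = []
    for line in log_lines:
        match = LOG_PATTERN.match(line)
        if not match:
            continue  # unparseable line; a stricter review would flag these too
        if match.group("src") not in gateway_addrs:
            findings.append((match.group("src"), match.group("req")))
    return findings


def evaluate(config_text, log_lines):
    """Combine both checks; 'finding' is True if either produces evidence."""
    bypass = find_bypassing_endpoints(config_text)
    direct = find_direct_backend_requests(log_lines)
    return {
        "client_endpoints_not_via_gateway": bypass,
        "backend_requests_not_from_gateway": direct,
        "finding": bool(bypass or direct),
    }


if __name__ == "__main__":
    result = evaluate(CLIENT_CONFIG, BACKEND_ACCESS_LOG)
    for key, value in result.items():
        print(f"{key}: {value}")
```

The host comparison is deliberately done on the parsed hostname rather than by substring search, so a backend URL such as `https://billing-svc.example.internal:8443/...` is flagged even when the gateway's domain suffix appears elsewhere in the string; the log check compares the source address against an explicit allow-list of gateway addresses, which is the evidence the reviewer needs to show that no client reaches a backend directly.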
Fix Text
Clients must be configured to call a single API gateway URL rather than accessing backend services directly.
Additional Identifiers
Rule ID: SV-274697r1143731_rule
Vulnerability ID: V-274697
Group Title: SRG-APP-000419
Expert Comments
CCIs
| Number | Definition |
|---|---|
| CCI-002455 | Associate organization-defined security attributes with information exchanged between system components. |
Controls
| Number | Title |
|---|---|
| SC-16 | Transmission of Security and Privacy Attributes |