API Gateway

Features

1. JWT Token Validation at Gateway Level

• All requests (except public endpoints) require valid JWT tokens
• Tokens validated against Identity Service's JWK Set
• Automatic role-based access control (RBAC)
• Token expiration and signature verification

2. CORS (Cross-Origin Resource Sharing)

• Environment-based configuration - No hardcoded values
• Explicit header allowlist - No wildcard (*) in production
• Credentials support - Properly configured for cookie/token auth
• Preflight caching - Reduces OPTIONS requests

3. Rate Limiting

• Distributed rate limiting using Redis
• Per-user and per-IP limits to prevent abuse
• Token bucket algorithm for smooth request flow
• Graceful degradation - Fails open if Redis is down

4. Security Headers

• HSTS - Enforces HTTPS usage
• CSP - Prevents XSS attacks
• X-Frame-Options - Prevents clickjacking
• XSS Protection - Browser-level protection

5. Circuit Breaker Pattern

• Prevents cascade failures when services are down
• Automatic fallback responses
• Self-healing with half-open state
• Configurable failure thresholds

6. Request/Response Logging

• Unique correlation ID for distributed tracing
• Sanitized logging (tokens redacted)
• Request duration tracking
• Essential for debugging production issues

# Exceed rate limit
for i in {1..150}; do
  curl http://localhost:9090/api/stalls
done