
API Gateway Security

  • Type: security
  • Kind: SecurityIndex
  • ID: security.api-gateway
  • Status: draft
  • Source: specs/security/examples/security.example.yaml

YAML

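# upss Security resource: the first canonical authn/authz specification for the
# API gateway. The gateway sits in the dmz zone between the public internet and
# the internal backend services; the secrets store is a separate restricted zone.
apiVersion: jdai.upss/v1
kind: Security
id: security.api-gateway
version: 1
status: draft
metadata:
  owners:
    - JerrettDavis
  reviewers:
    - upss-security-architecture-agent
  # Quoted so YAML 1.1 loaders keep the ISO date as a string instead of
  # silently coercing it to a date/timestamp type.
  lastReviewed: "2026-03-07"
  changeReason: Establish the first canonical security specification for API gateway authentication and authorization.
authnModel: oauth2
authzModel: rbac
# Trust zones listed from least to most trusted. ctrl.tls-enforcement below
# requires TLS 1.3 on all traffic that crosses any of these zone boundaries.
trustZones:
  - name: public-internet
    level: public
  - name: api-gateway
    level: dmz
  - name: backend-services
    level: internal
  - name: secrets-store
    level: restricted
threats:
  - id: threat.token-theft
    description: An attacker steals an OAuth2 access token via XSS or network interception.
    severity: critical
    # ctrl.tls-enforcement covers the network-interception vector only: a token
    # read by injected script (XSS) leaves over a legitimate TLS session, and
    # ctrl.short-lived-tokens bounds how long it stays usable rather than
    # preventing the theft. NOTE(review): no listed control addresses the XSS
    # vector itself — confirm with the owners whether one is intended.
    mitigatedBy:
      - ctrl.short-lived-tokens
      - ctrl.tls-enforcement
  - id: threat.privilege-escalation
    description: A user modifies their role claim to access restricted resources.
    severity: high
    # NOTE(review): server-side RBAC only defeats a tampered role claim if the
    # claim's integrity is verified (e.g. the token signature is checked) before
    # the role is trusted; that step is not stated here — confirm against the
    # gateway's token validation.
    mitigatedBy:
      - ctrl.server-side-rbac
controls:
  - id: ctrl.short-lived-tokens
    description: Access tokens expire within 15 minutes and require refresh token rotation.
    type: preventive
  - id: ctrl.tls-enforcement
    description: All traffic between trust zones is encrypted with TLS 1.3.
    type: preventive
  - id: ctrl.server-side-rbac
    description: Role-based access control is enforced server-side on every request.
    type: preventive
# Every control above is preventive; no detective control is listed, so a
# stolen token used inside its validity window would not be noticed by this
# specification's controls — which is the residual risk recorded below.
residualRisks:
  - threatId: threat.token-theft
    justification: Short-lived tokens limit the blast radius but cannot prevent in-flight token use during the validity window.
trace:
  upstream:
    - specs/capabilities/examples/capabilities.example.yaml
  downstream:
    # No deployment or operations artefacts are traced yet; explicit [] so the
    # keys deserialize as empty lists rather than null.
    deployment: []
    operations: []
    testing:
      - tests/JD.AI.Tests/Specifications/SecuritySpecificationRepositoryTests.cs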