microservice security - yibinericxia/documents GitHub Wiki
API security is different from data security: it protects access to the endpoints and controls what data a caller can reach through them. Endpoints and request parameters should never contain sensitive data unless that data is tokenized.
Use role-based authentication and authorization to secure the APIs unless they are public.
Data security, such as tokenization, prevents data from being exposed to the wrong audience. Please see database security for more details.
Pay attention to the following areas:
- CI/CD
- Logs
  No sensitive data, such as customer emails, IP addresses, telephone or credit card numbers, and other credentials, in log files.
- Data analytics
- Data movement
  Discover all the data and its flow, including less secured data stores used for development, shadow data, and even abandoned data stores. Do not share any data by copying it around. Use proper IAM configuration and access control so that users who need data can retrieve it themselves instead of asking for it to be shared.
Consider using SecurityFilterChain alone for API-only services, as WebMvcConfigurer is for the full MVC configuration with form-based login, session management, view rendering, etc. SecurityFilterChain lets you configure only stateless authentication, such as JWT or API keys, without session management.