Discuss network security of Discovery API #78

Open
kfriedman opened this issue Aug 11, 2017 · 0 comments
@kfriedman

Right now, the API Gateway forwards requests to the Discovery API Beanstalk (http://discovery-api-production.us-east-1.elasticbeanstalk.com/). Normally, servers would NOT be directly, publicly accessible and the API Gateway would provide DoS protection, authentication, etc. and only forward authenticated requests to protected endpoints.

However, when forwarding requests to HTTP integrations from the API Gateway like we're doing with the Discovery API, it requires that servers be publicly accessible. This essentially exposes protected endpoints like: http://discovery-api-production.us-east-1.elasticbeanstalk.com/api/v0.1/request/deliveryLocationsByBarcode.

The "right" way to handle this, from AWS's perspective, is to use Client-Side SSL Certificates for Authentication by the Backend. However, this might be overly complicated.

Anyway, let's discuss and see if we can come up with a good solution.
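
The client-certificate option mentioned in the issue, sketched from the backend's side as an added example (not part of the original issue and not the project's code). It assumes a Node.js backend that terminates TLS itself; the function names, the `tlsFiles` fields and the pinned fingerprint are hypothetical.

```javascript
// Added example. Assumption: the gateway's client certificate has been
// exported as PEM and its SHA-256 fingerprint recorded out of band.

// TLS options that make the server demand a client certificate during the
// handshake and reject any that does not verify against the gateway's cert.
function mtlsServerOptions({ key, cert, gatewayCertPem }) {
  return {
    key,
    cert,
    ca: [gatewayCertPem],     // only trust anchor: the gateway's certificate
    requestCert: true,        // ask every client for a certificate
    rejectUnauthorized: true, // abort the handshake if verification fails
  };
}

// Normalise "AA:BB:..." or "aabb..." to lowercase hex without separators.
function normalizeFingerprint(fp) {
  return String(fp || '').replace(/:/g, '').toLowerCase();
}

// Connect/Express-style middleware: a second check after the handshake that
// pins the SHA-256 fingerprint of the certificate the client presented.
function requireGatewayCert(pinnedFingerprint256) {
  const pinned = normalizeFingerprint(pinnedFingerprint256);
  return function (req, res, next) {
    const socket = req.socket;
    const peer = socket && typeof socket.getPeerCertificate === 'function'
      ? socket.getPeerCertificate()
      : null;
    const ok = Boolean(socket && socket.authorized && peer && peer.fingerprint256) &&
      normalizeFingerprint(peer.fingerprint256) === pinned;
    if (!ok) {
      res.statusCode = 403;
      res.end('client certificate required');
      return;
    }
    next();
  };
}

// Wire both checks in front of an existing request handler `app`.
async function startServer(app, tlsFiles, pinnedFingerprint256, port) {
  const https = await import('node:https');
  const gate = requireGatewayCert(pinnedFingerprint256);
  return https
    .createServer(mtlsServerOptions(tlsFiles), (req, res) => gate(req, res, () => app(req, res)))
    .listen(port);
}
```

With this in place, a request sent straight to the public backend hostname without the gateway's certificate fails the TLS handshake before any route handler runs.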
