This article summarizes how Postman builds a secure and reliable BFF (backend for frontend). It can serve as a reference for improving BFF security step by step; the main lesson is how to think about security end to end, while the specific implementation methods and tools can be chosen to suit the project.

The original link

Points to consider when building a secure BFF

  • Single points of failure and attack
  • Public-facing services
  • Handling user input
  • How do you quantify API security?

Security metrics

A secure interface must meet the following requirements:

  • Confidentiality: only authorized personnel can access the corresponding data
  • Integrity (consistency): the data provided by your service cannot be tampered with
  • Availability: content is available to authorized users on demand

BFF data flow

The figure below shows the role of the BFF in a complete data flow, covering the key phases from inflow to outflow. There are three main stages:

  • The client initiates data flow into the BFF
  • BFF interacts with services
  • BFF consolidates the service results out to the client

Next, we analyze the security work required at each stage, starting from data inflow.

Building security when data flows in

After the BFF receives a request, validity checks should be carried out first.

Validation

How much validation the BFF should do

  • The BFF does not need to perform all validation itself
  • The BFF should complete the checks within its own scope:
    • Authentication
    • Request header checks
  • Business-logic-specific checks are pushed down to the downstream services

The critical path

The critical path is the set of services that must be invoked before a request reaches the business logic. Its length is an indicator of how much verification the BFF performs. The critical path should be short and have error handling. Two services are commonly on it:

  • Authentication service
  • Authorization (access-control) service

Principle of least privilege

For permissions, the conservative principle of least privilege (PoLP) is generally adopted:

  • Users can access only the minimum resources necessary
  • By default, a user is assumed to have no access
  • Access is granted only under explicit conditions
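The three sections above (validation scope, a short critical path, least privilege) fit together as one small pipeline. The following is an added example, not Postman's code or code from the talk: a BFF critical path of three steps (header checks, authentication, default-deny authorization) in plain Node.js. The session store, the policy table, the request shape and the `runPipeline` name are constructed for illustration.

```javascript
// Added example (not Postman's code): the BFF's short critical path as a
// pipeline of three steps, each owning one check. The session store, the
// policy table and the request shape are constructed for illustration.

// Constructed stand-in for the authentication service: token -> session.
const SESSIONS = new Map([
  ['tok-alice', { userId: 'u1', roles: ['reader'] }],
  ['tok-bob', { userId: 'u2', roles: ['reader', 'admin'] }],
]);

// Constructed access policy: "METHOD /path" -> roles allowed.
// Anything not listed is denied (least privilege: default deny).
const POLICY = {
  'GET /profile': ['reader', 'admin'],
  'DELETE /users': ['admin'],
};

class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Step 1: request-header checks the BFF owns (media type, bounded body).
function checkHeaders(req) {
  if (req.method !== 'GET' && req.headers['content-type'] !== 'application/json') {
    throw new HttpError(415, 'unsupported media type');
  }
  if (Number(req.headers['content-length'] || 0) > 64 * 1024) {
    throw new HttpError(413, 'payload too large');
  }
}

// Step 2: authentication. Resolve the bearer token to a session or stop.
function authenticate(req) {
  const [scheme, token] = (req.headers.authorization || '').split(' ');
  if (scheme !== 'Bearer' || !token) throw new HttpError(401, 'missing token');
  const session = SESSIONS.get(token);
  if (!session) throw new HttpError(401, 'invalid token');
  req.user = session;
}

// Step 3: authorization. Only an explicit policy entry grants access.
function authorize(req) {
  const allowed = POLICY[`${req.method} ${req.path}`] || [];
  if (!req.user.roles.some((role) => allowed.includes(role))) {
    throw new HttpError(403, 'forbidden');
  }
}

const CRITICAL_PATH = [checkHeaders, authenticate, authorize];

// Run the critical path; the first failure short-circuits with its status.
// Business-specific validation is deliberately not here: it belongs to the
// downstream service that owns the data.
function runPipeline(req) {
  try {
    for (const step of CRITICAL_PATH) step(req);
    return { status: 200, user: req.user.userId }; // hand off to business logic
  } catch (err) {
    if (err instanceof HttpError) return { status: err.status, error: err.message };
    return { status: 500, error: 'internal error' }; // never expose internals
  }
}

console.log(runPipeline({ method: 'GET', path: '/profile', headers: { authorization: 'Bearer tok-alice' } }));
```

The step order matters: the cheapest checks run first, every failure maps to one explicit status, and an unknown route falls through to 403 rather than to the business logic, which is what default deny means in practice.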

Example

Below is the BFF architecture used by Postman.

They separate access control and validation from the business logic, and use a Yeoman generator with predefined security settings to scaffold the stack.

Maintaining dependencies

Enforce strict version control with lockfiles when maintaining dependencies, and use tooling in the CI pipeline to detect vulnerable packages. Tools: nsp, npm audit, Snyk.

Mandatory security checks

Use the following mandatory measures to perform security checks:

  • Configure lint rules for security checks
  • Catch problematic configuration items in the system test phase
  • Complete E2E testing using Postman Collections integrated into the CI pipeline
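The two preceding sections ask for strict lockfiles and for vulnerable-dependency scanning in CI. Here is an added example, not Postman's code and not part of npm, of two CI gates written as a Node.js script: one verifies that every declared dependency is pinned in the lockfile with an integrity hash, the other fails the pipeline when `npm audit --json` reports findings at or above a severity threshold. The package.json, lockfile (lockfileVersion 2/3 layout) and audit report embedded below are constructed samples, and the function names are my own.

```javascript
// Added example (not Postman's or npm's code): two CI gates for dependency
// hygiene. All inputs below are constructed stand-ins for package.json,
// package-lock.json (lockfileVersion 2/3 layout) and `npm audit --json`.

// Gate 1: every declared dependency must be pinned in the lockfile with an
// integrity hash, so `npm ci` installs exactly what was reviewed.
function lockfileStrict(pkg, lock) {
  const problems = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const name of Object.keys(declared)) {
    const entry = (lock.packages || {})[`node_modules/${name}`];
    if (!entry) { problems.push(`${name}: missing from lockfile`); continue; }
    if (!entry.version) problems.push(`${name}: no version`);
    if (!entry.integrity) problems.push(`${name}: no integrity hash`);
  }
  return { ok: problems.length === 0, problems };
}

// Gate 2: fail when the audit reports findings at or above a threshold.
// `metadata.vulnerabilities` is the per-severity summary npm audit prints.
const SEVERITY_ORDER = ['info', 'low', 'moderate', 'high', 'critical'];

function auditGate(auditReport, threshold = 'high') {
  const counts = (auditReport.metadata && auditReport.metadata.vulnerabilities) || {};
  const min = SEVERITY_ORDER.indexOf(threshold);
  if (min < 0) throw new Error(`unknown threshold ${threshold}`);
  let blocking = 0;
  for (const sev of SEVERITY_ORDER.slice(min)) blocking += counts[sev] || 0;
  return { ok: blocking === 0, blocking, threshold };
}

// Constructed samples: lodash is deliberately missing its integrity hash and
// the audit report contains one critical finding.
const SAMPLE_PKG = { dependencies: { express: '^4.18.0', lodash: '^4.17.21' } };
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { dependencies: { express: '^4.18.0', lodash: '^4.17.21' } },
    'node_modules/express': { version: '4.18.2', integrity: 'sha512-CONSTRUCTED' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};
const SAMPLE_AUDIT = {
  metadata: { vulnerabilities: { info: 0, low: 2, moderate: 1, high: 0, critical: 1, total: 4 } },
};

// Run both gates; the pipeline should proceed only when both pass.
function runGates(pkg = SAMPLE_PKG, lock = SAMPLE_LOCK, audit = SAMPLE_AUDIT) {
  const lockResult = lockfileStrict(pkg, lock);
  const auditResult = auditGate(audit, 'high');
  return { ok: lockResult.ok && auditResult.ok, lockResult, auditResult };
}

console.log(JSON.stringify(runGates(), null, 2));
```

In a real pipeline the two JSON inputs come from the checked-in files and from `npm audit --json`; the threshold is a policy choice, and lowering it to `moderate` is usually the next step once the high and critical backlog is clear.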

Securing communication between the BFF and services

After the critical path, the connection between the BFF and the microservices needs to be secured in the following aspects.

Credentials for calling services

  • The BFF developer is isolated from the internal implementation of the service
  • Prevent authentication information from leaking into responses and logs
  • Allow key rotation without changing server-side code

Tag the request

  • Associate each incoming request with a user token
  • Each service can use this token to retrieve user metadata and apply authentication

Eliminate unauthorized-access loopholes

  • Avoid IDOR (insecure direct object references)
  • Every user-initiated action must be authenticated based on the user token

Logging

  • Filter sensitive information and user data out of the logs
  • Use heuristics to prevent unexpected recording of sensitive values
  • Track BFF logs to prevent user identity theft
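The three sections above (request tagging, IDOR avoidance, log scrubbing) are easiest to see together in one call path. The following is an added example, not Postman's code: the BFF tags its downstream call with the caller's token and request id, the order service derives ownership from that token instead of trusting any client-supplied user id, and the BFF scrubs credentials and personal data before writing its log line. The token table, the order store, the redaction regexes and all function names are constructed.

```javascript
// Added example (not Postman's code): request tagging, token-based ownership
// checks (IDOR prevention) and log scrubbing in one BFF -> service call.
// Tokens, the order store and the redaction heuristics are constructed.

// Constructed identity service: token -> user id.
const TOKENS = new Map([['tok-alice', 'u1'], ['tok-bob', 'u2']]);
// Constructed order store with owners.
const ORDERS = new Map([
  ['o-100', { owner: 'u1', total: 42 }],
  ['o-200', { owner: 'u2', total: 99 }],
]);

// Downstream service: authorization is re-derived from the tagged token,
// never from a user id the client could tamper with.
function orderService(call) {
  const userId = TOKENS.get(call.headers['x-user-token']);
  if (!userId) return { status: 401, body: { error: 'unauthenticated' } };
  const order = ORDERS.get(call.orderId);
  // Same answer for "missing" and "not yours", so ids cannot be enumerated.
  if (!order || order.owner !== userId) return { status: 404, body: { error: 'not found' } };
  return { status: 200, body: { id: call.orderId, total: order.total } };
}

// Log scrubbing: credential-looking keys are dropped, e-mail addresses are
// masked, and a constructed heuristic catches token-shaped values that land
// in unexpected fields.
const SECRET_KEYS = /^(authorization|cookie|set-cookie|password|.*secret.*|.*token.*)$/i;
const EMAIL_RE = /([^@\s])[^@\s]*(@[^\s]+)/g;
const TOKEN_LIKE = /^(tok-[\w-]+|eyJ[\w-]+\.[\w-]+\.[\w-]*|[A-Fa-f0-9]{32,})$/;

function scrubForLog(value) {
  if (Array.isArray(value)) return value.map(scrubForLog);
  if (value && typeof value === 'object') {
    const out = {};
    for (const [k, v] of Object.entries(value)) {
      out[k] = SECRET_KEYS.test(k) ? '[REDACTED]' : scrubForLog(v);
    }
    return out;
  }
  if (typeof value === 'string') {
    if (TOKEN_LIKE.test(value)) return '[REDACTED]';
    return value.replace(EMAIL_RE, '$1***$2');
  }
  return value;
}

// BFF handler: tag the outgoing call with the user's token and request id,
// then log a scrubbed record of what was sent and what came back.
function bffGetOrder(incoming, log = []) {
  const token = (incoming.headers.authorization || '').replace(/^Bearer /, '');
  const call = {
    orderId: incoming.params.id,
    headers: { 'x-user-token': token, 'x-request-id': incoming.requestId },
  };
  const res = orderService(call);
  const email = incoming.user && incoming.user.email;
  log.push(scrubForLog({ requestId: incoming.requestId, call, status: res.status, email }));
  return res;
}

const demoLog = [];
console.log(bffGetOrder({ requestId: 'r1', params: { id: 'o-100' },
  headers: { authorization: 'Bearer tok-alice' }, user: { email: 'alice@example.com' } }, demoLog));
console.log(JSON.stringify(demoLog));
```

Two design points worth noting: the service answers 404 for both a missing order and someone else's order, so a client cannot tell the two apart, and the scrubber redacts by key name first and by value shape second, which is the "heuristic" layer that catches a token copied into a field nobody expected.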

Securing outbound content when the BFF communicates with clients

After receiving the microservice responses, the BFF merges them and returns the result to the client, completing the data outflow. The security work in this phase is as follows:

HTTPS / HSTS

  • Choose certificates based on your needs and the level of user trust required
  • Make sure third-party calls and redirects go over HTTPS
  • After verifying that all content is served over HTTPS, enable HSTS (and preloading)

Content-Security-Policy

  • Reduces the harm caused by malicious code injection
  • Use report-only mode first to avoid side effects
  • Ideal for preventing data leaks, with one gap: links (hrefs) are not covered

Other headers

  • CORS: who may access your resources
  • X-XSS-Protection: detects and blocks XSS in some browsers
  • X-Frame-Options: allows or denies displaying the site in an iframe
  • HPKP: allows HTTPS sites to resist impersonation (since deprecated and removed from major browsers)
  • SRI: verifies third-party assets
  • See: OWASP Secure Headers Project

Caveats

  • Support for each header depends on the client browser
  • You cannot rely on headers alone to secure the BFF
  • Security work in this phase is not a substitute for input validation and output formatting

Security of the BFF layer's own infrastructure

After securing the data flow, the BFF layer's own infrastructure also needs security work.

Audit and automation

  • What to review
    • Developer access rights
    • Operating configuration
    • Creation of new resources
  • Postman's practice
    • Use Postman Collections for reliable resource creation
    • Periodically audit the service using Postman Monitors
    • Use a Postman Collection to perform the health check
      • Validate key configuration values for the environment
      • If an obvious error is found, block the deployment (for example, a leaked private key)
      • This is a safeguard, not a test procedure
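The health check described above validates configuration and blocks a deployment on obvious errors such as a private key in a config value. The following is an added example, not Postman's code or a Postman Collection: a Node.js pre-deployment check that walks a configuration object, runs a small set of blocking and non-blocking checks, and reports whether the rollout may proceed. The config shape, the key names and the specific checks are constructed.

```javascript
// Added example (not Postman's code): a pre-deployment health check that
// validates configuration and blocks the rollout on obvious mistakes.
// The config shape, key names and checks are constructed.

const PRIVATE_KEY_RE = /-----BEGIN [A-Z ]*PRIVATE KEY-----/;

// Visit every leaf of a nested config with its dotted path.
function walk(obj, visit, path = '') {
  for (const [k, v] of Object.entries(obj || {})) {
    const p = path ? `${path}.${k}` : k;
    if (v && typeof v === 'object') walk(v, visit, p); else visit(p, v);
  }
}

// Each check returns a problem string or null. Blocking checks stop the
// deployment; the rest only warn.
const CHECKS = [
  {
    name: 'no private key material in config',
    blocking: true,
    run: (cfg) => {
      const leaks = [];
      walk(cfg, (p, v) => { if (typeof v === 'string' && PRIVATE_KEY_RE.test(v)) leaks.push(p); });
      return leaks.length ? `private key in ${leaks.join(', ')}` : null;
    },
  },
  {
    name: 'service URLs use https',
    blocking: true,
    run: (cfg) => {
      const bad = [];
      walk(cfg, (p, v) => { if (typeof v === 'string' && /^http:\/\//.test(v)) bad.push(p); });
      return bad.length ? `plain http at ${bad.join(', ')}` : null;
    },
  },
  {
    name: 'debug disabled in production',
    blocking: true,
    run: (cfg) => (cfg.env === 'production' && cfg.debug ? 'debug=true in production' : null),
  },
  {
    name: 'CSP report endpoint set',
    blocking: false,
    run: (cfg) => (cfg.csp && cfg.csp.reportUri ? null : 'csp.reportUri missing'),
  },
];

function healthCheck(cfg) {
  const failures = [];
  const warnings = [];
  for (const check of CHECKS) {
    const problem = check.run(cfg);
    if (!problem) continue;
    (check.blocking ? failures : warnings).push(`${check.name}: ${problem}`);
  }
  return { deployAllowed: failures.length === 0, failures, warnings };
}

// Constructed configs: one that must block, one that should pass.
const BAD_CONFIG = {
  env: 'production', debug: true,
  services: { orders: 'http://orders.internal' },
  tls: { key: '-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----' },
};
const GOOD_CONFIG = {
  env: 'production', debug: false,
  services: { orders: 'https://orders.internal' },
  tls: { keyRef: 'vault://bff/tls-key' }, // a reference, not the key itself
  csp: { reportUri: 'https://csp.example.com/report' },
};

console.log(healthCheck(BAD_CONFIG));
console.log(healthCheck(GOOD_CONFIG));
```

Keeping the checks as a data table rather than as scattered `if` statements is what makes this a safeguard rather than a test suite: adding a rule is one entry, each rule says whether it blocks, and the output is a yes/no decision a deployment step can act on.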

Changes to the SDLC (software development life cycle)

After securing the data flow and the BFF layer's own infrastructure, let's look at how Postman ensures security in the development life cycle.

Identify security KPIs

  • Vulnerabilities classified by CVSS score
  • Bug regressions
  • Time to resolve
    • SLA
  • External security reports

VAPT: vulnerability assessment and penetration testing

VAPT is a post-development step for assessing the security of a software release.

  • Black-box and white-box tests covering the services
  • The security process is automated

Conclusion

Review of the security metrics

Looking back at the initial security metrics, Postman did the following:

  • Confidentiality: validation, PoLP (least privilege), log scrubbing
  • Integrity (consistency): request tagging, access control (IDOR), content security (HTTPS, SRI, CSP, etc.)
  • Availability: short critical path, platform audits, health check

Key takeaways

  • Security must be considered when building a BFF or public APIs
  • Building secure APIs is a step-by-step process
  • Security is part of the development process

Sample code

Github.com/ankit-m/tal…