This article summarizes how Postman builds a secure and reliable BFF (backend for frontend); it can serve as a reference for improving BFF security step by step. The focus is on how to approach security as a whole; the specific implementation methods and tools can be chosen to suit your project.
The original link
Points to consider when building a secure BFF
- Single points of failure and attack
- Public oriented services
- Processing user input
- How do you quantify API security?
Security metrics
A secure interface must meet the following requirements:
Confidentiality | Integrity (consistency) | Availability |
---|---|---|
Only authorized parties can access the relevant data | The data provided by your service cannot be tampered with | Content is available to authorized users on demand |
BFF data flow
The figure below shows the role of the BFF in a complete data flow, covering the key phases from inflow to outflow. There are three main stages:
- The client initiates data flow into the BFF
- BFF interacts with services
- BFF consolidates the service results out to the client
Next, we look at the security work required at each stage, starting with data inflow.
Building security when data comes in
After the BFF receives the data, validity checks should be carried out first.
Validation
How much validation the BFF should do
- The BFF does not need to perform all validation
- The BFF should complete the checks within its own scope:
- Authentication
- Request header checks
- Business-logic-specific checks are pushed down to the downstream services
The critical path
The critical path refers to the services that must be invoked before a request reaches the business logic. Its length is one indicator of how much verification the BFF performs; the critical path should be short and have error handling. Two common critical-path services are:
- Authentication service
- Authorization service
Principle of least privilege
For permissions, the conservative principle of least privilege is generally adopted:
- Users can access only the minimum necessary resources
- By default, a user is assumed to have no access
- Access is granted only under specific conditions
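The short critical path and default-deny access described above, as an added example in plain Node.js (not Postman's code): the only two steps before the business handler are authentication of the bearer token and a least-privilege authorization check; the sessions, roles, permission map and route names are constructed fixtures.

```javascript
// Constructed fixtures: sessions keyed by opaque token, roles granting explicit actions.
const SESSIONS = {
  "tok-alice": { userId: "u1", roles: ["reader"] },
  "tok-bob":   { userId: "u2", roles: ["reader", "admin"] },
};
// Least privilege: a role grants only the listed actions; anything absent is denied.
const PERMISSIONS = {
  reader: new Set(["orders:read"]),
  admin:  new Set(["orders:read", "orders:delete"]),
};

class HttpError extends Error {
  constructor(status, message) { super(message); this.status = status; }
}

// Critical path step 1: request-header check plus authentication.
function authenticate(headers) {
  const [scheme, token] = (headers["authorization"] || "").split(" ");
  if (scheme !== "Bearer" || !token) throw new HttpError(401, "missing bearer token");
  const session = SESSIONS[token];
  if (!session) throw new HttpError(401, "invalid token");
  return session;
}

// Critical path step 2: authorization. Deny by default; allow only when a role
// explicitly grants the requested action.
function authorize(session, action) {
  const allowed = session.roles.some((r) => (PERMISSIONS[r] || new Set()).has(action));
  if (!allowed) throw new HttpError(403, `roles ${session.roles.join(",")} cannot ${action}`);
}

// BFF entry point: exactly two calls, each with error handling, before business
// logic runs. Business-specific validation stays in the downstream handler.
function handle(req, businessHandler) {
  try {
    const session = authenticate(req.headers);
    authorize(session, req.action);
    return { status: 200, body: businessHandler({ ...req, session }) };
  } catch (e) {
    if (e instanceof HttpError) return { status: e.status, body: { error: e.message } };
    return { status: 500, body: { error: "internal error" } }; // never leak internals
  }
}

// A constructed downstream business handler.
const deleteOrder = (req) => ({ deleted: req.orderId, by: req.session.userId });
```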
Example
Below is the BFF architecture used by Postman.
Access control and validation are separated from the business logic, and Yeoman generators with predefined security settings are used when scaffolding the stack.
Maintaining dependencies
Pin dependency versions strictly with lockfiles, and use tools in the CI pipeline to detect vulnerable packages. Tools: nsp, npm audit, Snyk.
Mandatory security checks
Use the following mandatory measures for security checks:
- Lint rules configured for security checks
- A system test phase that catches problematic configuration items
- End-to-end tests using Postman Collections, integrated into the CI pipeline
Securing communication between the BFF and services
After the critical path, the connection between the BFF and the microservices needs to be secured in the following areas:
Check permissions within the service
- The BFF developer is isolated from the service's internal implementation
- Prevent authentication information from leaking into response results and logs
- Allow key rotation without changing server-side code
Tag the request
- Associate each incoming request with a user token
- Each service can use this token to retrieve user metadata and apply its own authentication checks
Eliminate broken access control
- Avoid IDOR (insecure direct object references)
- All user-initiated actions must be checked against the user's token
Logging
- Filter sensitive information and user information out of logs
- Use heuristics to prevent unexpected data from being recorded
- Monitor BFF logs to detect user identity theft
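Request tagging, the IDOR check and log scrubbing from the three lists above, as one added example (not Postman's code): the request carries the caller's identity, the downstream lookup is keyed by that identity rather than only by the caller-supplied id, and log lines are scrubbed before being written. The order store, token format and field names are constructed fixtures.

```javascript
// Constructed fixture: orders with an owner and a field that must never be logged.
const ORDERS = {
  o1: { ownerId: "u1", total: 40, card: "4111111111111111" },
  o2: { ownerId: "u2", total: 99, card: "5500000000000004" },
};

// Tag the request: the identity travels with the request object, not in a global.
function tagRequest(req, session) {
  return { ...req, requestId: `req-${req.seq}`, user: { id: session.userId } };
}

// Downstream lookup checked against the tagged user. Returning 404 for
// "exists but not yours" avoids confirming that another user's record exists.
function getOrder(taggedReq, orderId) {
  const order = ORDERS[orderId];
  if (!order || order.ownerId !== taggedReq.user.id) {
    return { status: 404, body: { error: "order not found" } };
  }
  const { card, ...safe } = order; // never echo the card number back
  return { status: 200, body: { id: orderId, ...safe } };
}

// Heuristic scrubbing: drop known sensitive keys and mask anything that looks like
// a card number or a bearer token, so an unexpected field cannot leak via the log.
const SENSITIVE_KEYS = new Set(["authorization", "card", "password", "token"]);
function scrub(value) {
  if (Array.isArray(value)) return value.map(scrub);
  if (value && typeof value === "object") {
    return Object.fromEntries(Object.entries(value).map(([k, v]) =>
      [k, SENSITIVE_KEYS.has(k.toLowerCase()) ? "[REDACTED]" : scrub(v)]));
  }
  if (typeof value === "string") {
    return value.replace(/\b\d{13,19}\b/g, "[CARD]").replace(/Bearer \S+/g, "Bearer [TOKEN]");
  }
  return value;
}

// One structured log line per request, scrubbed before serialization.
function logLine(taggedReq, result) {
  return JSON.stringify(scrub({
    requestId: taggedReq.requestId, userId: taggedReq.user.id,
    headers: taggedReq.headers, status: result.status, body: result.body,
  }));
}
```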
Securing outbound content when the BFF communicates with clients
After receiving the microservice results, the BFF merges them and returns them to the client, completing the data outflow. The security work to be done in this phase is as follows:
HTTPS / HSTS
- Select certificates based on your needs and the level of user trust required
- Make sure third-party calls and redirects also go over HTTPS
- After verifying that all content is served over HTTPS, enable HSTS (with preloading)
Content-Security-Policy
- Reduces the harm caused by malicious code injection
- Use report-only mode first to avoid side effects
- Useful against data exfiltration, with the caveat that plain link hrefs are not covered by CSP
Other headers
- CORS: controls who has access to your resources
- X-XSS-Protection: detects and blocks XSS in some browsers
- X-Frame-Options: allows or denies displaying the site in an iframe
- HPKP: lets HTTPS sites resist impersonation (now deprecated and removed from major browsers)
- SRI: verifies third-party assets
- See the OWASP Secure Headers Project
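The ordering recommended above (HSTS only once every reference is HTTPS, CSP in report-only mode before enforcing), as an added example in Node.js that is not Postman's code: the header values, report endpoint and sample HTML are constructed.

```javascript
// Any plain-http URL in a body or redirect target is a reason to hold back HSTS.
const HTTP_URL = /\bhttp:\/\/[^\s"'<>]+/g;

// Find http:// references in the response body and in the Location header, if any.
function findInsecureUrls(body, locationHeader) {
  const found = (body.match(HTTP_URL) || []).slice();
  if (locationHeader && /^http:\/\//.test(locationHeader)) found.push(locationHeader);
  return found;
}

// Build the outbound security headers for one response.
// enforceCsp=false emits Content-Security-Policy-Report-Only (the "try it first" mode).
function securityHeaders({ body, location, enforceCsp, reportUri }) {
  const headers = { "X-Frame-Options": "DENY" };
  const insecure = findInsecureUrls(body, location);
  // HSTS is only safe once every reference and redirect is https; otherwise a
  // long max-age would break mixed content for every visitor until it expires.
  if (insecure.length === 0) {
    headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains; preload";
  }
  const csp = `default-src 'self'; script-src 'self'; object-src 'none'; report-uri ${reportUri}`;
  headers[enforceCsp ? "Content-Security-Policy" : "Content-Security-Policy-Report-Only"] = csp;
  return { headers, insecure };
}
```

The `insecure` list is what a CI check would print so the offending references can be fixed before HSTS is turned on.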
Caveats
- Support for each header depends on the client browser
- You cannot rely on headers alone to secure the BFF
- Security work in this phase does not replace input validation and output formatting
Securing the BFF layer's own infrastructure
Once the data flow is secured, the BFF layer's own infrastructure also needs to be secured.
Audit and automation
What to audit
- Developer access rights
- Operating configuration
- Creation of new resources
Postman's practice
- Use Postman Collections for reliable resource creation
- Periodically audit the service using Postman Monitors
- Use Postman Collections for health checks
- Validate key configuration for each environment
- Block the deployment if an obvious error occurs, for example a leaked private key
- This is a safeguard, not a test procedure
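The deploy-time safeguard described above, as an added example (not Postman's code): a small rule set validates the configuration for the target environment and blocks the deployment on an obvious error such as private key material placed directly in an environment variable. The variable names, rules and sample configs are constructed.

```javascript
// PEM headers of common private key formats; their presence in config is a hard stop.
const PEM_KEY = /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/;

// Each rule returns a message when the config is wrong for its environment, else null.
const RULES = [
  (cfg) => {
    const leaked = Object.entries(cfg).filter(([, v]) => PEM_KEY.test(String(v)));
    return leaked.length
      ? `private key material in ${leaked.map(([k]) => k).join(", ")}` : null;
  },
  (cfg) => cfg.NODE_ENV === "production" && cfg.API_BASE_URL
           && !/^https:\/\//.test(cfg.API_BASE_URL)
    ? "API_BASE_URL must use https in production" : null,
  (cfg) => cfg.NODE_ENV === "production" && String(cfg.DEBUG) === "true"
    ? "DEBUG enabled in production" : null,
  (cfg) => !cfg.SESSION_SECRET_REF
    ? "SESSION_SECRET_REF (reference to a vault secret, not the secret itself) is missing" : null,
];

// Returns { ok, violations }; a deploy script exits non-zero when ok is false.
function validateConfig(cfg) {
  const violations = RULES.map((rule) => rule(cfg)).filter(Boolean);
  return { ok: violations.length === 0, violations };
}
```

In a pipeline this runs against the environment about to be deployed (for example `validateConfig(process.env)`), and the violations are printed as the reason the deploy was blocked.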
Changes to the SDLC (system development life cycle)
After securing the data flow and the BFF layer's own infrastructure, let's look at how Postman ensures security in the system development life cycle.
Define security KPIs
- Vulnerabilities classified by CVSS score
- Bug regressions
- Time to resolve
- SLA
- External security reports
VAPT (vulnerability assessment and penetration testing)
VAPT is a post-development step for assessing the security of a software release.
- Black-box and white-box tests covering the services
- The security process is automated
Conclusion
Reviewing the security metrics
Looking back at the initial security metrics, Postman did the following:
Confidentiality | Integrity (consistency) | Availability |
---|---|---|
Validation | Request tagging | Short critical path |
PoLP (least privilege) | Access control (IDOR) | Platform audits |
Log scrubbing | Content security (HTTPS, SRI, CSP, etc.) | Health checks |
Key takeaways
- Security must be considered when building BFFs and public APIs
- Building secure APIs is a step-by-step process
- Security is part of the development process
Sample code
Github.com/ankit-m/tal…