Dedicated API Gateways Use SSL Certificates
Rule Details
| Parameter | Description |
|---|---|
| Rule Name | apig-instances-ssl-enabled |
| Identifier | Dedicated API Gateways Use SSL Certificates |
| Description | If no SSL certificate is attached to a dedicated API gateway instance, this instance is non-compliant. |
| Tag | apig |
| Trigger Type | Configuration change |
| Filter Type | apig.instances |
| Rule Parameters | None |
Application Scenarios
If your APIs support HTTPS, you need to add an SSL certificate to the independent domain name bound to the APIs. An SSL certificate is used for data encryption and identity authentication. It supports one-way and two-way authentication.
- One-way authentication: When a client connects to a server, the client verifies the validity of the SSL certificate of the server.
- Two-way authentication: When a client connects to a server, they verify each other's SSL certificates for validity.
If APIs in an API group support only HTTP, there will be the following risks:
- Data leakage: Data transmitted over HTTP is in plaintext and can be easily intercepted, causing leakage of sensitive data (such as passwords and personal information).
- Man-in-the-middle attacks: Attackers can tamper with or forge data. Users may receive malicious content or be redirected to phishing websites.
- Data tampering: Data in transit may be maliciously modified, affecting data integrity.
Solution
Ensure that all APIs support HTTPS and add an SSL certificate to an API.
Rule Logic
- If any domain name of a dedicated API gateway instance does not support HTTPS, this instance is non-compliant.
- If all domain names of a dedicated API gateway instance support HTTPS but no SSL certificate is added to at least one domain name, this instance is non-compliant.
- If all domain names of a dedicated API gateway instance support HTTPS, and SSL certificates are added to all domain names, this instance is compliant.
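The rule logic above can be expressed as a per-domain check that also reports which domain names cause the non-compliance. This is an added example, not the service's own implementation; the `Domain` fields, the sample inventory and the handling of an instance with no domain names are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Domain:
    # Hypothetical record shape; not the field names of any real API response.
    name: str
    https_enabled: bool            # the domain name supports HTTPS
    certificate_id: Optional[str]  # SSL certificate added to the domain, if any


def evaluate_instance(domains: List[Domain]) -> Tuple[str, List[Tuple[str, str]]]:
    """Apply the three rule-logic cases to one dedicated gateway instance."""
    findings = []
    for d in domains:
        if not d.https_enabled:
            findings.append((d.name, "HTTPS not supported"))
        elif not d.certificate_id:
            findings.append((d.name, "no SSL certificate added"))
    if not domains:
        # Assumption: the rule logic does not cover an instance without domain
        # names. Following the rule description (no certificate attached means
        # non-compliant), it is flagged here.
        findings.append(("<instance>", "no domain name, so no SSL certificate"))
    return ("non-compliant" if findings else "compliant"), findings


# Constructed sample inventory: instance name -> bound domain names.
SAMPLE_INVENTORY = {
    "gw-a": [Domain("api.example.com", True, "cert-1"),
             Domain("pay.example.com", True, "cert-2")],
    "gw-b": [Domain("api.example.org", True, "cert-3"),
             Domain("old.example.org", False, None)],
    "gw-c": [Domain("api.example.net", True, None)],
    "gw-d": [],
}


def evaluate_inventory(inventory):
    """Evaluate every instance and return {instance: (status, findings)}."""
    return {name: evaluate_instance(doms) for name, doms in inventory.items()}


if __name__ == "__main__":
    for name, (status, findings) in evaluate_inventory(SAMPLE_INVENTORY).items():
        print(name, status, findings)
```

The per-domain findings make it clear whether remediation means enabling HTTPS on a domain name or adding a certificate to it.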