Here is the threat model of Apache APISIX, which is relevant to our developers and operators.
As a proxy, Apache APISIX needs to be able to run in front of untrusted downstream traffic.
However, some features need to assume the downstream traffic is trusted. Such features should either not be exposed to the internet by default (for example, listening on 127.0.0.1) or carry an explicit disclaimer in the documentation.
As Apache APISIX is evolving rapidly, some newly added features may not yet be strong enough to defend against potential attacks. Therefore, we divide features into two groups: premature and mature. Features merged within the last half year, or declared experimental, are premature. Premature features have not been fully tested in the field and are normally not covered by the security policy.
Additionally, we require the components below to be trusted:
As the user: First of all, don't expose the components that are required to be trusted to the internet, including the control plane (Dashboard or similar) and the configuration relay mechanism (etcd, the etcd adapter, or similar).
Then, harden the trusted components. For example,
As the developer: We should keep security in mind, and validate input from the client before using it.
As the maintainer: We should keep security in mind, and review the code line by line. We are open to discussion with security researchers.
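The operator-side rules above (trusted-only components bound to 127.0.0.1, the control plane and etcd kept off the internet, etcd hardened) can be checked mechanically against a deployment's configuration. The audit below is an added example, not APISIX project code; it assumes a config structure shaped like APISIX's config.yaml, with the key names deployment.admin.admin_listen and deployment.etcd taken from the 3.x config-default.yaml, and its choice of hardening checks (etcd credentials, https endpoints) is the example's own.

```python
"""Audit a config dict against the exposure rules of the threat model.

Added example, not APISIX project code. Key names under "deployment"
are an assumption based on the APISIX 3.x config-default.yaml layout.
"""
import ipaddress


def _is_loopback(ip: str) -> bool:
    """True when a listener address keeps the port host-local."""
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        # Hostnames are not resolved; only the literal "localhost" passes.
        return ip == "localhost"


def audit_exposure(config: dict) -> list[str]:
    """Return one finding per violation; an empty list means the config passes."""
    findings = []
    deployment = config.get("deployment", {})

    # Control plane: the Admin API must not bind a non-loopback address.
    listen = deployment.get("admin", {}).get("admin_listen", {})
    ip = str(listen.get("ip", "0.0.0.0"))  # assumed default when unset
    if not _is_loopback(ip):
        findings.append(f"admin_listen.ip is {ip}; bind to 127.0.0.1")

    # Configuration relay: etcd should require credentials and use TLS.
    etcd = deployment.get("etcd", {})
    if not (etcd.get("user") and etcd.get("password")):
        findings.append("etcd.user/password unset; enable etcd auth")
    for host in etcd.get("host", []):
        if not str(host).startswith("https://"):
            findings.append(f"etcd host {host} is not https://")
    return findings


# Constructed sample configs, not taken from any real deployment.
WEAK_CONFIG = {"deployment": {
    "admin": {"admin_listen": {"ip": "0.0.0.0", "port": 9180}},
    "etcd": {"host": ["http://10.0.0.5:2379"]},
}}
HARDENED_CONFIG = {"deployment": {
    "admin": {"admin_listen": {"ip": "127.0.0.1", "port": 9180}},
    "etcd": {"host": ["https://10.0.0.5:2379"],
             "user": "apisix", "password": "<placeholder>"},
}}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_exposure(cfg) or "ok")
```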