Basic Security Requirements
Background & Business Value
Baseline security requirements, stated once here so that they do not need to be repeated in every document.
Goals
- HTTPS Everywhere
- Authenticate all calls through the API Gateway
- Ensure Resource Services are only called by the API Gateway
Out of Scope
- Usage Scenarios
Assumptions
- If other requirements documents conflict with these requirements, these requirements will be superseded. These are the baseline requirements, which can be overridden in specialized situations.
Requirements
Ticket(s) | Title | User Story | Priority | Notes |
---|---|---|---|---|
| | HTTPS Everywhere | As a client developer, I expect all communication to be over HTTPS. | MUST HAVE | |
| | All Calls Authenticated | As a gateway admin, all calls through the gateway need to be authenticated. | MUST HAVE | |
| | IP Restrictions | As a gateway admin, all Resource Servers should implement restrictions to prevent unauthorized calls coming from places other than Apigee. | MUST HAVE | |
User Interaction, Design & Architecture
Examples and References
Questions
Below is a list of questions to be addressed as a result of this requirements document:
Question | Outcome | Decision Date |
---|---|---|