When a client invokes the available service, we need to validate the request. In order to prevent unwanted requests from piling up, we should have an additional layer of security. The requests from the client should be authenticated and authorized to call the other service, to prevent unauthorized calls to the service. The service should, in turn, decrypt the request, understand whether it is valid or invalid, and do the rest.
In order to provide secure microservices, it should have the following characteristics:
- Confidentiality: Allow only the authorized clients to access and consume the information.
- Integrity: Can guarantee the integrity of the information that it receives from the client and ensure that it is not modified by a third-party (for example, when a gateway and a service is talking to each other, no party can tamper with or alter the messages that are sent between them. This a classic man-in-the-middle attack).
- Availability: A secure API service should be highly available.
- Reliability: Should handle the requests and process them reliably.
For more information on MITM, or man-in-the-middle attacks check, the following link: https://www.owasp.org/index.php/Man-in-the-middle_attack.