Table of Contents
KrakenD has implemented some security strategies
Restrict connections by host
Define a whitelist of hosts the KrakenD should accept requests to.
When a request hits KrakenD, it will confirm if the value of the
Host HTTP header is in the whitelist. If so, it will further process the request. If the host is not in the whitelist, KrakenD will simply reject the request.
KrakenD follow the OWASP’s recommendations by adding a frame-breaking strategy.
You can add an
X-Frame-Options header with the value of
DENY (default behavior) or even set your custom value.
Check the OWASP Clickjacking cheat sheet for more details about the header and its recommended values.
Enabling this feature will prevent the user’s browser from interpreting files as something else than declared by the content type in the HTTP headers.
Cross-site scripting (XSS) protection
This feature enables the Cross-site scripting (XSS) filter in the user’s browser.
HTTP Strict Transport Security (HSTS)
OWASP defines the HSTS as
HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797. A server implements an HSTS policy by supplying a header (Strict-Transport-Security) over an HTTPS connection (HSTS headers over HTTP are ignored).
HTTP Public Key Pinning (HPKP)
OWASP defines the HPKP as
HTTP Public Key Pinning (HPKP) is a security mechanism which allows HTTPS websites to resist impersonation by attackers using mis-issued or otherwise fraudulent certificates. (For example, sometimes attackers can compromise certificate authorities, and then can mis-issue certificates for a web origin.).
This feature must be used with caution because there is a risk that hosts may make themselves unavailable by pinning to a set of public key hashes that becomes invalid.
KrakenD supports the client credentials grant.
Use this feature if you need to authorize the KrakenD to access your backend services.