ContentSecurity
microgateway.airlock.com/v1alpha1
ContentSecurity defines a policy for filtering and mutating requests and responses to protect an upstream web application. Individual features can be customized using their dedicated CRDs which are referenced from this policy.
The default policy is designed to be secure and to work with most web applications. Security can be hardened further by, for example:
- Enforcing an OpenAPI or GraphQL schema to protect API endpoints
- Enabling CSRF protection
- Increasing the deny rule strictness level
- Tightening request limits
If false positives are encountered (wrongly blocked requests), exceptions may also be configured in the relevant CRDs.
```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: ContentSecurity
metadata:
  name: content-security-example
spec:
  parserRef:
    name: parser-example
  limitsRef:
    name: limits-example
  headerRewritesRef:
    name: header-rewrites-example
  filter:
    denyRulesRef:
      name: deny-rules-example
  apiProtectionRef:
    name: api-protection-example
  csrfProtectionRef:
    name: csrf-protection-example
```

```yaml
apiVersion: microgateway.airlock.com/v1alpha1
kind: ContentSecurity
metadata:
  name: default
spec:
  filter: {}
  apiProtection: {}
```

ContentSecurity
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| metadata | defines the resource's metadata | ObjectMeta | yes | | |
| spec | defines the desired content security configuration | object | no | | |

ContentSecurity.spec
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| apiProtection | defines the relevant configurations to protect APIs. If undefined, default settings are applied, designed to work with most upstream web application services. Deprecated: use policies in the APIProtection CRD instead. | object | no | | |
| apiProtectionRef | defines the relevant configurations to protect multiple APIs on different paths. If undefined, default settings are applied, designed to work with most upstream web application services. | object | no | | |
| csrfProtectionRef | selects the relevant CSRF configuration resource. If undefined, CSRF protection is disabled. | object | no | | |
| filter | defines the set of filters, e.g. Airlock Deny Rules, to be applied to incoming requests to protect against various attack patterns. If undefined, default settings are applied, designed to work with most upstream web application services. | object | no | | |
| headerRewritesRef | selects the relevant HeaderRewrites resource. If undefined, default settings are applied, designed to work with most upstream web application services. | object | no | | |
| limitsRef | selects the relevant Limits configuration resource. If undefined, default settings are applied, designed to work with most upstream web application services. | object | no | | |
| parserRef | selects the relevant Parser configuration resource. If undefined, default settings are applied, designed to work with most upstream web application services. | object | no | | |

ContentSecurity.spec.apiProtectionRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | name of the resource | string | yes | | |

ContentSecurity.spec.csrfProtectionRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | name of the resource | string | yes | | |

ContentSecurity.spec.filter
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| denyRulesRef | selects the relevant DenyRules configuration resource. If undefined, default settings are applied, designed to work with most upstream web application services. | object | no | | |

ContentSecurity.spec.filter.denyRulesRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | name of the resource | string | yes | | |

ContentSecurity.spec.headerRewritesRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | name of the resource | string | yes | | |

ContentSecurity.spec.apiProtection
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| graphQLRef | selects the relevant GraphQL configuration resource. If undefined, default settings are applied, designed to work with most upstream web application services. Deprecated: use policies in the APIProtection CRD instead. | object | no | | |
| openAPIRef | selects the relevant OpenAPI configuration resource. If undefined, default settings are applied, designed to work with most upstream web application services. Deprecated: use policies in the APIProtection CRD instead. | object | no | | |

ContentSecurity.spec.apiProtection.graphQLRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | name of the resource | string | yes | | |

ContentSecurity.spec.apiProtection.openAPIRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | name of the resource | string | yes | | |

ContentSecurity.spec.limitsRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | name of the resource | string | yes | | |

ContentSecurity.spec.parserRef
| Field | Description | Type | Required | Default | Allowed Values |
|---|---|---|---|---|---|
| name | name of the resource | string | yes | | |
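The field tables above can be turned into a pre-deployment check: a manifest that references a CRD without a `name`, that still uses the deprecated `apiProtection` block, or that omits `csrfProtectionRef` (which the spec table says leaves CSRF protection disabled) should be caught before it reaches the cluster. The following lint script is an added example and is not part of Airlock Microgateway or its operator; it works on the JSON form of a resource (as printed by `kubectl get contentsecurity <name> -o json`) so that only the Python standard library is needed, and the three sample manifests are constructed for the example, two of them mirroring the YAML examples on this page.

```python
"""Offline lint for ContentSecurity resources (microgateway.airlock.com/v1alpha1).

Added example, not part of Airlock Microgateway. It checks the JSON form of a
resource (what `kubectl get contentsecurity <name> -o json` prints) against the
field tables on this page, using only the standard library."""
import json

API_VERSION = "microgateway.airlock.com/v1alpha1"
KIND = "ContentSecurity"

# Direct children of spec that reference another CRD; each needs a `name`.
REF_FIELDS = {"apiProtectionRef", "csrfProtectionRef", "headerRewritesRef",
              "limitsRef", "parserRef"}
# Deprecated on this page in favour of policies in the APIProtection CRD.
DEPRECATED_FIELDS = {"apiProtection"}
SPEC_FIELDS = REF_FIELDS | DEPRECATED_FIELDS | {"filter"}


def _check_ref(path, ref, findings):
    """A *Ref object must be a mapping whose required `name` is a non-empty string."""
    if not isinstance(ref, dict):
        findings.append(f"{path}: must be an object with a 'name' field")
    elif not isinstance(ref.get("name"), str) or not ref["name"]:
        findings.append(f"{path}.name: required field is missing or empty")


def lint_content_security(obj):
    """Return a list of findings (strings); an empty list means the manifest conforms."""
    findings = []
    if obj.get("apiVersion") != API_VERSION or obj.get("kind") != KIND:
        return [f"expected kind {KIND} with apiVersion {API_VERSION}"]
    if not (obj.get("metadata") or {}).get("name"):
        findings.append("metadata.name: required field is missing")
    spec = obj.get("spec") or {}
    for key, value in spec.items():
        if key not in SPEC_FIELDS:
            findings.append(f"spec.{key}: unknown field")
        elif key in REF_FIELDS:
            _check_ref(f"spec.{key}", value, findings)
    filt = spec.get("filter") or {}
    if "denyRulesRef" in filt:
        _check_ref("spec.filter.denyRulesRef", filt["denyRulesRef"], findings)
    api = spec.get("apiProtection")
    if api is not None:
        findings.append("spec.apiProtection: deprecated, move policies to the "
                        "APIProtection CRD and reference it via spec.apiProtectionRef")
        for key in ("graphQLRef", "openAPIRef"):
            if key in (api or {}):
                _check_ref(f"spec.apiProtection.{key}", api[key], findings)
    # Per the spec table, a missing csrfProtectionRef means CSRF protection is off.
    if "csrfProtectionRef" not in spec:
        findings.append("spec.csrfProtectionRef: not set, so CSRF protection is disabled")
    return findings


# Constructed sample inputs; the first two mirror the YAML examples on this page.
FULL_EXAMPLE = json.loads("""
{"apiVersion": "microgateway.airlock.com/v1alpha1", "kind": "ContentSecurity",
 "metadata": {"name": "content-security-example"},
 "spec": {"parserRef": {"name": "parser-example"},
          "limitsRef": {"name": "limits-example"},
          "headerRewritesRef": {"name": "header-rewrites-example"},
          "filter": {"denyRulesRef": {"name": "deny-rules-example"}},
          "apiProtectionRef": {"name": "api-protection-example"},
          "csrfProtectionRef": {"name": "csrf-protection-example"}}}
""")

DEFAULT_EXAMPLE = json.loads("""
{"apiVersion": "microgateway.airlock.com/v1alpha1", "kind": "ContentSecurity",
 "metadata": {"name": "default"},
 "spec": {"filter": {}, "apiProtection": {}}}
""")

# Constructed and deliberately broken: a limitsRef without the required name.
BROKEN_EXAMPLE = json.loads("""
{"apiVersion": "microgateway.airlock.com/v1alpha1", "kind": "ContentSecurity",
 "metadata": {"name": "broken"},
 "spec": {"limitsRef": {}, "csrfProtectionRef": {"name": "csrf-protection-example"}}}
""")

if __name__ == "__main__":
    for doc in (FULL_EXAMPLE, DEFAULT_EXAMPLE, BROKEN_EXAMPLE):
        name = doc["metadata"]["name"]
        for line in lint_content_security(doc) or ["ok"]:
            print(f"{name}: {line}")
```

Run against the page's own `default` example, the script reports two findings: the deprecated `apiProtection` block and the absent `csrfProtectionRef`; the full example passes clean. The unknown-field check is there because the CRD tables list a closed set of spec keys, so a typo such as `limitRef` would otherwise silently fall back to default settings instead of applying the intended limits.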