Network & API Security Articles

Envoy's defaults expose admin APIs, pass headers unsanitized, and log nothing useful for security. A hardened Envoy configuration changes all three.

HAProxy's defaults are friendly to misconfiguration. The right knobs make it fast, observable, and resistant to common L7 abuse.

Pod egress in a service mesh is a per-Pod decision; egress gateways centralize, audit, and bound it. The pattern that finally makes 'where can my workload reach' answerable.

WireGuard turns the public Internet into an internal network. Three deployment patterns, three different operational models, one cryptographic core.

XDP runs your filter at the network driver level, before the kernel allocates an sk_buff. Drop attacks at line rate on commodity NICs with a few hundred lines of eBPF.

TLS 1.3 still leaks the destination hostname via SNI. ECH closes that gap. Browser support is now wide enough to deploy in production.

Two recent CVE classes weaponize HTTP/2's stream and header model. Mitigation is settings-tweak in NGINX and Envoy, but only if you know which knobs.

QUIC moves TLS into the transport. New attack surface: UDP amplification, 0-RTT replay, connection ID tracking, stream flow-control abuse. Hardening is non-trivial.

AI-powered botnets of compromised IoT and edge devices launch DDoS attacks exceeding 1 terabit per second. These attacks are increasingly used as smokescreens for simultaneous data theft operations. This article covers the multi-layer defensive architecture from edge absorption to origin hardening.

Most production environments run dual-stack (IPv4 and IPv6) whether the team intended it or not. Linux enables IPv6 by default.

gRPC services exposed through API gateways face unique security challenges: gRPC-Web transcoding introduces injection surfaces, metadata headers can carry internal routing information past the edge, and per-method rate limiting requires gRPC-aware configuration.

Most NGINX hardening guides stop at TLS configuration, cipher suites, certificate setup, HSTS.

Rate limiting is the first line of defence against abuse, credential stuffing, API scraping, and denial-of-service attacks.

"It's internal" is the most dangerous phrase in infrastructure security. Internal APIs sit behind the perimeter and receive minimal scrutiny.

Load balancers sit at the most critical point in your infrastructure: every external request passes through them.

Without a centralized API gateway, authentication and authorization logic is duplicated in every backend service. This creates several problems:

TLS misconfiguration remains one of the most common security findings in production infrastructure.

Internal service-to-service traffic in most Kubernetes clusters is plaintext. Once an attacker compromises a single pod, through a container escape,...

L4 load balancers break gRPC multiplexing, sending all streams to a single backend. This article covers L7 balancing with Envoy, client-side balancing with xDS, health check hardening, and connection draining for secure gRPC deployments.

DNS is the most critical single point of failure in any infrastructure, and the least hardened layer for most teams.

A self-managed Web Application Firewall (WAF) with default rules generates dozens of false positives per day.

HTTP request smuggling exploits inconsistencies in how chained HTTP processors (reverse proxies, load balancers, backend servers) parse request...

Security headers are free, server-side controls that instruct browsers to restrict dangerous behaviour.

WebSocket connections start as an HTTP upgrade request and then persist as a long-lived, full-duplex channel.

gRPC services in production frequently run with security configurations that would never be acceptable for HTTP APIs: