generated from coulomb/repo-seed
44 lines
1.1 KiB
Markdown
44 lines
1.1 KiB
Markdown
# Pattern: Schema-First API Security
|
|
|
|
Status: seed
|
|
Readiness target: RL3 production
|
|
Primary owners: product repos, NetKingdom
|
|
Genesis family: Application/API security
|
|
|
|
## Problem
|
|
|
|
APIs become difficult to validate, test, and protect when the request
|
|
and response contract is implicit.
|
|
|
|
## Context
|
|
|
|
Use this pattern for OpenAPI, async APIs, event schemas, public APIs,
|
|
tenant APIs, and internal service contracts.
|
|
|
|
## Forces
|
|
|
|
- Schemas can drive validation and tests.
|
|
- Schemas alone do not prove authorization.
|
|
- Backward compatibility must be managed.
|
|
- Sensitive fields need explicit treatment.
|
|
|
|
## Solution
|
|
|
|
Define API schemas before or alongside implementation and use them to
|
|
drive validation, compatibility checks, security tests, documentation,
|
|
and gateway/application enforcement.
|
|
|
|
## Verification
|
|
|
|
- Requests and responses are validated against versioned schemas.
|
|
- Sensitive fields are marked and tested.
|
|
- Breaking changes are detected before release.
|
|
- Authorization tests cover resources described by the schema.
|
|
|
|
## Related Patterns
|
|
|
|
- API Gateway as Security Boundary.
|
|
- Object-Level Authorization Check.
|
|
- Backend-for-Frontend.
|
|
- Secure File Upload Pipeline.
|