# Pattern: Schema-First API Security
Status: seed
Readiness target: RL3 production
Primary owners: product repos, NetKingdom
Genesis family: Application/API security
## Problem
APIs become difficult to validate, test, and protect when the request
and response contract is implicit.
## Context
Use this pattern for OpenAPI, async APIs, event schemas, public APIs,
tenant APIs, and internal service contracts.
## Forces
- Schemas can drive validation and tests.
- Schemas alone do not prove authorization.
- Backward compatibility must be managed.
- Sensitive fields need explicit treatment.
## Solution
Define API schemas before or alongside implementation and use them to
drive validation, compatibility checks, security tests, documentation,
and gateway/application enforcement.
## Verification
- Requests and responses are validated against versioned schemas.
- Sensitive fields are marked and tested.
- Breaking changes are detected before release.
- Authorization tests cover resources described by the schema.
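
A minimal sketch of the first three verification items, added here as an illustration and not taken from the pattern's repository. The `x-sensitive` marker, the sample schemas and the function names are assumptions, and the validator handles only flat objects with primitive types, not full JSON Schema or OpenAPI.

```python
# Added illustration; schemas are constructed and "x-sensitive" is an assumed marker.
TYPES = {"string": str, "integer": int, "boolean": bool}
SCHEMA_V1 = {"required": ["id", "email"], "properties": {
    "id": {"type": "integer"},
    "email": {"type": "string", "x-sensitive": True},
    "plan": {"type": "string"}}}
# v2 adds a required field, changes the type of "id" and drops "plan".
SCHEMA_V2 = {"required": ["id", "email", "tenant"], "properties": {
    "id": {"type": "string"},
    "email": {"type": "string", "x-sensitive": True},
    "tenant": {"type": "string"}}}

def validate(payload, schema):
    """Return contract violations; an empty list means the payload conforms."""
    props = schema["properties"]
    errors = [f"missing required field: {n}"
              for n in schema["required"] if n not in payload]
    for name, value in payload.items():
        if name not in props:
            # Closed contract: fields the schema does not declare are rejected.
            errors.append(f"undeclared field: {name}")
        elif type(value) is not TYPES[props[name]["type"]]:
            # Exact type match, so a bool is not accepted as an integer.
            errors.append(f"wrong type for {name}")
    return errors

def sensitive_fields(schema):
    """Names of the properties the schema marks as sensitive."""
    return sorted(n for n, p in schema["properties"].items() if p.get("x-sensitive"))

def redact(payload, schema):
    """Copy of the payload with marked fields masked, e.g. before logging."""
    marked = set(sensitive_fields(schema))
    return {k: ("[REDACTED]" if k in marked else v) for k, v in payload.items()}

def breaking_changes(old, new):
    """Changes in `new` that reject a request that was valid under `old`."""
    changes = [f"new required field: {n}"
               for n in new["required"] if n not in old["required"]]
    for name, prop in old["properties"].items():
        if name not in new["properties"]:
            changes.append(f"removed field: {name}")
        elif new["properties"][name]["type"] != prop["type"]:
            changes.append(f"type changed: {name}")
    return changes

if __name__ == "__main__":
    print(validate({"id": "1", "is_admin": True}, SCHEMA_V1))
    print(breaking_changes(SCHEMA_V1, SCHEMA_V2))
```

Running `breaking_changes` in CI against the previously released schema version is one way to fail a build before release. None of these checks says whether the caller is allowed to access the object, which is why the authorization tests remain a separate item.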
## Related Patterns
- API Gateway as Security Boundary.
- Object-Level Authorization Check.
- Backend-for-Frontend.
- Secure File Upload Pipeline.