
API Gateway Attacks

The gateway in front of your APIs (Kong, AWS API Gateway, Apigee, NGINX, Envoy) is a security control and an attack surface at once. This article covers trusted-header spoofing, path-normalization mismatches that bypass authorization, direct-to-origin requests that skip every gateway check, and auth-offload gone wrong: how each bypass works and how to close it.
