apache
diff --git a/‎CONTRIBUTING-SEO.md‎
Lines changed: 140 additions & 0 deletions b/‎CONTRIBUTING-SEO.md‎
Lines changed: 140 additions & 0 deletions
diff --git a/‎website/learning-center/api-gateway-security.md‎
Lines changed: 131 additions & 0 deletions b/‎website/learning-center/api-gateway-security.md‎
Lines changed: 131 additions & 0 deletions
@@ -0,0 +1,140 @@
+# SEO Guidelines for Apache APISIX Website Contributors
+
+This document provides SEO best practices for anyone contributing content to the Apache APISIX website, documentation, or blog. Following these guidelines ensures that our content ranks well in both traditional search engines and AI-powered search (Google AI Overviews, ChatGPT, Perplexity).
+
+## Frontmatter Requirements
+
+Every Markdown page (blog post, doc page, learning center article) **must** include:
+
+```yaml
+---
+title: "Human-Readable Title - Primary Keyword | Apache APISIX"
+description: "120-160 character description that accurately summarizes the page content and includes the primary keyword naturally."
+---
+```
+
+### Title Rules
+
+- **Length**: 50-60 characters (Google truncates longer titles in SERPs)
+- **Format**: `Primary Topic - Modifier | Apache APISIX`
+- **Keyword placement**: Put the primary keyword near the front
+- **Human-readable**: Write for humans, not bots. No keyword stuffing.
+- **Plugin pages**: Use the human-readable name, not just the code identifier
+  - Good: `Rate Limiting Plugin (limit-req) | Apache APISIX`
+  - Bad: `limit-req | Apache APISIX`
+
+### Description Rules
+
+- **Length**: 120-160 characters
+- **Content**: Describe the page honestly and include the main topic naturally
+- **Action-oriented**: Start with a verb when possible ("Learn how to...", "Configure...", "Compare...")
+
+## Content Structure
+
+### Answer-First Writing
+
+Place the primary answer or definition in the **first 40-60 words** of the page. AI search engines preferentially extract opening paragraphs.
+
+```markdown
+## What is an API Gateway?
+
+An API gateway is a server that sits between clients and backend
+services, acting as the single entry point for all API traffic.
+It handles authentication, rate limiting, and routing so that
+individual services don't need to implement these concerns.
+
+[Rest of the detailed content follows...]
+```
+
+### Heading Hierarchy
+
+- **One H1 per page** (the `title` in frontmatter)
+- Use H2 for major sections, H3 for subsections
+- Headings should match developer search queries when possible
+  - Good: `## How to Configure Rate Limiting in APISIX`
+  - Bad: `## Configuration`
+- Never skip heading levels (H1 → H3 without H2)
+
+### Statistics and Data
+
+Include **at least one statistic or data point every 150-200 words**. Concrete numbers make content more authoritative and more likely to be cited by AI engines.
+
+Examples:
+
+- "Apache APISIX processes 18,000 requests per second per core with 0.2ms latency"
+- "Over 147,000 deployments across 5,200+ companies"
+- "100+ built-in plugins covering authentication, security, and traffic control"
+
+Always cite the source when referencing external statistics.
+
+### Internal Linking
+
+- Every page should include **at least 2 internal links** to related content
+- Use descriptive anchor text, not "click here" or "learn more"
+  - Good: `[rate limiting plugin documentation](/docs/apisix/plugins/limit-req/)`
+  - Bad: `[click here](/docs/apisix/plugins/limit-req/)`
+- Link from new pages to relevant existing content
+- Use relative paths for internal links
+
+### FAQ Sections
+
+For Learning Center articles, include a FAQ section at the end with 3-5 questions:
+
+```markdown
+## Frequently Asked Questions
+
+### What is the difference between an API gateway and a load balancer?
+
+[Concise, direct answer in 2-3 sentences]
+
+### Do I need an API gateway for microservices?
+
+[Concise, direct answer]
+```
+
+FAQ content is highly valued by AI search engines and can appear as rich results in Google SERPs.
+
+## Images
+
+- **Alt text is mandatory**: Every image must have descriptive alt text
+  - Good: `alt="Apache APISIX architecture diagram showing request flow from client through gateway to upstream services"`
+  - Bad: `alt="diagram"` or `alt=""`
+- Include explicit `width` and `height` attributes
+- Use `loading="lazy"` for below-the-fold images
+- Use WebP or AVIF formats when possible
+
+## Blog Posts
+
+### Evergreen Content
+
+- Avoid time-relative phrases like "recently" or "last month"
+- Use absolute dates: "In March 2026" instead of "last quarter"
+- Update posts when information becomes outdated (and update the `date` in frontmatter)
+
+### Blog Post Metadata
+
+```yaml
+---
+title: "Descriptive Title With Primary Keyword"
+authors:
+  - name: Author Name
+description: "120-160 character description"
+tags: [relevant, tags]
+image: /path/to/og-image.png  # Required for social sharing
+---
+```
+
+## Technical SEO Checklist
+
+Before submitting a PR that adds or modifies content pages:
+
+- [ ] Title tag is 50-60 characters with primary keyword near the front
+- [ ] Meta description is 120-160 characters and accurately describes the page
+- [ ] Only one H1 per page
+- [ ] Heading hierarchy is logical (H1 > H2 > H3, no skipped levels)
+- [ ] At least 2 internal links to related content
+- [ ] All images have descriptive alt text
+- [ ] Opening paragraph directly answers the page topic (answer-first)
+- [ ] At least 1 statistic or data point per 200 words
+- [ ] No duplicate content with existing pages
+- [ ] Blog posts have an `image` field for social sharing
@@ -0,0 +1,131 @@
+---
+title: "API Gateway Security: Threats, Best Practices & Implementation"
+description: "Learn how to secure your API gateway against common threats. Covers authentication, authorization, rate limiting, WAF, IP filtering, and zero-trust architecture."
+slug: api-gateway-security
+date: 2026-04-14
+tags: [security, api-gateway, best-practices]
+hide_table_of_contents: false
+---
+
+API gateway security is the practice of protecting your API infrastructure at the edge by enforcing authentication, authorization, rate limiting, and traffic filtering before requests reach backend services. A properly secured gateway reduces attack surface, prevents data breaches, and ensures compliance across every API endpoint in your organization.
+
+## Why API Gateway Security Matters
+
+APIs have become the primary attack vector for modern applications. According to the OWASP API Security Top 10 (2023 edition), broken object-level authorization and broken authentication remain the two most critical API vulnerabilities, affecting organizations across every industry. The explosive growth of API-first architectures has created an equally explosive growth in API-targeted attacks.
+
+The cost of getting API security wrong is substantial, as breaches involving API vulnerabilities tend to take longer to identify and contain and carry significant financial impact. The API gateway sits at a unique vantage point: it processes every inbound request, making it the single most effective location to enforce security policies consistently.
+
+## Common API Threats
+
+Understanding the threat landscape is essential for building an effective defense. The following categories represent the most frequent and damaging attack patterns targeting APIs today.
+
+### Broken Object-Level Authorization (BOLA)
+
+BOLA attacks exploit weak authorization checks to access resources belonging to other users. An attacker modifies object identifiers in API requests (for example, changing `/users/123/orders` to `/users/456/orders`) to retrieve unauthorized data. BOLA remains one of the most exploited API vulnerability classes, particularly in organizations where API management and authorization enforcement have not kept pace with API proliferation.
+
+### Injection Attacks
+
+SQL injection, NoSQL injection, and command injection remain persistent threats. Attackers embed malicious payloads in query parameters, headers, or request bodies. Despite being a well-known vulnerability class, injection attacks continue to appear frequently in web application security assessments.
+
+### Broken Authentication
+
+Weak or improperly implemented authentication mechanisms allow attackers to assume legitimate user identities. Common failures include missing token validation, weak password policies, credential stuffing vulnerabilities, and improper session management. Credential stuffing attacks account for billions of login attempts monthly across the internet.
+
+### Excessive Data Exposure
+
+APIs frequently return more data than the client needs, relying on the frontend to filter sensitive fields. Attackers bypass the frontend and consume raw API responses directly, gaining access to data never intended for display. This over-exposure is especially dangerous in mobile applications where API traffic is easily intercepted.
+
+### Rate Limit Bypass
+
+Without proper rate limiting, attackers can launch brute-force attacks, denial-of-service campaigns, and credential enumeration at scale. Automated bot traffic constitutes a significant portion of all internet traffic, and much of it targets API endpoints specifically.
+
+## Security Layers at the Gateway
+
+A defense-in-depth approach applies multiple security controls at the gateway layer, each addressing a distinct category of risk.
+
+### Authentication
+
+The gateway should verify identity before any request reaches a backend service. Common mechanisms include JWT validation, OAuth 2.0 token introspection, API key verification, and mutual TLS (mTLS) for service-to-service communication. Centralizing authentication at the gateway eliminates the risk of inconsistent enforcement across individual services.
+
+### Authorization
+
+Beyond verifying identity, the gateway must enforce access control. Role-based access control (RBAC), attribute-based access control (ABAC), and scope-based authorization ensure that authenticated users can only access resources and operations they are permitted to use. Fine-grained authorization at the gateway prevents BOLA vulnerabilities at scale.
+
+### Rate Limiting and Throttling
+
+Rate limiting protects backend services from abuse and ensures fair resource allocation. Effective rate limiting operates at multiple granularities: per consumer, per route, per IP address, and globally. A substantial share of traffic on the average website comes from bots, and rate limiting is the first line of defense against automated abuse.
+
+### IP Restriction
+
+IP allowlists and denylists provide coarse-grained access control. While not sufficient as a sole security measure, IP restriction is valuable for restricting administrative endpoints, limiting partner API access to known address ranges, and blocking traffic from regions associated with attack activity.
+
+### WAF and CORS
+
+A Web Application Firewall (WAF) at the gateway layer inspects request payloads for known attack patterns. CORS policies prevent unauthorized cross-origin requests from browser-based clients. Together, they address both server-side injection attacks and client-side cross-origin abuse.
+
+### TLS Termination
+
+TLS termination at the gateway ensures that all client-to-gateway traffic is encrypted. The gateway handles certificate management, cipher suite configuration, and protocol version enforcement, relieving backend services of this operational burden. The vast majority of web traffic now uses HTTPS, and TLS is considered a baseline requirement for any production API.
+
+### Request Validation
+
+Schema-based request validation rejects malformed or oversized payloads before they reach backend services. Validating request structure, data types, and content length at the gateway prevents injection attacks and reduces the attack surface of downstream services.
+
+## Zero-Trust API Architecture
+
+Zero-trust architecture assumes that no request is inherently trustworthy, regardless of its origin. Every API call must be authenticated, authorized, and validated, whether it arrives from the public internet, an internal service, or a trusted partner.
+
+At the gateway layer, zero-trust principles translate into several concrete practices. Every request carries verifiable identity credentials. Authorization is evaluated per request rather than per session. Network location (internal vs. external) does not confer implicit trust. All traffic is encrypted, including east-west service-to-service communication.
+The API gateway enables zero-trust by serving as a policy enforcement point. It validates tokens, checks permissions, and applies security policies uniformly across all traffic, creating a consistent security boundary regardless of the underlying network topology.
+
+## Security Best Practices
+
+The following practices represent a comprehensive approach to API gateway security that organizations should adopt incrementally based on risk profile.
+
+1. **Enforce authentication on every endpoint.** No API route should be accessible without verified identity. Use JWTs with short expiration times and validate signatures on every request.
+
+2. **Implement least-privilege authorization.** Grant the minimum permissions required for each consumer. Default to deny and require explicit grants for sensitive operations.
+
+3. **Apply rate limiting at multiple levels.** Configure per-consumer, per-route, and global rate limits. Use sliding window algorithms to prevent burst abuse while accommodating legitimate traffic spikes.
+
+4. **Validate all request inputs.** Enforce request schema validation at the gateway. Reject payloads that exceed expected sizes, contain unexpected fields, or fail type checks.
+
+5. **Use mutual TLS for service-to-service calls.** Encrypt and authenticate all internal traffic. Rotate certificates automatically and enforce certificate validation on every connection.
+
+6. **Enable WAF rules for known attack patterns.** Deploy rulesets targeting SQL injection, XSS, and command injection. Update rules regularly to address emerging attack vectors.
+
+7. **Log and audit all security events.** Capture authentication failures, authorization denials, rate limit triggers, and WAF blocks. Feed security logs into a SIEM for correlation and alerting.
+
+8. **Rotate credentials and secrets regularly.** Automate API key rotation, certificate renewal, and token signing key rotation. Never embed secrets in client-side code or version control.
+
+9. **Restrict administrative API access.** Protect management APIs with strong authentication, IP restrictions, and separate credentials from data-plane APIs.
+
+10. **Conduct regular security assessments.** Perform API-specific penetration testing, not just general web application assessments. The OWASP API Security Testing Guide provides a structured methodology.
+
+## How Apache APISIX Secures APIs
+
+Apache APISIX provides a comprehensive set of security plugins that implement each layer of the defense-in-depth model described above.
+
+For **IP-based access control**, the [ip-restriction plugin](/docs/apisix/plugins/ip-restriction/) supports allowlists and denylists at the route level, enabling fine-grained control over which addresses can reach specific endpoints.
+
+**Cross-origin resource sharing** is managed through the [CORS plugin](/docs/apisix/plugins/cors/), which configures allowed origins, methods, and headers to prevent unauthorized cross-origin requests from browser clients.
+
+**CSRF protection** is available through the [CSRF plugin](/docs/apisix/plugins/csrf/), which generates and validates CSRF tokens to prevent cross-site request forgery attacks on state-changing API operations.
+
+For **mutual TLS**, APISIX supports [mTLS configuration](/docs/apisix/mtls/) for both client-to-gateway and gateway-to-upstream connections, ensuring encrypted and mutually authenticated communication at every hop.
+
+APISIX also supports JWT authentication, key authentication, OpenID Connect, rate limiting with multiple algorithms, and request body validation. The plugin architecture enables security policies to be composed per route, allowing teams to apply exactly the controls each endpoint requires without over- or under-securing traffic.
+
+## FAQ
+
+### What is the difference between API gateway security and API security?
+
+API security is the broad discipline of protecting APIs across their entire lifecycle, including design, development, testing, and runtime. API gateway security specifically refers to the security controls enforced at the gateway layer during runtime, such as authentication, rate limiting, and input validation. The gateway is one component of a comprehensive API security strategy, not a replacement for secure coding practices and security testing.
+
+### Should I terminate TLS at the API gateway or at the backend service?
+
+Terminate TLS at the gateway for client-facing connections. This centralizes certificate management and offloads cryptographic processing from backend services. For traffic between the gateway and upstream services, use mTLS to maintain encryption and mutual authentication throughout the request path. This approach balances operational simplicity with end-to-end security.
+
+### How many rate limiting layers should an API gateway enforce?
+
+Apply at least three layers: a global rate limit to protect overall infrastructure capacity, a per-consumer limit to prevent any single client from monopolizing resources, and per-route limits for endpoints with expensive backend operations. Use sliding window or leaky bucket algorithms rather than fixed windows to provide smoother throttling behavior and prevent burst abuse at window boundaries.