After you complete your service development, you need to consider how to deploy your service to the production with security in mind. In this section, we will discuss some of the security measurements that help you to prevent attacks from the Internet when you expose your service to the public.
Services built on top of light-4j is inherently secure than most platforms as we have a lot of middleware handlers to address cross-cutting concerns and a significant number of them are for security. That means the attack request must pass all security middleware handlers to reach your business logic. That being said, there are still a lot of extra mechanisms can be implemented to maximize your service security.
Please note that this article is for small to medium organizations that don’t have access to CDN and F5. For enterprise-level security, please contact our support team at [email protected]
In almost all scenarios, we are not going to expose our service to the Internet directly especially your service is deployed to the cloud orchestrated with Kubernetes. In fact, you cannot expose these services directly as they don’t have static IP and port number.
Most of our users are using light-router for their external access point which is deployed on a VM with a static IP on port 443 only. The light-router is responsible for security, service discovery, serving single page application, etc. For more information, please visit light-router document and light-router tutorial.
To prevent a DDoS attack, it is wise to hide the real IP address by leveraging some CND services. Cloudflare is one of the best, and it provides DNS service for free. Just move your domain DNS to Cloudflare, you can hide your IP address from the Internet. You can find a lot of information about security in the security tutorial.
There are a lot of security-related middleware handlers shipped in the light-platform, and you should consider enabling some of them on your light-router instance or your services. The following are the most commonly used.