- All requests (except public endpoints) require valid JWT tokens
- Tokens validated against Identity Service's JWK Set
- Automatic role-based access control (RBAC)
- Token expiration and signature verification
- Environment-based configuration - No hardcoded values
- Explicit header allowlist - No wildcard (`*`) in production
- Credentials support - Properly configured for cookie/token auth
- Preflight caching - Reduces OPTIONS requests
- Distributed rate limiting using Redis
- Per-user and per-IP limits to prevent abuse
- Token bucket algorithm for smooth request flow
- Graceful degradation - Fails open if Redis is down
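Added example, not the project's own code: a token bucket limiter that keeps one bucket per user and one per client IP, with an in-memory store standing in for Redis and the fail-open path taken when the store is unreachable. The store class, the `rl:user:`/`rl:ip:` key names and the `StoreDown` error are assumptions made for the example.

```python
import time


class StoreDown(Exception):
    """Raised by the store when the backing Redis is unreachable (assumed for this example)."""


class MemoryStore:
    """Stand-in for Redis: key -> (tokens, last_refill_ts). Constructed for the example."""
    def __init__(self):
        self.data = {}
        self.down = False  # flip to True to simulate a Redis outage

    def get(self, key):
        if self.down:
            raise StoreDown()
        return self.data.get(key)

    def set(self, key, value):
        if self.down:
            raise StoreDown()
        self.data[key] = value


class TokenBucketLimiter:
    """Each bucket holds up to `capacity` tokens and refills at `rate` tokens/second."""
    def __init__(self, store, capacity, rate, fail_open=True, clock=time.monotonic):
        self.store, self.capacity, self.rate = store, capacity, rate
        self.fail_open, self.clock = fail_open, clock

    def allow(self, key):
        try:
            now = self.clock()
            tokens, last = self.store.get(key) or (self.capacity, now)
            tokens = min(self.capacity, tokens + (now - last) * self.rate)  # lazy refill
            if tokens < 1:
                self.store.set(key, (tokens, now))  # persist refill, deny request
                return False
            self.store.set(key, (tokens - 1, now))  # consume one token
            return True
        except StoreDown:
            return self.fail_open  # graceful degradation: allow traffic when Redis is down

    def check_request(self, user_id, client_ip):
        # Both the per-user and the per-IP bucket must have a token.
        # Short-circuit order: a per-IP denial still consumes the user's token.
        return self.allow(f"rl:user:{user_id}") and self.allow(f"rl:ip:{client_ip}")
```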
- HSTS - Enforces HTTPS usage
- CSP - Prevents XSS attacks
- X-Frame-Options - Prevents clickjacking
- XSS Protection - Browser-level protection
- Prevents cascade failures when services are down
- Automatic fallback responses
- Self-healing with half-open state
- Configurable failure thresholds
- Unique correlation ID for distributed tracing
- Sanitized logging (tokens redacted)
- Request duration tracking
- Essential for debugging production issues
```bash
# Exceed rate limit: 150 requests in a row against the gateway
for i in {1..150}; do
  curl http://localhost:9090/api/stalls
done
```