Recommended security for backend services

What options are available to secure the communication between Tyk and downstream services?

  • Mutual SSL using client and server side certificates?
  • Pass-though JWT and have the downstream service verify the signature (seems double to me)?
  • … suggestions?

Many thanks!


1 Like

Not yet, we get asked that a lot

You could do this, it’s computationally expensive though

The cheapest and easiest thing to do is to end-to-end SSL the connection for one, and then also have tyk inject a shared secret into all upstream requests using the global request header injector, then have the service check for the shared secret to ensure the request originated from Tyk.

Thanks Martin! Is support for mutual SSL on the roadmap today?

It’s in there somewhere… :-/ I don;t think it will make the cut for 2.3 though.