On this page
Security posture
Review the following information about the security posture of Solo’s Gloo Gateway Envoy extensions.
For more information, see the Envoy threat model.
About the security posture
The security posture includes extensions for both the open source and Enterprise versions of Gloo Gateway. Each extension has the filter name and the classification of the filter’s security posture. The following table describes the security posture values.
Value | Description |
---|---|
data_plane_agnostic | Do not expose this extension to data plane attacks, for both untrusted downstreams and upstream services. |
requires_trusted_downstream_and_upstream | Use this extension only when both the downstream and upstream services are trusted. |
robust_to_untrusted_downstream | You can use these hardened filters only with untrusted downstream services. Do not use with untrusted upstream services, as these filters assume that the upstream services are trusted. |
robust_to_untrusted_downstream_and_upstream | You can use these hardened filters with both untrusted downstream and upstream services. |
unknown | Use these filters with your own security procedures. These filters have an unknown security posture. |
Security posture for extensions
Review the following open source and Enterprise security postures for Gloo Gateway Envoy extensions.
# Security posture for Gloo Gateway Envoy extensions
# This file includes information for both Open Source
# and Enterprise versions of Gloo Gateway.
# For more information, see the docs:
# https://docs.solo.io/gloo-edge/main/reference/security-posture/
#
# Options are:
# - data_plane_agnostic
# - requires_trusted_downstream_and_upstream
# - robust_to_untrusted_downstream
# - robust_to_untrusted_downstream_and_upstream
# - unknown
#
# ---OPEN SOURCE--
extensions:
- name: filters/http/aws_lambda
security_posture: robust_to_untrusted_downstream
- name: filters/http/nats/streaming
security_posture: robust_to_untrusted_downstream
- name: filters/http/transformation
security_posture: robust_to_untrusted_downstream
#
# ---ENTERPRISE---
extensions:
- name: filters/http/graphql
security_posture: robust_to_untrusted_downstream
- name: filters/http/json_grpc_transcoder
security_posture: unknown # this filter is not used; consider removing it.
- name: filters/http/modsecurity
security_posture: robust_to_untrusted_downstream
- name: filters/http/proxylatency
security_posture: robust_to_untrusted_downstream
- name: filters/http/sanitize
security_posture: robust_to_untrusted_downstream
- name: filters/http/solo_jwt_authn
security_posture: robust_to_untrusted_downstream
- name: filters/http/solo_xff_offset
security_posture: robust_to_untrusted_downstream
- name: filters/http/transformation_ee
security_posture: robust_to_untrusted_downstream
- name: filters/listener/proxy_protocol
security_posture: robust_to_untrusted_downstream_and_upstream
- name: graphql/resolvers
security_posture: robust_to_untrusted_downstream
- name: health_checkers/advanced_http
security_posture: requires_trusted_downstream_and_upstream
- name: transformers/xslt
security_posture: robust_to_untrusted_downstream
- name: transformers/aws_lambda
security_posture: robust_to_untrusted_downstream
- name: filters/http/aws_lambda
security_posture: robust_to_untrusted_downstream
- name: filters/http/nats/streaming
security_posture: robust_to_untrusted_downstream
- name: filters/http/cache
security_posture: robust_to_untrusted_downstream
- name: filters/http/cache/grpc
security_posture: robust_to_untrusted_downstream