Authentication & Security
Boltic Gateway provides a powerful and flexible security model to ensure that every request passing through the gateway can be authenticated, validated, and sanitized—before it reaches your downstream services.
Security and middleware enforcement are built to be modular, allowing configuration at both the global level (applies to all routes) and path-specific level (applies only to selected routes). This enables precise control over how and where security policies are applied.
Middleware Types
The following middleware types are supported out of the box, each designed to handle specific security and validation use cases:
| Middleware | Description |
|---|---|
| Header Removal | Removes sensitive or unnecessary headers before forwarding the request. |
| Request Validation | Validates payload schema (e.g., JSON body) against expected structures. |
| Basic Authentication | Authenticates incoming requests using base64-encoded username/password. |
| Request Timeout | Aborts the request if it exceeds a configured duration (e.g., 5s). |
| Header Injection | Injects static or dynamic headers (e.g., trace IDs, client info). |
| JSON Threat Protection | Guards against malicious JSON payloads (e.g., deeply nested structures). |
| XML Threat Protection | Mitigates common XML attacks such as XXE and entity expansion. |
| API Token Authentication | Validates requests using pre-configured API tokens (from header/query/body). |
| CORS | Adds CORS headers dynamically for cross-origin support. |
| JWT Authentication | Validates signed JWTs and extracts claims for use in routing/middleware. |
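To make the JSON Threat Protection row concrete, here is an added example (not Boltic Gateway's own code) of the kind of structural pre-check such a middleware performs. It scans the raw body once, without building an object tree, and rejects bodies that exceed configurable limits on size, nesting depth, string length, and array/object entry counts before the body is ever handed to a real parser. The `JsonLimits` defaults are assumed values chosen for illustration, not the gateway's settings.

```python
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class JsonLimits:
    """Structural limits enforced before a body reaches the real parser.
    The defaults are illustrative, not Boltic Gateway's values."""
    max_body_bytes: int = 1 << 20     # 1 MiB
    max_depth: int = 20               # nested objects/arrays
    max_string_len: int = 4096        # characters in one string value or key
    max_array_entries: int = 1000
    max_object_entries: int = 500


def check_json_threats(raw: bytes, limits: JsonLimits = JsonLimits()) -> list[str]:
    """Return the list of violated limits; an empty list means the body may be parsed.

    The body is scanned character by character without building any object
    tree, so the check itself stays O(n) in time and O(depth) in memory even
    on hostile input.
    """
    if len(raw) > limits.max_body_bytes:
        return [f"body exceeds {limits.max_body_bytes} bytes"]
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return ["body is not valid UTF-8"]

    violations: list[str] = []
    stack: list[list] = []   # one [opener, comma_count, has_content] per open container
    in_string = False
    escaped = False
    string_len = 0
    longest_string = 0

    for ch in text:
        if in_string:
            # Inside a string literal, brackets and commas are data, not structure.
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
                longest_string = max(longest_string, string_len)
            else:
                string_len += 1
            continue
        if ch in " \t\r\n":
            continue
        if stack and ch not in "}]":
            stack[-1][2] = True          # the enclosing container is non-empty
        if ch == '"':
            in_string = True
            string_len = 0
        elif ch in "{[":
            stack.append([ch, 0, False])
            if len(stack) > limits.max_depth:
                # Stop at the first depth violation: nothing after it needs inspecting.
                violations.append(f"nesting depth exceeds {limits.max_depth}")
                return violations
        elif ch in "}]":
            if not stack:
                return ["malformed JSON: unbalanced closing bracket"]
            opener, commas, has_content = stack.pop()
            entries = commas + 1 if has_content else 0
            if opener == "[" and entries > limits.max_array_entries:
                violations.append(f"array has {entries} entries (limit {limits.max_array_entries})")
            if opener == "{" and entries > limits.max_object_entries:
                violations.append(f"object has {entries} entries (limit {limits.max_object_entries})")
        elif ch == ",":
            if stack:
                stack[-1][1] += 1

    if longest_string > limits.max_string_len:
        violations.append(f"string of {longest_string} chars exceeds {limits.max_string_len}")
    if in_string or stack:
        violations.append("malformed JSON: unterminated string or container")
    if not violations:
        # Only now hand the body to the real parser; the structural limits above
        # are what keep json.loads from being the component that falls over.
        try:
            json.loads(text)
        except ValueError as exc:
            violations.append(f"malformed JSON: {exc}")
    return violations


def is_json_body_allowed(raw: bytes, limits: JsonLimits = JsonLimits()) -> bool:
    """Convenience wrapper for a middleware allow/deny decision."""
    return not check_json_threats(raw, limits)
```

The order matters: size is checked before decoding, and depth is checked during the scan rather than after parsing, because a deeply nested body can exhaust the parser's stack before any post-parse limit would get a chance to run.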
Middleware Scope
- Global Middleware: Applies to all routes within a gateway. Ideal for shared behaviors like authentication, logging, or threat protection.
- Path-Level Middleware: Applied to specific routes only, allowing more granular control over security enforcement.
Auth Key Sanitization
When any authentication middleware (e.g., API Token, JWT, Basic Auth) is used:
- The gateway will automatically strip the authentication token/key from the request before passing it downstream.
- This applies to tokens present in:
  - Headers
  - Query Parameters
  - Cookies
  - Request Body
This ensures that sensitive authentication data does not leak to downstream services.
Query Parameter Handling
- Query parameters are preserved and forwarded downstream by default.
- However, if the request uses API Token Authentication and the token is passed via a query parameter, that token will be removed before forwarding to protect against token leakage.
Best Practices
- Apply global middleware for consistent security posture across all endpoints (e.g., CORS, threat protection).
- Use path-level overrides for route-specific logic like custom timeouts or different auth types.
- Enable JWT or API Token Authentication for secure multi-tenant routing.
- Sanitize sensitive data (e.g., auth tokens, API keys) using Header Removal or built-in stripping mechanisms.
With these flexible authentication and security capabilities, Boltic Gateway empowers you to enforce fine-grained control and enterprise-grade protection—while keeping your downstream services clean, fast, and secure.