Hi Kareem,
Your best practices will depend on your APIs and actual security requirements, but I agree in part with Navaneeth - at a minimum you should add cert-based security assertions; I am less enthusiastic about SSL or IP-based filtering, and I encourage you to build your service with both if you are able.
A typical flow looks like some combination of the following (with the relevant Gateway Policy in parentheses, if different from the bulleted item):
- Require SSL or TLS (Require SSL or TLS Transport)
- IP-based filtering assertions (Restrict access to IP Address Range)
- Require Credentials / Authenticate Against Identity Provider
- Require OAuth 2.0 Token
- API key enforcement (requires a few policy settings, but in general you should be setting up your API so that you can track usage, and this is enabled/supported by an API key; note that you can use this in lieu of some of the more restrictive credentials and authentication / authorization assertions if you wish)
- Rate Limiting with throttling and shaping (Apply Rate Limit)
This is a good start, and all of these are very easy to implement on the Gateway.
Cheers,
-case-
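To make the layering in that list concrete, here is an added example (not code from the post, the Gateway, or its policy engine) of a small policy chain in Python that runs equivalent checks in the same order: TLS transport, IP range restriction, API key, OAuth bearer token, then a rate limit applied only to traffic that has already authenticated. All networks, keys, tokens and limits are constructed placeholder values, and the header names `X-API-Key` and `Authorization` are assumptions of the example.

```python
import ipaddress
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Request:
    """Minimal view of an inbound request (constructed for the example)."""
    client_ip: str
    tls: bool
    headers: dict = field(default_factory=dict)


# Constructed policy configuration: placeholder values, not a real deployment.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("203.0.113.0/24")]
API_KEYS = {"example-key-1": "partner-a"}        # API key -> client identity
VALID_TOKENS = {"example-token-1": "alice"}      # opaque bearer token -> subject
RATE_LIMIT = 3          # requests per API key per window
WINDOW_SECONDS = 60


class RateLimiter:
    """Sliding-window counter keyed by API key; denied requests do not consume quota."""

    def __init__(self, limit: int, window: float):
        self.limit = limit
        self.window = window
        self._hits = defaultdict(deque)   # key -> timestamps of allowed requests

    def allow(self, key: str, now: float) -> bool:
        q = self._hits[key]
        while q and q[0] <= now - self.window:   # evict hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


# Each assertion returns (passed, reason), mirroring one item from the list above.
def require_tls(req: Request) -> Tuple[bool, str]:
    return (True, "") if req.tls else (False, "transport is not TLS")


def restrict_ip_range(req: Request) -> Tuple[bool, str]:
    try:
        ip = ipaddress.ip_address(req.client_ip)
    except ValueError:
        return False, "unparseable client address"
    if any(ip in net for net in ALLOWED_NETS):
        return True, ""
    return False, f"client {ip} outside allowed ranges"


def require_api_key(req: Request) -> Tuple[bool, str]:
    if req.headers.get("X-API-Key", "") in API_KEYS:
        return True, ""
    return False, "missing or unknown API key"


def require_oauth_token(req: Request) -> Tuple[bool, str]:
    scheme, _, token = req.headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token in VALID_TOKENS:
        return True, ""
    return False, "missing or invalid bearer token"


def evaluate(req: Request, limiter: RateLimiter,
             now: Optional[float] = None) -> Tuple[bool, str]:
    """Run the assertions in order; the first failure short-circuits. The rate
    limit comes last so unauthenticated traffic never burns a client's quota."""
    now = time.time() if now is None else now
    for assertion in (require_tls, restrict_ip_range, require_api_key, require_oauth_token):
        ok, reason = assertion(req)
        if not ok:
            return False, reason
    if not limiter.allow(req.headers["X-API-Key"], now):
        return False, "rate limit exceeded"
    return True, "allowed"


if __name__ == "__main__":
    limiter = RateLimiter(RATE_LIMIT, WINDOW_SECONDS)
    hdrs = {"X-API-Key": "example-key-1", "Authorization": "Bearer example-token-1"}
    good = Request("10.1.2.3", True, hdrs)
    for i in range(5):                       # fourth and fifth calls hit the rate limit
        print(i, evaluate(good, limiter, now=1000.0 + i))
    print(evaluate(Request("198.51.100.9", True, hdrs), limiter, now=1010.0))
```

Ordering is the point: cheap transport and network checks run first, credential checks next, and the rate limit is keyed on an identity that has already been verified, so a flood of unauthenticated requests cannot exhaust a legitimate client's allowance.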