CA API Gateway/Policies: How to Secure published REST API using Proven Best Practices? What are typical flow configurations?
Your best practices will depend on your APIs and actual security requirements, but I agree in part with Navaneeth - at a minimum you should add cert-based security assertions; I am less enthusiastic about SSL or IP-based filtering, and I encourage you to build your service with both if you are able.
A typical flow looks like some combination of the following (with the relevant Gateway Policy in parentheses, if different from the bulleted item):
This is a good start, and all of these are very easy to implement on the Gateway.
You can add cert-based security assertions or IP-based filtering assertions.
Thanks for the information, Case. That's good information to start with.