Here is the threat model of Apache APISIX, which is relative to our developers and operators.
As a proxy, Apache APISIX needs to be able to run in front of untrusted downstream traffic.
However, some features need to assume the downstream traffic is trusted. They should be either not exposed to the internet by default (for example, listening to 127.0.0.1), or disclaim in the doc explicitly.
As Apache APISIX is evolving rapidly, some newly added features may not be strong enough to defend against potential attacks. Therefore, we need to divide the features into two groups: premature and mature ones. Features that are just merged in half a year or are declared as experimental are premature. Premature features are not fully tested on the battlefield and are not covered by the security policy normally.
Additionally, we require the components below are trustable:
As the user: First of all, don't expose the components which are required to be trustable to the internet, including the control plane (Dashboard or something else) and the configuration relay mechanism (etcd or etcd adapter or something else).
Then, harden the trusted components. For example,
As the developer: We should keep security in mind, and validate the input from the client before use.
As the maintainer: We should keep security in mind, and review the code line by line. We are open to discussion from the security researchers.