Description
We are currently using multiple APIRules for service-specific exposure rather than a single unified APIRule for all microservices. This approach requires managing security headers individually per APIRule (per service), which significantly increases operational overhead and makes it challenging to maintain consistent security compliance across all services.
To address this challenge, we are exploring a centralized security header management approach by implementing headers at the Istio Gateway level using EnvoyFilter. This would enable us to manage security headers through a single, centralized configuration that automatically applies to all services.
Reasons
1. Reduced Operational Overhead
- Managing security headers per APIRule multiplies the configuration touchpoints
- Each service requires individual header configuration and maintenance
- Updates to security policies require changes across multiple APIRules
- Higher risk of configuration drift and inconsistencies
2. Improved Security Compliance
- Centralized configuration ensures uniform security header enforcement
- Eliminates gaps where individual services might have missing or outdated headers
- Easier to audit and verify compliance across all services
- Single source of truth for security header standards
3. Simplified Maintenance
- One configuration to update when security requirements change
- Reduced risk of human error from repetitive manual configurations
- Faster deployment of security patches and updates
- Clearer ownership and accountability for security header management
4. Better Scalability
- New services automatically inherit security headers without additional configuration
- No need to replicate security configurations when adding services
- Consistent behavior across the entire service mesh
Attachments
apiVersion: networking.istio.io/v1alpha3
kind: EnvoyFilter
metadata:
  name: global-gateway-security-headers
  namespace: istio-system
  labels:
    app.kubernetes.io/name: global-security
    app.kubernetes.io/component: gateway-security
    app.kubernetes.io/part-of: global
    app.kubernetes.io/managed-by: helm
  annotations:
    description: "Global security headers for all services at gateway level"
    security.compliance: "pentest-2026-01"
spec:
  # Target the Istio ingress gateway pods
  workloadSelector:
    labels:
      istio: ingressgateway
  configPatches:
    # response_headers_to_add is a field of the Envoy RouteConfiguration, not of
    # HttpConnectionManager, so the patch targets the gateway's route configuration
    # rather than the HTTP filter chain.
    - applyTo: ROUTE_CONFIGURATION
      match:
        # Apply to gateway context (inbound traffic from internet)
        context: GATEWAY
      patch:
        operation: MERGE
        value:
          response_headers_to_add:
            - header:
                key: "Strict-Transport-Security"
                value: "max-age=31536000; includeSubDomains; preload"
              append_action: OVERWRITE_IF_EXISTS_OR_ADD
...
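An added audit script, not part of this issue or of the Istio/Kyma projects, that checks response headers from each exposed host against the baseline the gateway-level EnvoyFilter is meant to enforce, so the "easier to audit and verify compliance" claim can be exercised after rollout. The header set beyond Strict-Transport-Security and the sample responses are assumptions.

```python
"""Audit HTTP response headers against a gateway-wide security-header baseline."""
import re
import urllib.error
import urllib.request

# Baseline the EnvoyFilter is meant to enforce on every service (assumed set).
BASELINE = {
    "strict-transport-security": re.compile(r"^max-age=(\d+)"),
    "x-content-type-options": re.compile(r"^nosniff$", re.I),
    "x-frame-options": re.compile(r"^(DENY|SAMEORIGIN)$", re.I),
}
MIN_HSTS_AGE = 31536000  # one year, matching the attached EnvoyFilter


def audit_headers(headers):
    """Return {header-name: problem} for every baseline violation (empty dict = OK).

    `headers` is any iterable of (name, value) pairs. Names are compared
    case-insensitively because Envoy emits them lower-cased over HTTP/2.
    """
    got = {name.lower(): value.strip() for name, value in headers}
    problems = {}
    for name, pattern in BASELINE.items():
        value = got.get(name)
        if value is None:
            problems[name] = "missing"
            continue
        match = pattern.match(value)
        if not match:
            problems[name] = f"unexpected value {value!r}"
        elif name == "strict-transport-security" and int(match.group(1)) < MIN_HSTS_AGE:
            problems[name] = f"max-age {match.group(1)} below {MIN_HSTS_AGE}"
    return problems


def audit_url(url):
    """Fetch `url` and audit its headers; needs network access. Error responses
    are audited too, since the gateway should add the headers regardless of status."""
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return audit_headers(resp.getheaders())
    except urllib.error.HTTPError as err:
        return audit_headers(err.headers.items())


# Constructed sample responses standing in for two services behind the gateway.
SAMPLE_OK = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains; preload"),
             ("X-Content-Type-Options", "nosniff"), ("X-Frame-Options", "DENY")]
SAMPLE_DRIFTED = [("Strict-Transport-Security", "max-age=300"), ("X-Frame-Options", "ALLOWALL")]

if __name__ == "__main__":
    for label, hdrs in (("service-a", SAMPLE_OK), ("service-b", SAMPLE_DRIFTED)):
        print(label, audit_headers(hdrs) or "OK")
```

Run `audit_url("https://<host>/")` for each hostname served through the gateway; a non-empty result means a service still lacks the centralized headers.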