Included Policies Directory

Policies Included in Flex Gateway

Policy	Category	Summary
Basic Authentication: LDAP	Security	Allows access based on the basic authorization mechanism, with user-password defined on LDAP
Basic Authentication: Simple	Security	Allows access based on the basic authorization mechanism, with a single user-password
Client ID Enforcement	Compliance	Allows access only to authorized client applications
Cross-Origin Resource Sharing (CORS)	Compliance	Enables access to resources residing in external domains
External Authorization	Security	Authenticates requests with an external gRPC or HTTP authorization service
External Processing	Transformation	Sends the incoming HTTP requests or outgoing HTTP responses to an external gRPC service for additional processing
Header Injection	Transformation	Adds headers to a request or a response
Header Removal	Transformation	Removes headers from a request or a response
Health Check	Quality of Service	Monitors API upstream health at specific intervals
HTTP Caching	Quality of Service	Caches HTTP responses from an API implementation
IP Allowlist	Security	Allows a list or range of specified IP addresses to request access
IP Blocklist	Security	Blocks a single IP address or a range of IP addresses from accessing an API endpoint
JSON Threat Protection	Security	Protects against malicious JSON in API requests
JWT Validation	Security	Validates a JWT
Message Logging	Troubleshooting	Logs custom messages using information from incoming requests, responses from the backend, or information from other policies applied to the same API endpoint
OAuth 2.0 Token Introspection	Security	Allows access only to authorized client applications
OpenID Connect OAuth 2.0 Access Token Enforcement	Security	Allows access only to authorized client applications
Rate Limiting	Quality of Service	Monitors access to an API by defining the maximum number of requests processed within a period of time
Rate Limiting: SLA-based	Quality of Service	Monitors access to an API by defining the maximum number of requests processed within a timespan, based on SLAs
Schema Validation	Security	Validates incoming traffic against a supplied OAS3 schema
Spike Control	Quality of Service	Regulates API traffic
Traffic Management for Multiple Upstream Services	Quality of Service	Manages API instance traffic to multiple upstream services from a single consumer endpoint
Traffic Management for Multiple Upstream Services (Weighted)	Quality of Service	Manages API instance traffic to multiple upstream services from a single consumer endpoint, using weighted percentages
Transport Layer Security (TLS) - Inbound	Security	Enables authentication between a client and the API proxy
Transport Layer Security (TLS) - Outbound	Security	Enables two-way authentication between the API proxy and an upstream service

Policy

Category

Summary

Basic Authentication: LDAP

Security

Allows access based on the basic authorization mechanism, with user-password defined on LDAP

Basic Authentication: Simple

Security

Allows access based on the basic authorization mechanism, with a single user-password

Client ID Enforcement

Compliance

Allows access only to authorized client applications

Cross-Origin Resource Sharing (CORS)

Compliance

Enables access to resources residing in external domains

External Authorization

Security

Authenticates requests with an external gRPC or HTTP authorization service

External Processing

Transformation

Sends the incoming HTTP requests or outgoing HTTP responses to an external gRPC service for additional processing

Header Injection

Transformation

Adds headers to a request or a response

Header Removal

Transformation

Removes headers from a request or a response

Health Check

Quality of Service

Monitors API upstream health at specific intervals

HTTP Caching

Quality of Service

Caches HTTP responses from an API implementation

IP Allowlist

Security

Allows a list or range of specified IP addresses to request access

IP Blocklist

Security

Blocks a single IP address or a range of IP addresses from accessing an API endpoint

JSON Threat Protection

Security

Protects against malicious JSON in API requests

JWT Validation

Security

Validates a JWT

Message Logging

Troubleshooting

Logs custom messages using information from incoming requests, responses from the backend, or information from other policies applied to the same API endpoint

OAuth 2.0 Token Introspection

Security

Allows access only to authorized client applications

OpenID Connect OAuth 2.0 Access Token Enforcement

Security

Allows access only to authorized client applications

Rate Limiting

Quality of Service

Monitors access to an API by defining the maximum number of requests processed within a period of time

Rate Limiting: SLA-based

Quality of Service

Monitors access to an API by defining the maximum number of requests processed within a timespan, based on SLAs