Skip to main content


Security Hardening Reference

Infrastructure security is an important topic that organizations scrutinize to stay compliant to the latest regulatory and legal requirements. Understanding where and how sensitive information is stored is of paramount importance to implement robust security measures and safeguard against unauthorized access, data breaches, or malicious attacks in your organizations.


This document provides a reference detailing where sensitive information in API7 Enterprise is, how they are stored, and how they are protected.

Between Data Plane (DP) and Control Plane (CP)

The communication between DP and CP can be secured with tokens or mTLS.

  • When using tokens, tokens are PBKDF2 encrypted and saved to the database.
  • When using mTLS, CP only stores the server and CA certificates. It does not store the client certificate.

Control Plane (CP)

Database Connection Credentials

Database connection credentials are stored in the control plane's configuration files. They can also be stored in environment variables and injected into the configuration files.

Plugin Resources

Sensitive plugin fields in plugin configurations are specified in encrypted_fields in the plugin schema. Information in these fields are encrypted with AES256 and saved to the database.

The keyring used to encrypt sensitive information differs by gateway group and they are also encrypted before being saved to the database.

SSL Resources

For SSL resources, metadata are saved in plaintext while certificates are AES encrypted and saved to the database.

When viewing SSL resources using API or dashboard, you can only see the metadata.

Dashboard and DP Manager Connections

The communication between dashboard and DP manager uses HTTPS by default. If no certificates are configured, API7 will use self-signed certificates.


Sensitive information, such as passwords, are masked in audit logs before the logs are saved to the database. Any additional alteration to audit logs is forbidden.

User Credentials

User credentials, including username and password, as well as access token, are salted and PBKDF2 encrypted before being saved to the database.

Encryption Algorithms

In cases where the field should not be reversible, the encryption algorithm would be PBKDF2 with salt.

In cases where the field should be reversible, the encryption algorithm would be AES.

Data Plane (DP)

Between clients and API7 Enterprise, as well as API7 Enterprise and upstream services, you can optionally configure TLS or mTLS to secure the communication. Logo

API Management for Modern Architectures with Edge, API Gateway, Kubernetes, and Service Mesh.


API7 Cloud

SOC2 Type IRed Herring

Copyright © APISEVEN Ltd. 2019 – 2024. Apache, Apache APISIX, APISIX, and associated open source project names are trademarks of the

Apache Software Foundation