| Owner | Classification | Review Date | Status |
| --- | --- | --- | --- |
| Security | Confidential | April 2027 | Draft |
Scope
This threat model covers the Simpaisa API Gateway layer (KrakenD) and shared platform services including: API authentication and authorisation, rate limiting, webhook delivery, event bus (NSQ), workflow orchestration (Temporal), secret management, and the internal service mesh. It does not cover individual product domains — see the Pay-In, Pay-Out, Remittance, and Cards threat models for product-layer threats.
Architecture Overview
The API Gateway sits at the perimeter of all inbound API traffic. All external requests pass through KrakenD before reaching internal microservices. Internal service-to-service communication uses mTLS. Secrets are managed via a centralised vault. Events are published to NSQ; long-running operations are orchestrated via Temporal.
| Component | Technology | Trust Zone | Exposure |
| --- | --- | --- | --- |
| API Gateway | KrakenD | DMZ | Public internet |
| Authentication service | RSA-SHA256 JWT | Internal | Via gateway only |
| Event bus | NSQ | Internal | Internal only |
| Workflow engine | Temporal | Internal | Internal only |
| Secret store | ControlPlane.com | Internal | Internal only |
| Webhook delivery | Custom (HMAC-SHA256 signed) | DMZ | Outbound to merchants |
| Service mesh | mTLS (no service mesh proxy) | Internal | Internal only |
| Edge / CDN | Cloudflare | Perimeter | Public internet |
Trust Boundaries
| Boundary | Description | Controls |
| --- | --- | --- |
| Internet → Cloudflare | All public traffic enters via Cloudflare edge | WAF rules, DDoS mitigation, TLS 1.3 termination |
| Cloudflare → KrakenD | Filtered traffic reaches the API gateway | IP allowlist, mutual TLS optional, rate limiting |
| KrakenD → Internal services | Gateway forwards to microservices | JWT validation, scope enforcement, service identity |
| Internal → Secret store | Services fetch secrets at runtime | Service identity, least-privilege policies, audit logging |
| Platform → Merchant webhooks | Outbound event delivery | HMAC-SHA256 signatures, TLS, retry with backoff |
STRIDE Threat Register
Spoofing
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| GW-S-01 | JWT token forgery or replay | API Gateway | Attacker obtains a valid JWT (expired or stolen) and replays it against the API | Unauthorised API access; data exfiltration | Medium | 🟠 High | Short JWT TTL (15 min); jti claim uniqueness check; token revocation list; RSA-SHA256 signing (ADR-API-002) | Low |
| GW-S-02 | API key impersonation | Merchant authentication | Attacker obtains merchant API key via phishing, code leak, or insider access | Fraudulent transactions; data access under merchant identity | Medium | 🟠 High | API key scoping; IP allowlisting per key; anomaly detection on key usage patterns | Medium |
| GW-S-03 | Webhook endpoint impersonation | Webhook delivery | Attacker intercepts or spoofs the merchant's webhook endpoint to receive event data | Sensitive payment event data exposure | Low | 🟡 Medium | HMAC-SHA256 payload signing (ADR-SECURITY-005); merchants must validate signature before processing | Low |
| GW-S-04 | Internal service identity spoofing | Service mesh | Compromised service forges requests as a different internal service | Privilege escalation within internal network | Low | 🟡 Medium | mTLS between all internal services (ADR-SECURITY-035); certificate rotation; ControlPlane.com zero-trust (ADR-SECURITY-012) | Low |
Tampering
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| GW-T-01 | Request payload manipulation via proxy | API Gateway → service | MITM attack modifies transaction amount or destination account in transit | Financial loss; fraudulent transactions | Low | 🟠 High | TLS 1.3 end-to-end; payload integrity hashing on financial fields; idempotency keys (ADR-API-008) | Low |
| GW-T-02 | Webhook payload tampering | Outbound webhooks | Network attacker modifies webhook payload in transit to merchant | Merchant processes incorrect event data | Low | 🟠 High | HMAC-SHA256 signature on full payload; TLS; merchant-side signature validation required | Low |
| GW-T-03 | Secret injection into secret store | ControlPlane.com | Insider or compromised service writes malicious secret values (e.g., fake private keys) | Cryptographic compromise; platform-wide impact | Low | 🔴 Critical | Write-access policies; dual approval for secret rotation; audit logging on all secret operations; immutable audit trail (ADR-SECURITY-048) | Medium |
| GW-T-04 | NSQ message tampering | Event bus | Compromised internal service injects or modifies events on the NSQ bus | Downstream service processes corrupt event data | Low | 🟡 Medium | mTLS on NSQ consumers/producers; event schema validation; dead letter queue monitoring (ADR-API-026) | Low |
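The merchant-side signature validation that GW-S-03 and GW-T-02 depend on, as an added example (not Simpaisa's webhook code): HMAC-SHA256 over the full raw body, compared in constant time. Binding a delivery timestamp into the MAC and the `maxSkew` window are assumptions added here to bound replay of a captured delivery; header names and the per-merchant secret format are left to the integration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"strconv"
)

// mac computes HMAC-SHA256 under the merchant's secret over
// "<unix timestamp>.<full raw body>". Binding the timestamp is an assumption
// added for this example; it is what lets the receiver bound replay.
func mac(secret, body []byte, ts int64) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write([]byte(strconv.FormatInt(ts, 10) + "."))
	m.Write(body) // whole raw body, before any JSON parsing on either side
	return m.Sum(nil)
}

// SignWebhook is the platform side: the hex signature sent alongside the timestamp.
func SignWebhook(secret, body []byte, ts int64) string {
	return hex.EncodeToString(mac(secret, body, ts))
}

// VerifyWebhook is the merchant-side check: recompute over the exact bytes received,
// compare in constant time, and reject deliveries whose timestamp is more than
// maxSkew seconds from now so a captured delivery cannot be replayed later.
func VerifyWebhook(secret, body []byte, ts, now, maxSkew int64, sigHex string) bool {
	if ts > now+maxSkew || ts < now-maxSkew {
		return false
	}
	got, err := hex.DecodeString(sigHex)
	if err != nil {
		return false
	}
	return hmac.Equal(got, mac(secret, body, ts)) // never compare MACs with ==
}
```

Verify before parsing the JSON: a signature computed over a re-serialised object will not match the bytes the platform signed.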
Repudiation
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| GW-R-01 | API action denial by merchant | Transaction record | Merchant denies initiating a transaction or API call | Dispute resolution failure; financial and reputational loss | Medium | 🟠 High | Immutable audit trail for all API calls (ADR-SECURITY-048); signed request logs; idempotency key retention | Low |
| GW-R-02 | Audit log deletion or modification | Audit trail | Insider or attacker deletes or modifies API access logs to cover tracks | Forensic investigation failure; compliance violation | Low | 🔴 Critical | Write-once log storage; log integrity hashing; SIEM ingestion with tamper alerts; separation of log write and delete permissions | Medium |
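The "log integrity hashing" control in GW-R-02, as an added example (not the platform's audit implementation): each record carries a SHA-256 over the previous hash, its sequence number and its body, so editing, deleting or reordering any record breaks every link after it. The record layout and the sample log bodies are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"strconv"
)

// Entry is one audit record: its content plus the hash chaining it to its predecessor.
type Entry struct {
	Seq  int
	Body string // constructed example: "2027-04-01T10:00:00Z POST /v1/payin key=mk_123 idem=7f3a"
	Hash string // hex SHA-256 over prevHash, seq and body
}

func chainHash(prev string, seq int, body string) string {
	h := sha256.New()
	h.Write([]byte(prev))
	h.Write([]byte(strconv.Itoa(seq) + "\x00")) // separator keeps seq/body boundaries fixed
	h.Write([]byte(body))
	return hex.EncodeToString(h.Sum(nil))
}

// Append adds a record. The writer needs only the previous hash, never delete rights,
// which is what lets write and delete permissions be separated (GW-R-02).
func Append(log []Entry, body string) []Entry {
	prev := ""
	if n := len(log); n > 0 {
		prev = log[n-1].Hash
	}
	return append(log, Entry{len(log), body, chainHash(prev, len(log), body)})
}

// Head returns the latest hash; shipping it to the SIEM at intervals turns a break in
// the chain into an alert that cannot be silenced by rewriting the chain afterwards.
func Head(log []Entry) string {
	if len(log) == 0 {
		return ""
	}
	return log[len(log)-1].Hash
}

// VerifyChain recomputes every link from the genesis; it returns the index of the first
// record that was edited, deleted or reordered, or -1 if the chain is intact.
func VerifyChain(log []Entry) int {
	prev := ""
	for i, e := range log {
		if e.Seq != i || e.Hash != chainHash(prev, i, e.Body) {
			return i
		}
		prev = e.Hash
	}
	return -1
}
```

The chain alone only proves consistency with itself; the head hash recorded outside the writer's reach (the SIEM in this model) is what makes a wholesale rewrite detectable.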
Information Disclosure
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| GW-I-01 | Verbose error responses leaking internals | API error handling | Attacker triggers errors to enumerate internal service names, stack traces, or data schemas | Attack surface mapping; targeted exploitation | High | 🟠 High | Unified error response schema (ADR-API-006); no stack traces in production responses; generic error messages externally | Low |
| GW-I-02 | Secret exfiltration from secret store | ControlPlane.com | Compromised service or insider reads secrets beyond their scope | Cryptographic key compromise; platform-wide breach | Low | 🔴 Critical | Least-privilege secret policies; service identity-scoped access; secret access audit logging; rotation on suspected compromise | Medium |
| GW-I-03 | Rate limit probing to enumerate valid resources | API Gateway | Attacker sends systematic requests to determine which merchant IDs, account IDs, or resources exist | Customer data enumeration | High | 🟠 High | Rate limiting per key and per IP (ADR-API-027); opaque resource identifiers (UUIDs); consistent response timing | Low |
| GW-I-04 | Log data containing PII | Application logs | Debug logging inadvertently captures card numbers, account details, or personal data | PII breach; regulatory violation (PDPA, GDPR-equivalent) | Medium | 🟠 High | Structured logging standard enforces PII field masking; log review in CI pipeline; DLP scanning on log aggregator | Low |
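The PII field masking named in GW-I-04, as an added example (not the platform's logging standard): known-sensitive structured fields are redacted outright, and every remaining value is swept for card numbers that leaked into free text, with a Luhn check so order ids and timestamps of similar length stay readable. The field names in `sensitiveKeys` and the sample events are assumptions.

```go
package main

import (
	"regexp"
	"strings"
)

// luhn reports whether a digit string passes the Luhn checksum that card numbers carry.
func luhn(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			if d *= 2; d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// 13 to 19 digits, optionally separated by spaces or dashes, as they appear in log text.
var panLike = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)
// Field names masked outright regardless of value; this list is an assumption for the example.
var sensitiveKeys = map[string]bool{"pan": true, "cvv": true, "account_no": true, "cnic": true}

// MaskPAN keeps only the last four digits of any Luhn-valid card number in free text.
func MaskPAN(s string) string {
	return panLike.ReplaceAllStringFunc(s, func(m string) string {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if !luhn(digits) {
			return m // an order id or timestamp that merely looks like a PAN stays readable
		}
		return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
	})
}

// MaskFields masks sensitive keys of a structured log event, then sweeps every remaining
// value for card numbers that leaked into free-text fields such as "msg" (GW-I-04).
func MaskFields(event map[string]string) map[string]string {
	out := make(map[string]string, len(event))
	for k, v := range event {
		if sensitiveKeys[strings.ToLower(k)] {
			v = "[REDACTED]"
		}
		out[k] = MaskPAN(v)
	}
	return out
}
```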
Denial of Service
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| GW-D-01 | Volumetric DDoS against API Gateway | KrakenD / Cloudflare edge | Coordinated high-volume request flood targeting the public API endpoint | API unavailability; merchant transaction failures; SLA breach | High | 🔴 Critical | Cloudflare DDoS mitigation (ADR-SECURITY-037); auto-scaling; rate limiting at edge; WAF challenge rules | Medium |
| GW-D-02 | Slow-loris / connection exhaustion | API Gateway | Attacker holds many connections open with slow requests, exhausting gateway connection pool | Legitimate requests rejected; API unavailability | Medium | 🟠 High | Request timeout enforcement in KrakenD; connection pool limits; Cloudflare bot management | Low |
| GW-D-03 | NSQ queue flooding | Event bus | Compromised or misbehaving internal service floods NSQ with events, causing consumer lag | Delayed transaction processing; reconciliation failures | Low | 🟡 Medium | Per-producer rate limits on NSQ; queue depth alerting; circuit breakers on consumers | Low |
| GW-D-04 | Temporal workflow bomb | Workflow engine | Attacker or bug triggers thousands of long-running Temporal workflows, exhausting worker capacity | Payment processing delays; workflow queue backlog | Low | 🟡 Medium | Workflow concurrency limits; worker auto-scaling; workflow rate limiting at submission | Low |
Elevation of Privilege
| ID | Threat | Target | Attack Vector | Impact | Likelihood | Risk | Mitigating Controls | Residual Risk |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| GW-E-01 | JWT scope escalation | API authorisation | Attacker manipulates JWT claims to elevate scope (e.g., read → write, merchant → admin) | Unauthorised write access; data manipulation | Low | 🔴 Critical | Server-side scope validation; JWT signed with RSA private key (not shared secret); scope never derived from token payload alone | Low |
| GW-E-02 | Path traversal to bypass gateway routing | KrakenD routing | Attacker crafts URL to bypass gateway and reach internal services directly | Access to unauthenticated internal endpoints | Low | 🔴 Critical | Internal services bound to localhost/internal network only; no direct internet exposure; network segmentation (ADR-INFRA-072) | Low |
| GW-E-03 | Service account privilege escalation | Internal services | Compromised service uses its mTLS identity to call endpoints beyond its designed scope | Cross-domain data access; fraud logic bypass | Low | 🟠 High | Authorisation enforcement at service level (not only gateway); ControlPlane.com zero-trust policies; service mesh policy enforcement | Low |
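The token checks behind GW-S-01 and GW-E-01 together, as an added example (not Simpaisa's or KrakenD's code): RSA-SHA256 signature verification over the signed bytes, expiry and single-use jti enforcement, and scopes resolved from a server-side registry keyed by subject rather than from anything in the token payload. The claim names, the in-memory jti cache, the scope registry, the demo key pair and the `Sign` helper used to mint test tokens are all assumptions; in production the private key lives in the secret store.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)
// Claims are the payload fields the gateway reads; a "scope" claim, if present, is ignored.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
	Jti string `json:"jti"`
}
var b64 = base64.RawURLEncoding
// Demo-only key pair (constructed here); in production the private key lives in the secret store.
var signingKey, _ = rsa.GenerateKey(rand.Reader, 2048)
func digest(s string) []byte { d := sha256.Sum256([]byte(s)); return d[:] }
// Sign mints an RS256 token over header.payload; used here only to construct test input.
func Sign(c Claims) string {
	body, _ := json.Marshal(c)
	msg := b64.EncodeToString([]byte(`{"alg":"RS256"}`)) + "." + b64.EncodeToString(body)
	sig, _ := rsa.SignPKCS1v15(rand.Reader, signingKey, crypto.SHA256, digest(msg))
	return msg + "." + b64.EncodeToString(sig)
}

// VerifyToken checks the RSA-SHA256 signature over header.payload, expiry and single-use jti
// (GW-S-01), then resolves scopes from a server-side registry keyed by subject, never from
// the payload (GW-E-01). seen doubles as the revocation list; now is a Unix timestamp.
func VerifyToken(pub *rsa.PublicKey, tok string, seen map[string]bool, scopes map[string][]string, now int64) ([]string, error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return nil, errors.New("malformed token")
	}
	sig, e1 := b64.DecodeString(p[2])
	raw, e2 := b64.DecodeString(p[1])
	if e1 != nil || e2 != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(p[0]+"."+p[1]), sig) != nil {
		return nil, errors.New("bad signature") // forged token, or any claim edited after signing
	}
	var c Claims
	if json.Unmarshal(raw, &c) != nil || now >= c.Exp || c.Jti == "" || seen[c.Jti] {
		return nil, errors.New("expired, replayed or revoked") // 15-minute TTL bounds the replay window
	}
	seen[c.Jti] = true
	return scopes[c.Sub], nil // authorisation data comes from the registry, not the token
}
```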
Risk Summary
| Risk Level | Count | Threats |
| --- | --- | --- |
| 🔴 Critical | 5 | GW-T-03, GW-R-02, GW-I-02, GW-D-01, GW-E-01, GW-E-02 |
| 🟠 High | 9 | GW-S-01, GW-S-02, GW-T-01, GW-T-02, GW-R-01, GW-I-01, GW-I-03, GW-I-04, GW-D-02, GW-E-03 |
| 🟡 Medium | 4 | GW-S-03, GW-S-04, GW-T-04, GW-D-03, GW-D-04 |