{"id":33178969,"url":"https://github.com/The-OAG-Development-Project/Application-Gateway","last_synced_at":"2025-11-20T21:03:05.917Z","repository":{"id":38442696,"uuid":"304585873","full_name":"The-OAG-Development-Project/Application-Gateway","owner":"The-OAG-Development-Project","description":"OWASP Application Gateway is an HTTP proxy that handles Oauth2 authentication and session management","archived":false,"fork":false,"pushed_at":"2025-05-16T12:44:46.000Z","size":4010,"stargazers_count":85,"open_issues_count":13,"forks_count":4,"subscribers_count":6,"default_branch":"main","last_synced_at":"2025-08-08T16:44:13.953Z","etag":null,"topics":["gateway","iam","reverse-proxy","security","spring-boot"],"latest_commit_sha":null,"homepage":"https://owasp.org/www-project-application-gateway/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/The-OAG-Development-Project.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2020-10-16T09:50:44.000Z","updated_at":"2025-06-19T07:06:29.000Z","dependencies_parsed_at":"2023-12-20T07:36:31.986Z","dependency_job_id":"44f8cf20-366a-4b5e-93ab-51e2357cd84a","html_url":"https://github.com/The-OAG-Development-Project/Application-Gateway","commit_stats":null,"previous_names":["the-oag-development-project/application-gateway"],"tags_count":20,"template":false,"template_full_name":null,"purl":"pkg:github/The-OAG-Development-Project/Application-Gateway","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/The-OAG-Development-Project%2FAp
plication-Gateway","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/The-OAG-Development-Project%2FApplication-Gateway/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/The-OAG-Development-Project%2FApplication-Gateway/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/The-OAG-Development-Project%2FApplication-Gateway/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/The-OAG-Development-Project","download_url":"https://codeload.github.com/The-OAG-Development-Project/Application-Gateway/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/The-OAG-Development-Project%2FApplication-Gateway/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":285511775,"owners_count":27184237,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-11-20T02:00:05.334Z","response_time":54,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["gateway","iam","reverse-proxy","security","spring-boot"],"created_at":"2025-11-16T03:00:36.817Z","updated_at":"2025-11-20T21:03:05.912Z","avatar_url":"https://github.com/The-OAG-Development-Project.png","language":"Java","funding_links":[],"categories":["API网关"],"sub_categories":[],"readme":"# OWASP Application Gateway\n\n[![OWASP 
Incubator](https://img.shields.io/badge/owasp-incubator-blue.svg)](https://owasp.org/www-project-application-gateway/)\n[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0)\n![GitHub release (latest by date including pre-releases)](https://img.shields.io/github/v/release/gianlucafrei/nellygateway)\n[CI/CD](https://github.com/The-OAG-Development-Project/Application-Gateway/actions?query=workflow%3ACI%2FCD)\n\n🏗️ **OWASP Application Gateway is work-in-progress. No productive version has been released yet.**\n\n\n\u003ca href=\"https://owasp.org/www-project-application-gateway/\"\u003e\u003cimg src=\"https://github.com/The-OAG-Development-Project/Application-Gateway/blob/main/doc/pictures/Banner.png\" width=\"500\" /\u003e\u003c/a\u003e\n\n\u003ca href=\"https://owasp.org/www-project-application-gateway/\"\u003e\u003cimg src=\"https://owasp.org/www-policy/branding-assets/OWASP-Combination-mark-r.png\" width=\"150\" /\u003e\u003c/a\u003e\n\nOWASP Application Gateway is an HTTP reverse proxy that sits between your web application and the client and handles Oauth2 login and session management. 
For you, as a developer, OWASP Application Gateway removes the hassle of implementing complicated Oauth2 logic in the backend and frontend so you can focus entirely on your application's logic.\n\n\u003cimg alt=\"Overview Picture\" src=\"https://github.com/The-OAG-Development-Project/Application-Gateway/blob/main/doc/OAG-Overrview.png?raw=true\" width=\"500\" /\u003e\n\n## Table of Contents\n\n- [OWASP Application Gateway](#owasp-application-gateway)\n  - [Table of Contents](#table-of-contents)\n  - [Design Principles](#design-principles)\n    - [Secure by default](#secure-by-default)\n    - [Stateless](#stateless)\n    - [Configuration based](#configuration-based)\n  - [Configuration File](#configuration-file)\n  - [How to run](#how-to-run)\n    - [Docker Release](#docker-release)\n    - [Jar release](#jar-release)\n    - [Compile it Yourself](#compile-it-yourself)\n  - [Functionality](#functionality)\n- [Mascot](#mascot)\n\n\n## Design Principles\n\n### Secure by default\n\nImplementing secure logins and session management has become much more complicated within the last few years. OWASP Application Gateway aims to make this easier. It also implements many security hardening measures out of the box.\n\n### Stateless\n\nWherever possible, OWASP Application Gateway is stateless. All session information is stored within encrypted cookies on the client. Stateless session management makes it a lot easier to deploy OWASP Application Gateway on multiple nodes.\n\n### Configuration based\n\nOWASP Application Gateway's behavior is controlled with a central configuration file describing all routes and Oauth2 integrations. This makes it easier to review the configuration for security issues and to debug in different environments. Deployment and scaling are straightforward; configure the config file's path, and that's all you need to do.\n\n## Configuration File\n\nOWASP Application Gateway is fully configured with a simple, easy-to-understand configuration file. 
Details are documented in the [GitHub doc](https://github.com/The-OAG-Development-Project/Application-Gateway/wiki).\n\n```yaml\nhostUri: https://example.com\n\nroutes:\n  httpbin:\n    type: webapplication\n    path: /**\n    url: https://httpbin.org\n    allowAnonymous: yes\n  echo:\n    type: webapplication\n    path: /echo/**\n    url: https://nellydemoapp.azurewebsites.net\n    allowAnonymous: no\n\nloginProviders:\n  google:\n    type: oidc\n    with:\n      authEndpoint: https://accounts.google.com/o/oauth2/auth\n      tokenEndpoint: https://oauth2.googleapis.com/token\n      clientId: 372143946338-48et57uhmcumku7am3ocvva0idc7u0td.apps.googleusercontent.com\n      clientSecret: env:GOOGLE_CLIENT_SECRET\n      scopes: [ \"openid\", \"email\" ]\n\n  github:\n    type: github\n    with:\n      authEndpoint: https://github.com/login/oauth/authorize\n      tokenEndpoint: https://github.com/login/oauth/access_token\n      clientId: 163ad3b08c3829216ba1\n      clientSecret: env:GITHUB_CLIENT_SECRET\n      scopes: [ \"user\", \"email\" ]\n\nsecurityProfiles:\n  webapplication:\n    responseHeaders:\n      Server: \u003c\u003cremove\u003e\u003e\n      X-Powered-By: \u003c\u003cremove\u003e\u003e\n      X-XSS-Protection: 1;mode=block;\n      X-Frame-Options: SAMEORIGIN\n      X-Content-Type-Options: nosniff\n      Referrer-Policy: strict-origin-when-cross-origin\n      Content-Security-Policy: base-uri 'self';object-src 'self'\n      Permissions-Policy: geolocation=(),notifications=(),push=(),microphone=(),camera=(),speaker=(),vibrate=(),fullscreen=(),payment=(),usb=(),magnetometer=(),gyroscope=(),accelerometer=()\n      Strict-Transport-Security: max-age=31536000; includeSubDomains\n\n\ntraceProfile:\n  forwardIncomingTrace: true\n  maxLengthIncomingTrace: 254\n  acceptAdditionalTraceInfo: false\n  maxLengthAdditionalTraceInfo: 254\n  sendTraceResponse: true\n  type: w3cTraceContext\n```\n\n## How to run\n\nYou have three options on how to run OWASP Application 
Gateway:\n* There is an official docker image that just works out of the box. You need to mount the config file via docker volumes.\n* If you don't want to use docker, you can also download the released jar file.\n* Of course you can also build OWASP Application Gateway by yourself with Maven.\n\nNote that in all cases this starts OAG with a self-signed certificate (so your browser will show a warning when connecting). It is recommended that you change the certificate as described in [Configure TLS](https://github.com/The-OAG-Development-Project/Application-Gateway/wiki/TLS-configuration-in-OAG).\n\n### Docker Release\n\nYou can find the Docker image at [Docker Hub](https://hub.docker.com/r/owasp/application-gateway/tags).\n\nDownload and Start:\n```bash\n# Download image of oag\ndocker pull owasp/application-gateway:main-SNAPSHOT\n\n# Download sample config and adapt it to your needs\ncurl https://raw.githubusercontent.com/The-OAG-Development-Project/Application-Gateway/refs/heads/main/oag/sample-config.yaml \u003e\u003e oag-config.yaml\nvim oag-config.yaml\n\n# Start the container\ndocker run -e OAG_CONFIG_PATH=/app/oag-config.yaml -v ${PWD}/oag-config.yaml:/app/oag-config.yaml owasp/application-gateway:main-SNAPSHOT\n```\n\n### Jar release\n\nPoint your browser to https://github.com/The-OAG-Development-Project/Application-Gateway/releases/latest and download the oag*.zip from the Assets section.\n\n```bash\nunzip oag*.zip\ncd build/app\njava -jar oag.jar\n```\n\n### Compile it Yourself\n\nThe easiest way is to use Docker to build OWASP Application Gateway.\n\n```bash\ngit clone https://github.com/The-OAG-Development-Project/Application-Gateway.git\ncd Application-Gateway\ndocker build -t owasp/application-gateway:SNAPSHOT .\ndocker run -p 8080:8080 owasp/application-gateway:SNAPSHOT\n```\n\nIf you don't want to use Docker, you can build the jar yourself with Maven:\n\n```bash\ngit clone 
https://github.com/The-OAG-Development-Project/Application-Gateway.git\ncd Application-Gateway\ncd oag\nmvn package -DskipTests\njava -jar target/oag-exec.jar\n```\n\nYou may also use your IDE for building OAG. Please see [Setup OAG for development](https://github.com/The-OAG-Development-Project/Application-Gateway/wiki/Setup-for-OAG-development) for instructions using IntelliJ as an example.\n\n## Functionality\n\n- [x] TLS endpoint\n- [x] OpenID Connect Login with multiple providers\n- [x] Multiple Backend routes\n- [x] Authenticated routes\n- [x] Request Logging\n- [x] Add and remove response headers\n- [x] Secure, HTTP-only and same-site session cookies\n- [x] Forward id token to backend\n- [x] Upstream authentication with API key\n- [x] GitHub Login support\n- [x] Method whitelisting\n- [x] CSRF protection\n- [x] Rolling sessions\n- [x] W3C compliant request tracing\n\n\nIdeas:\n\n- [ ] Header whitelisting\n- [ ] Report URI Endpoint\n- [ ] Default configuration\n- [ ] ...\n\n# Mascot\n\n\u003cimg alt=\"Picture of cute elephant holding OAG banner.\" src=\"https://raw.githubusercontent.com/The-OAG-Development-Project/Application-Gateway/main/doc/pictures/Mascot.svg\" width=\"500\" /\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FThe-OAG-Development-Project%2FApplication-Gateway","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FThe-OAG-Development-Project%2FApplication-Gateway","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FThe-OAG-Development-Project%2FApplication-Gateway/lists"}