
Write One-Pager PRD for Harden API Gateway
Closed, Resolved (Public)

Description

Background/Goal

T326697: Harden API Gateway in preparation for RESTbase deprecation service migration needs a framing strategy to provide guidance for the efforts.

Key Tasks/Dependencies

Related Objects

Event Timeline

Review and prioritize the currently known tasks required for RESTbase deprecation:
T326321: API Gateway: add security headers
T326320: MW REST: add security headers
T326326: Re-evaluate security header rules for API responses
T326324: Node services should share code and configuration for security headers
T325827: AQS 2.0 Response Headers - resolve differences with production
T308424: Determine http cache control and active purging for REST endpoints serving parsoid output

"Regarding the AQS headers task, at least, my feeling is that it is less critical to have an implemented solution in a huge hurry, but that it would be helpful to identify what each layer is going to be responsible for. That would give us the freedom to plan/schedule work for whatever ends up at the service/scaffolding layer."

"restbase enforces specific security headers for html/svg content (that affects parsoid, PCS, and mathoid), other security headers for non-html/svg content and common headers for every endpoint. Ideally, the apps shouldn’t care about these (api gateway should take care of it?) and specific configurations that need to override default security headers should be centralized in the deployment-charts repo."
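The layering the comment above describes (common headers for every endpoint, a stricter set for html/svg, a lighter set for everything else, centralized per-endpoint overrides) as an added example of what a gateway-side policy could look like; this is not code from RESTbase, the API Gateway or deployment-charts, and the header values, the `/example-endpoint/` route and the override table are assumed for illustration.

```python
# Added illustration: one place that decides which security headers a response
# gets, so individual apps (parsoid, PCS, mathoid) do not have to.
# Header values below are assumptions, not restbase's or the gateway's real rules.
from typing import Dict, Optional

# Headers applied to every endpoint regardless of content (assumed values).
COMMON_HEADERS = {
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
}

# Markup a browser would render gets a restrictive CSP (assumed values).
HTML_SVG_HEADERS = {
    "Content-Security-Policy": "default-src 'none'; img-src data:; style-src 'unsafe-inline'",
}

# Non-renderable payloads (JSON etc.) only get a sandboxing CSP (assumed values).
OTHER_HEADERS = {
    "Content-Security-Policy": "default-src 'none'; sandbox",
}

# Centralized overrides keyed by route prefix, standing in for the per-service
# configuration the comment says should live in deployment-charts (constructed).
OVERRIDES: Dict[str, Dict[str, str]] = {
    "/example-endpoint/": {"Content-Security-Policy": "default-src 'none'; img-src *"},
}

def is_html_or_svg(content_type: Optional[str]) -> bool:
    """True for content types restbase treats as html/svg (parameters ignored)."""
    if not content_type:
        return False
    mime = content_type.split(";", 1)[0].strip().lower()
    return mime in ("text/html", "application/xhtml+xml", "image/svg+xml")

def security_headers(path: str, content_type: Optional[str]) -> Dict[str, str]:
    """Headers the gateway layer adds, given the request path and upstream content type."""
    headers = dict(COMMON_HEADERS)
    headers.update(HTML_SVG_HEADERS if is_html_or_svg(content_type) else OTHER_HEADERS)
    # Longest matching route prefix wins, so a specific endpoint can replace a default.
    for prefix in sorted(OVERRIDES, key=len, reverse=True):
        if path.startswith(prefix):
            headers.update(OVERRIDES[prefix])
            break
    return headers
```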

T324200: Handle edge cache invalidation for the api gateway

T324231: Add monitoring of API endpoints for API gateway