WAF / Layer 7 Protection
External-facing API endpoints must have some sort of web application firewall / Layer 7 security mechanism in place. External endpoints are those invoked by end users. This doesn't include cloud-native services (e.g., calling the cloud's object storage or the cloud's APIs). This does not include data platform APIs that are strictly internal (if such things exist).
- Shell requires this