{"id":4848,"date":"2026-02-09T13:44:44","date_gmt":"2026-02-09T10:44:44","guid":{"rendered":"https:\/\/www.dchost.com\/blog\/api-guvenligi-icin-hosting-mimarisi-jwt-cors-rate-limiting-ve-waf\/"},"modified":"2026-02-09T13:44:44","modified_gmt":"2026-02-09T10:44:44","slug":"api-guvenligi-icin-hosting-mimarisi-jwt-cors-rate-limiting-ve-waf","status":"publish","type":"post","link":"https:\/\/www.dchost.com\/blog\/api-guvenligi-icin-hosting-mimarisi-jwt-cors-rate-limiting-ve-waf\/","title":{"rendered":"Hosting Architecture for API Security: JWT, CORS, Rate Limiting and WAF"},"content":{"rendered":"<div class=\"dchost-blog-content-wrapper\"><div id=\"toc_container\" class=\"toc_transparent no_bullets\"><p class=\"toc_title\">Contents<\/p><ul class=\"toc_list\"><li><a href=\"#API_Guvenligi_Icin_Dogru_Hosting_Mimarisi_Neden_Kritik\"><span class=\"toc_number toc_depth_1\">1<\/span> Why the Right Hosting Architecture Is Critical for API Security<\/a><\/li><li><a href=\"#Mimari_Temel_API_Sunucusu_Reverse_Proxy_WAF_ve_Ag_Segmentasyonu\"><span class=\"toc_number toc_depth_1\">2<\/span> Architectural Foundation: API Server, Reverse Proxy, WAF and Network Segmentation<\/a><ul><li><a href=\"#TLS_Zorunlulugu_ve_HTTP_Guvenlik_Basliklari\"><span class=\"toc_number toc_depth_2\">2.1<\/span> Mandatory TLS and HTTP Security Headers<\/a><\/li><\/ul><\/li><li><a href=\"#Kimlik_Dogrulama_ve_Yetkilendirme_Katmani_JWT_Tasarimini_Dogru_Kurmak\"><span class=\"toc_number toc_depth_1\">3<\/span> Authentication and Authorization Layer: Getting the JWT Design Right<\/a><ul><li><a href=\"#JWT_Yapisi_Hangi_Alanlar_Hangi_Sureler\"><span class=\"toc_number toc_depth_2\">3.1<\/span> JWT Structure: Which Claims, Which Lifetimes?<\/a><\/li><li><a href=\"#Access_Token_Refresh_Token_Ayrimi\"><span class=\"toc_number toc_depth_2\">3.2<\/span> Access Token vs. Refresh Token<\/a><\/li><li><a href=\"#JWT_Anahtar_Yonetimi_ve_Rotasyon\"><span class=\"toc_number toc_depth_2\">3.3<\/span> JWT Key Management and Rotation<\/a><\/li><\/ul><\/li><li><a href=\"#CORS_Mimarisi_Frontend_API_ve_Domain_Stratejisi\"><span class=\"toc_number toc_depth_1\">4<\/span> CORS Architecture: Frontend, API and Domain Strategy<\/a><ul><li><a href=\"#Domain_ve_Origin_Stratejisi\"><span class=\"toc_number toc_depth_2\">4.1<\/span> Domain and Origin Strategy<\/a><\/li><li><a href=\"#CORS_Icin_Guvenli_Varsayilanlar\"><span class=\"toc_number toc_depth_2\">4.2<\/span> Safe Defaults for CORS<\/a><\/li><\/ul><\/li><li><a href=\"#Rate_Limiting_APIyi_Hem_Guvenli_Hem_Kullanilabilir_Tutmak\"><span class=\"toc_number toc_depth_1\">5<\/span> Rate Limiting: Keeping the API Both Secure and Usable<\/a><ul><li><a href=\"#Temel_Tasarim_Kararlari_Neye_Gore_Limit\"><span class=\"toc_number toc_depth_2\">5.1<\/span> Basic Design Decisions: Limit by What?<\/a><\/li><li><a href=\"#Nginx_ve_Redis_ile_Rate_Limiting_Ornegi\"><span class=\"toc_number toc_depth_2\">5.2<\/span> Rate Limiting Example with Nginx and Redis<\/a><\/li><li><a href=\"#Rate_Limit_Yanitlari_ve_Gelistirici_Deneyimi\"><span class=\"toc_number toc_depth_2\">5.3<\/span> Rate Limit Responses and Developer Experience<\/a><\/li><\/ul><\/li><li><a href=\"#WAF_Kurallari_OWASP_CRSten_Is_Kurallarina\"><span class=\"toc_number toc_depth_1\">6<\/span> WAF Rules: From OWASP CRS to Business Rules<\/a><ul><li><a href=\"#Temel_WAF_Stratejisi\"><span class=\"toc_number toc_depth_2\">6.1<\/span> Basic WAF Strategy<\/a><\/li><li><a href=\"#API_Ozelinde_WAF_Kurallari\"><span class=\"toc_number toc_depth_2\">6.2<\/span> API-Specific WAF Rules<\/a><\/li><\/ul><\/li><li><a href=\"#Loglama_Izleme_ve_Olay_Mudahalesi\"><span class=\"toc_number toc_depth_1\">7<\/span> Logging, Monitoring and Incident Response<\/a><\/li><li><a href=\"#DCHost_Uzerinde_Ornek_API_Hosting_Mimarileri\"><span class=\"toc_number toc_depth_1\">8<\/span> Example API Hosting Architectures on DCHost<\/a><ul><li><a href=\"#Senaryo_1_Kucuk_SaaS_veya_Mobil_Backend_icin_Tek_VPS_Mimarisi\"><span class=\"toc_number toc_depth_2\">8.1<\/span> Scenario 1: Single-VPS Architecture for a Small SaaS or Mobile Backend<\/a><\/li><li><a href=\"#Senaryo_2_Orta_Olcekli_API_icin_WAF_CDN_Coklu_VPS\"><span class=\"toc_number toc_depth_2\">8.2<\/span> Scenario 2: WAF + CDN + Multiple VPSs for a Mid-Sized API<\/a><\/li><\/ul><\/li><li><a href=\"#Ozet_ve_Yol_Haritasi_Nereden_Baslamali\"><span class=\"toc_number toc_depth_1\">9<\/span> Summary and Roadmap: Where to Start?<\/a><\/li><\/ul><\/div>\n<h2><span id=\"API_Guvenligi_Icin_Dogru_Hosting_Mimarisi_Neden_Kritik\">Why the Right Hosting Architecture Is Critical for API Security<\/span><\/h2>\n<p>Most teams focused on API development spend their first sprints on business rules and the data model; security and the hosting architecture usually land in the \u201cwe will sort it out later\u201d folder. What we see in the field says the opposite: when you design API security, your hosting architecture is at least as decisive as your code. Even if you authenticate with JWT and write your CORS rules properly, weak network segmentation, missing rate limiting or a badly tuned WAF can undo all of that effort.<\/p>\n<p>Especially in SaaS, mobile-backend and third-party-integration projects, your APIs become the main door from your company's infrastructure to the outside world. 
That door has to be designed not only in application code but jointly at the level of <strong>hosting architecture, network layer, reverse proxy, WAF, rate limiting and logging<\/strong>. At DCHost we have designed many such architectures with API-focused projects, from simple setups on a single <a href=\"https:\/\/www.dchost.com\/tr\/vps\">VPS<\/a> to multi-region structures with WAF and CDN layers. This article is a practical, step-by-step guide to what actually works in the field: from JWT design to CORS architecture, from Nginx-based rate limiting to fine-tuning WAF rules.<\/p>\n<p>Our aim is to leave you a clear roadmap for an API hosting architecture that your development team can adopt easily while keeping the balance between security and performance.<\/p>\n<h2><span id=\"Mimari_Temel_API_Sunucusu_Reverse_Proxy_WAF_ve_Ag_Segmentasyonu\">Architectural Foundation: API Server, Reverse Proxy, WAF and Network Segmentation<\/span><\/h2>\n<p>For solid API security, first clarify the layers on the hosting side. 
Even in a simple project we recommend separating at least these components:<\/p>\n<ul>\n<li>Internet layer (the external network users arrive from)<\/li>\n<li>Reverse proxy \/ API gateway layer (Nginx, HAProxy etc.)<\/li>\n<li>Application layer (Node.js, Laravel, .NET API servers)<\/li>\n<li>Database and cache (MySQL\/PostgreSQL, Redis etc.)<\/li>\n<li>Optional WAF and CDN layer<\/li>\n<\/ul>\n<p>Whether these layers live on the <strong>same VPS<\/strong> depends on the scale of your project, but the logical separation should be settled at design time. Even in small projects, at a minimum:<\/p>\n<ul>\n<li>position Nginx as the <strong>reverse proxy<\/strong> layer,<\/li>\n<li>run the application on a separate port bound to loopback (e.g. 127.0.0.1:3000), so it is never reachable directly from outside,<\/li>\n<li>expose the database only on the local network or a private network, never to the outside world<\/li>\n<\/ul>\n<p>Simple steps like these already narrow the attack surface considerably.<\/p>\n<p>On the network-access side, carry the principles we detailed in <a href=\"https:\/\/www.dchost.com\/blog\/zero-trust-ile-hosting-ve-sunucu-erisimini-guvenceye-almak\/\">our guide on applying Zero Trust to hosting and server access<\/a> over to the API architecture: treat every request as suspect until proven otherwise, and authorize and log even server-to-server traffic wherever possible.<\/p>\n<h3><span id=\"TLS_Zorunlulugu_ve_HTTP_Guvenlik_Basliklari\">Mandatory TLS and HTTP Security Headers<\/span><\/h3>\n<p>For APIs, <strong>HTTPS must always be mandatory<\/strong>; not only for external users but also for mobile apps, third-party integrations and even internal panels. Disabling everything below TLS 1.2 and enabling modern cipher suites is no longer a luxury but a minimum requirement. Add the right HTTP headers on top (HSTS, X-Content-Type-Options, Referrer-Policy, X-Frame-Options etc.) and the attack surface shrinks further. For a pure JSON API the HTML-oriented headers matter less; what matters most is HSTS, <code>X-Content-Type-Options: nosniff<\/code> and <code>Cache-Control: no-store<\/code> on authenticated responses, so that a shared cache never serves one user's data to another.<\/p>\n<p>For details on how these headers apply to APIs and how far to tighten them in each environment, we strongly recommend reviewing <a href=\"https:\/\/www.dchost.com\/blog\/http-guvenlik-basliklari-rehberi-hsts-csp-ve-digerlerini-ne-zaman-nasil-uygulamalisin\/\">our HTTP security headers guide<\/a>.<\/p>\n<h2><span id=\"Kimlik_Dogrulama_ve_Yetkilendirme_Katmani_JWT_Tasarimini_Dogru_Kurmak\">Authentication and Authorization Layer: Getting the JWT Design Right<\/span><\/h2>\n<p>In API security, JWT is the first mechanism most teams reach for. The most common problems we see in the field, however, concern <strong>how the JWT is signed, where it is stored and which claims it carries<\/strong>. 
You should design your JWT strategy together with your hosting architecture.<\/p>\n<h3><span id=\"JWT_Yapisi_Hangi_Alanlar_Hangi_Sureler\">JWT Structure: Which Claims, Which Lifetimes?<\/span><\/h3>\n<p>A typical access token needs at least these claims designed deliberately:<\/p>\n<ul>\n<li><strong>sub<\/strong>: the user ID (preferably an internal, unguessable identifier)<\/li>\n<li><strong>iss<\/strong>: the service or domain that issued the token<\/li>\n<li><strong>aud<\/strong>: the target API or service name (critical in multi-tenant architectures)<\/li>\n<li><strong>exp<\/strong>: expiry time (keep it short; 5 to 30 minutes is a practical range)<\/li>\n<li><strong>iat<\/strong>: issue time<\/li>\n<li>roles or permission sets (role, scope etc.), plus a <strong>jti<\/strong> token ID if you intend to revoke individual tokens<\/li>\n<\/ul>\n<p>On the verifier side, pin the signing algorithm in configuration instead of reading it from the token's <code>alg<\/code> header; letting the token choose the primitive is how <code>alg: none<\/code> and HMAC\/RSA confusion attacks work.<\/p>\n<p>On the hosting side, validating these claims <strong>at the reverse proxy layer<\/strong> is a big advantage. 
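<\/p>\n<p>What that gateway-side check looks like in code, as an added example that is not DCHost's code and not part of the original article: a minimal HS256 verifier that pins the algorithm, selects the key by <code>kid<\/code> from a fixed key ring, checks <code>iss<\/code>, <code>aud<\/code> and <code>exp<\/code>, and consults a deny list before anything reaches the application. The issuer and audience names, the key ring, the denied subject and the 15-minute lifetime are all assumptions made for the example; in production the keys come from your secrets store and the deny list from a shared cache such as Redis.<\/p>\n<pre>
```python
# Added example (not DCHost's code): gateway-side JWT verification with a
# pinned algorithm, kid-based key selection, claim checks and a deny list.
import base64
import hashlib
import hmac
import json

ISSUER = 'https://auth.ornek.com'     # assumed issuer
AUDIENCE = 'api.ornek.com'            # assumed audience
ACCESS_TTL = 15 * 60                  # 15 minutes, inside the 5 to 30 minute range

# Key ring: several keys verify during a rotation window, exactly one signs.
# These secrets are constructed for the example; real ones live in a secrets store.
KEYS = {
    'k2024-01': b'old-secret-only-verified-now',
    'k2024-02': b'new-secret-used-for-signing',
}
SIGNING_KID = 'k2024-02'

# Subjects whose tokens are rejected even with a valid signature (blocked
# accounts, stolen devices). In production this set is read from a shared cache.
DENY_LIST = {'user-9f3a'}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode('ascii')


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + '=' * (-len(text) % 4))


def issue_access_token(sub: str, scope: str, now: int, kid: str = SIGNING_KID) -> str:
    '''Issue an HS256 access token carrying the claims the article lists.'''
    header = {'alg': 'HS256', 'typ': 'JWT', 'kid': kid}
    claims = {'iss': ISSUER, 'aud': AUDIENCE, 'sub': sub, 'scope': scope,
              'iat': now, 'exp': now + ACCESS_TTL}
    signing_input = '.'.join(
        b64url_encode(json.dumps(part, separators=(',', ':')).encode())
        for part in (header, claims))
    sig = hmac.new(KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + '.' + b64url_encode(sig)


def verify_access_token(token: str, now: int) -> tuple:
    '''Return (status, claims_or_reason); status is 200, 401 or 403.'''
    try:
        h64, c64, s64 = token.split('.')
        header = json.loads(b64url_decode(h64))
        claims = json.loads(b64url_decode(c64))
        signature = b64url_decode(s64)
    except ValueError:                 # wrong part count, bad base64 or bad JSON
        return 401, 'malformed token'
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return 401, 'malformed token'
    # Pin the algorithm instead of trusting the header: this is what blocks
    # alg=none and HMAC/RSA confusion, whatever the token claims.
    if header.get('alg') != 'HS256':
        return 401, 'unexpected alg'
    key = KEYS.get(header.get('kid'))  # kid selects from the fixed ring only
    if key is None:
        return 401, 'unknown kid'
    expected = hmac.new(key, (h64 + '.' + c64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return 401, 'bad signature'
    if claims.get('iss') != ISSUER or claims.get('aud') != AUDIENCE:
        return 401, 'wrong issuer or audience'
    if not isinstance(claims.get('exp'), int) or now >= claims['exp']:
        return 401, 'expired'
    if claims.get('sub') in DENY_LIST:
        return 403, 'subject denied'
    return 200, claims


def rotate_out(kid: str) -> None:
    '''End of the rotation window: drop the old key so its tokens stop verifying.'''
    KEYS.pop(kid, None)
```
<\/pre>\n<p>Because the verifier never takes the algorithm from the token header, an <code>alg: none<\/code> token or one signed with a different primitive fails at the first check, and an unknown <code>kid<\/code> fails before any cryptography runs. Keeping several keys in the ring while signing with only one is exactly the rotation window described in the key management section below: add the new key to the ring on every verifier, switch the issuer to it, then call <code>rotate_out<\/code> for the old <code>kid<\/code> once the longest-lived token it signed has expired.<\/p>\n<p>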
For example, with Nginx or an API gateway you can:<\/p>\n<ul>\n<li>check the token's signature and expiry,<\/li>\n<li>keep a central <strong>deny list<\/strong> for blocked or revoked users,<\/li>\n<li>return 401\/403 without ever forwarding the request to the application layer.<\/li>\n<\/ul>\n<p>One caveat: open-source Nginx does not verify JWT signatures on its own. The <code>auth_jwt<\/code> module is NGINX Plus only; on the open-source build you need njs or Lua (OpenResty), or <code>auth_request<\/code> pointed at a small internal auth service that performs the check.<\/p>\n<h3><span id=\"Access_Token_Refresh_Token_Ayrimi\">Access Token vs. Refresh Token<\/span><\/h3>\n<p>A secure architecture keeps access and refresh tokens clearly separated:<\/p>\n<ul>\n<li><strong>Access token<\/strong>: short-lived, used for API calls, sent with every request.<\/li>\n<li><strong>Refresh token<\/strong>: much longer-lived, used only to obtain a new access token, called rarely.<\/li>\n<\/ul>\n<p>Our recommended approach on the hosting side:<\/p>\n<ul>\n<li>carry access tokens in the <strong>Authorization: Bearer<\/strong> header,<\/li>\n<li>keep the refresh token in an <strong>HttpOnly, Secure, SameSite<\/strong> cookie,<\/li>\n<li>define <strong>separate rate limiting and WAF rules<\/strong> for the refresh endpoint (detailed below).<\/li>\n<\/ul>\n<p>This way, if an access token leaks, its short lifetime limits the damage, and because the refresh token cannot be read from browser JavaScript the XSS exposure is reduced. A cookie is sent by the browser automatically, though, so the refresh endpoint needs CSRF protection (SameSite=Strict or Lax plus an Origin check), and rotating the refresh token on every use with reuse detection limits the damage if one is stolen.<\/p>\n<h3><span id=\"JWT_Anahtar_Yonetimi_ve_Rotasyon\">JWT Key Management and Rotation<\/span><\/h3>\n<p>The secret key(s) that sign the JWT are very often the weakest link. In our audits we keep finding:<\/p>\n<ul>\n<li>the key embedded in the code<\/li>\n<li>.env files pushed to the repository<\/li>\n<li>the same signing key used in production and test<\/li>\n<\/ul>\n<p>On your DCHost VPS or <a href=\"https:\/\/www.dchost.com\/tr\/fiziksel-sunucu\">dedicated servers<\/a>, we recommend keeping JWT signing keys in a <strong>separate secrets mechanism<\/strong> (for example files readable only by the application's service account, an encrypted vault solution, or environment variables injected by CI\/CD). When planning key rotation:<\/p>\n<ul>\n<li>assign a <strong>key id (kid)<\/strong> to every key,<\/li>\n<li>generate the new key and update the verifiers first,<\/li>\n<li>for a transition period, accept tokens signed with both the old and the new key,<\/li>\n<li>disable the old key at the end of the transition period.<\/li>\n<\/ul>\n<p>The <code>kid<\/code> must only select from the key set you configured; never let a token header (<code>kid<\/code>, <code>jku<\/code>, <code>x5u<\/code>) point the verifier at a file path or URL.<\/p>\n<h2><span id=\"CORS_Mimarisi_Frontend_API_ve_Domain_Stratejisi\">CORS Architecture: Frontend, API and Domain Strategy<\/span><\/h2>\n<p>CORS may look like \u201cthat annoying error from the browser\u201d to many teams, but it is in fact an important security layer that <strong>shapes the frontend, API and domain architecture<\/strong>. 
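<\/p>\n<p>Before going through the domain and header choices below, here is the origin check itself, as an added example that is not DCHost's code and not from the original article. It models the decision a reverse proxy or gateway makes on each request: an exact-match allow-list with no wildcard, preflights answered at the edge, credentials only when explicitly enabled, and <code>Vary: Origin<\/code> so that caches never serve one origin's response to another. The origins, methods and headers are assumptions for the example; in a white-label SaaS the allow-list would be loaded from configuration or the database, with the same exact matching.<\/p>\n<pre>
```python
# Added example (not DCHost's code): the CORS decision a reverse proxy or API
# gateway makes per request, with an explicit origin allow-list and no wildcard.
ALLOWED_ORIGINS = {                 # assumed origins for the example
    'https://app.ornek.com',
    'https://staging-app.ornek.com',
}
ALLOWED_METHODS = ('GET', 'POST', 'PUT', 'DELETE')
ALLOWED_HEADERS = ('content-type', 'authorization')
PREFLIGHT_MAX_AGE = 3600            # seconds; browsers cap this value themselves
ALLOW_CREDENTIALS = False           # True only for cookie or HTTP-auth flows


def cors_response(method: str, headers: dict) -> tuple:
    '''Return (status, response_headers).

    204: preflight answered here, do not forward to the application.
    0:   forward to the application, adding these headers to its response.
    403: preflight from an origin, method or header outside the allow-list.
    '''
    req = {k.lower(): v for k, v in headers.items()}
    origin = req.get('origin')
    if origin is None:
        return 0, {}                # same-origin or non-browser client, nothing to add
    # Exact match only: a prefix check would accept app.ornek.com.evil.example,
    # and reflecting any Origin would be a wildcard that even works with credentials.
    allowed = origin in ALLOWED_ORIGINS
    out = {'Access-Control-Allow-Origin': origin, 'Vary': 'Origin'}
    if ALLOW_CREDENTIALS:
        # The header is either exactly true or absent; with it, * is rejected.
        out['Access-Control-Allow-Credentials'] = 'true'
    is_preflight = method == 'OPTIONS' and 'access-control-request-method' in req
    if is_preflight:
        wanted_method = req['access-control-request-method']
        wanted_headers = [h.strip().lower()
                          for h in req.get('access-control-request-headers', '').split(',')
                          if h.strip()]
        if not allowed or wanted_method not in ALLOWED_METHODS:
            return 403, {}
        if any(h not in ALLOWED_HEADERS for h in wanted_headers):
            return 403, {}
        out['Access-Control-Allow-Methods'] = ', '.join(ALLOWED_METHODS)
        out['Access-Control-Allow-Headers'] = ', '.join(ALLOWED_HEADERS)
        out['Access-Control-Max-Age'] = str(PREFLIGHT_MAX_AGE)
        return 204, out
    if not allowed:
        return 0, {}                # forward without CORS headers; the browser blocks the read
    return 0, out
```
<\/pre>\n<p>Note what the exact match rejects: <code>https:\/\/app.ornek.com.evil.example<\/code> (a prefix or substring match would accept it), the <code>null<\/code> origin that sandboxed iframes and some redirects produce, and any preflight asking for a method or header outside the list. CORS only restricts what browser scripts may read; it is not access control for the API itself, so a non-browser client such as curl is unaffected by any of this and still needs the JWT checks above.<\/p>\n<p>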
Especially in the SPA (React, Vue, Angular) plus separate API backend model, getting the CORS strategy right from the start pays off in both security and developer experience. Keep in mind what CORS does and does not do: it controls what scripts running in a browser may read across origins; it is not access control for the API itself, and a non-browser client ignores it entirely.<\/p>\n<h3><span id=\"Domain_ve_Origin_Stratejisi\">Domain and Origin Strategy<\/span><\/h3>\n<p>The smoothest scenario is for the frontend and the API to live under the <strong>same root domain<\/strong>, or at least to follow a predictable pattern. For example:<\/p>\n<ul>\n<li>Frontend: <code>app.ornek.com<\/code><\/li>\n<li>API: <code>api.ornek.com<\/code><\/li>\n<\/ul>\n<p>In such setups you can add <strong>only specific subdomains<\/strong> to the CORS <code>Access-Control-Allow-Origin<\/code> header via Nginx or an API gateway and avoid the wildcard (<code>*<\/code>). In multi-domain, multi-language or white-label SaaS scenarios, a layer that <strong>generates the allowed-origin list dynamically from the database or a configuration file<\/strong> is healthier. Whatever the source of the list, match origins exactly (scheme, host and port) and never reflect the request's Origin header unconditionally; a reflected origin is a wildcard that also works with credentials, which the real wildcard does not.<\/p>\n<p>If you want to know what hosting the frontend and the API under the same domain requires on the SSL and routing side, see <a href=\"https:\/\/www.dchost.com\/blog\/react-vue-ve-angular-single-page-applicationlari-ayni-alan-adinda-api-ile-host-etmek-nginx-yonlendirme-ve-ssl-mimarisi\/\">our detailed Nginx and SSL guide to hosting a SPA and its API under the same domain<\/a>.<\/p>\n<h3><span id=\"CORS_Icin_Guvenli_Varsayilanlar\">Safe Defaults for CORS<\/span><\/h3>\n<p>When applying CORS rules on Nginx or an API gateway on the hosting side, we recommend these principles:<\/p>\n<ul>\n<li><strong>Allow-Origin<\/strong>: list explicitly only the origins you really need (production, staging etc.), and send <code>Vary: Origin<\/code> alongside it so caches keep responses for different origins apart.<\/li>\n<li><strong>Allow-Methods<\/strong>: allow only the HTTP methods you actually use (GET, POST, PUT, DELETE&#8230;). The browser sends the OPTIONS preflight on its own; your proxy has to answer it, but OPTIONS does not belong in this list.<\/li>\n<li><strong>Allow-Headers<\/strong>: keep to the headers that are really required, such as <code>Content-Type<\/code> and <code>Authorization<\/code>.<\/li>\n<li><strong>Allow-Credentials<\/strong>: set it to <code>true<\/code> only if you must carry cookies or HTTP auth; otherwise omit the header entirely (<code>true<\/code> is its only valid value, and once it is present browsers reject a wildcard origin).<\/li>\n<li><strong>Max-Age<\/strong>: to reduce preflight requests, set a reasonable value (for example 3600 s); browsers cap it anyway, Chromium at two hours and Firefox at 24 hours.<\/li>\n<\/ul>\n<p>Setting all of these at the Nginx level simplifies your application code and keeps behaviour consistent across language and framework combinations. It also gives you more deterministic behaviour together with the WAF and rate-limiting rules. One Nginx detail worth remembering: <code>add_header<\/code> directives are inherited from the enclosing block only if the current block has none of its own, so a <code>location<\/code> that adds one header silently drops the CORS headers set at <code>server<\/code> level.<\/p>\n<h2><span id=\"Rate_Limiting_APIyi_Hem_Guvenli_Hem_Kullanilabilir_Tutmak\">Rate Limiting: Keeping the API Both Secure and Usable<\/span><\/h2>\n<p>Rate limiting is critical not only for stopping DDoS or brute-force attacks, but also for ensuring <strong>fair resource use per customer<\/strong> in SaaS projects. Badly designed limits block attackers on one hand but can also wrongly lock out real users on the other.<\/p>\n<h3><span id=\"Temel_Tasarim_Kararlari_Neye_Gore_Limit\">Basic Design Decisions: Limit by What?<\/span><\/h3>\n<p>First decide what you are limiting. The most common patterns:<\/p>\n<ul>\n<li><strong>IP-based limit<\/strong>: simple and ideal as the first line of defence, but it causes trouble when many users sit behind one NAT address.<\/li>\n<li><strong>User ID \/ API key based limit<\/strong>: the healthiest approach for SaaS; the per-user limit holds even when the IP changes.<\/li>\n<li><strong>Endpoint-based limit<\/strong>: heavy or sensitive endpoints such as login, password reset, token refresh and critical reports need their own limits.<\/li>\n<\/ul>\n<p>An example architectural approach:<\/p>\n<ul>\n<li>a global IP plus user based limit for general API traffic (e.g. 1000 requests \/ 5 minutes),<\/li>\n<li>much stricter limits for endpoints such as <code>\/auth\/login<\/code>, <code>\/auth\/refresh<\/code> and <code>\/password\/reset<\/code> (e.g. 5 to 10 requests \/ minute),<\/li>\n<li>separate, lower limits for reporting or heavy queries (e.g. <code>\/reports\/*<\/code>).<\/li>\n<\/ul>\n<p>Behind a CDN or load balancer, the limit must be keyed on the real client address: restore it with Nginx's <code>real_ip_header<\/code> and a <code>set_real_ip_from<\/code> list restricted to the CDN's published ranges. Otherwise every request appears to come from the CDN's IPs and a single limit is shared by all your users.<\/p>\n<h3><span id=\"Nginx_ve_Redis_ile_Rate_Limiting_Ornegi\">Rate Limiting Example with Nginx and Redis<\/span><\/h3>\n<p>A practical solution on your DCHost VPS or dedicated servers is Nginx's <code>limit_req<\/code> directives. In small and mid-sized projects Nginx's in-memory limits are usually enough; in more advanced scenarios you can combine them with a Redis-based counter. The shared-memory zone behind <code>limit_req_zone<\/code> belongs to one Nginx instance, so with several API nodes each node enforces its own copy of the limit unless the counters are centralised in Redis.<\/p>\n<p>For a deeper design, see <a href=\"https:\/\/www.dchost.com\/blog\/api-ve-mikroservisler-icin-rate-limiting-stratejileri-nginx-cloudflare-ve-redis-ile-trafik-kontrolu\/\">our guide on rate limiting strategies for APIs and microservices<\/a>, where we examine the different windows (fixed window, sliding window), burst definitions and Nginx plus Redis examples in detail.<\/p>\n<h3><span id=\"Rate_Limit_Yanitlari_ve_Gelistirici_Deneyimi\">Rate Limit Responses and Developer Experience<\/span><\/h3>\n<p>Rate limiting is not only a security measure but also <strong>part of the API design<\/strong>. For a good experience:<\/p>\n<ul>\n<li>always return <strong>429 Too Many Requests<\/strong> when a limit is exceeded,<\/li>\n<li>include a <code>Retry-After<\/code> header stating when the client may try again,<\/li>\n<li>document the limits per user or plan clearly.<\/li>\n<\/ul>\n<p>All of these can be applied at the reverse proxy \/ API gateway layer. 
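<\/p>\n<p>Here is that gateway-layer contract end to end, as an added example that is not DCHost's code and not part of the original article: a sliding-window limiter keyed on a stable client identity (user, API key, or the IP as fallback) and on an endpoint class, which returns 429 with a computed <code>Retry-After<\/code> once the window is full. The policies reuse the article's illustrative numbers (10 per minute for auth endpoints, 1000 per 5 minutes by default); the reports limit and the path patterns are assumptions. Counters live in process dictionaries so the example runs stand-alone; across several API nodes the same logic runs against Redis.<\/p>\n<pre>
```python
# Added example (not DCHost's code): endpoint-aware sliding-window rate limiting
# with the 429 / Retry-After contract. Counters are in-process dicts so the
# example runs stand-alone; across several API nodes the same logic runs on Redis.
from collections import deque

# (max requests, window seconds) per endpoint class. The auth and default values
# are the article's illustrative numbers; the reports value is an assumption.
POLICIES = {
    'auth':    (10, 60),      # /auth/login, /auth/refresh, /password/reset
    'reports': (30, 300),     # /reports/*
    'default': (1000, 300),   # everything else
}


def endpoint_class(path: str) -> str:
    if path.startswith(('/auth/login', '/auth/refresh', '/password/reset')):
        return 'auth'
    if path.startswith('/reports/'):
        return 'reports'
    return 'default'


def client_key(user_id, api_key, client_ip) -> str:
    '''Prefer a stable identity over the IP; anonymous calls fall back to the IP.'''
    if user_id:
        return 'user:' + user_id
    if api_key:
        return 'key:' + api_key
    return 'ip:' + client_ip


class SlidingWindowLimiter:
    '''Sliding-window log: one timestamp per accepted request, per (key, class).'''

    def __init__(self):
        self._hits = {}

    def check(self, key: str, path: str, now: float) -> tuple:
        '''Return (status, headers): 200 to allow, 429 to reject.'''
        cls = endpoint_class(path)
        limit, window = POLICIES[cls]
        q = self._hits.setdefault((key, cls), deque())
        while q and q[0] <= now - window:
            q.popleft()                           # forget hits outside the window
        if len(q) >= limit:
            # The oldest hit still inside the window decides when a slot frees up.
            retry_after = int(q[0] + window - now) + 1
            return 429, {'Retry-After': str(retry_after),
                         'X-RateLimit-Limit': str(limit),
                         'X-RateLimit-Remaining': '0'}
        q.append(now)
        return 200, {'X-RateLimit-Limit': str(limit),
                     'X-RateLimit-Remaining': str(limit - len(q))}
```
<\/pre>\n<p>A sliding window avoids the boundary burst a fixed window allows (a full quota just before and another just after the minute rolls over). For login and password reset there is no authenticated user yet, so the key falls back to the IP; behind a CDN that only works if Nginx has restored the real client address as described above. Rejected requests get the same identity key and class, so a client that keeps hammering after a 429 does not extend its own penalty, which is what you want for a developer who simply retries too early.<\/p>\n<p>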
That way the application code never sees limit violations and only deals with requests that concern business logic.<\/p>\n<h2><span id=\"WAF_Kurallari_OWASP_CRSten_Is_Kurallarina\">WAF Rules: From OWASP CRS to Business Rules<\/span><\/h2>\n<p>A Web Application Firewall (WAF), configured correctly, works almost like a <strong>second security team<\/strong> for your APIs. Configured badly, it becomes a headache in which you spend hours working out why you are getting 403s. The key point is to make the WAF \u201can observing, protective layer that runs on well-defined rules\u201d rather than \u201ca wall that forbids everything\u201d.<\/p>\n<h3><span id=\"Temel_WAF_Stratejisi\">Basic WAF Strategy<\/span><\/h3>\n<p>When setting up a WAF for APIs, we recommend this path:<\/p>\n<ol>\n<li><strong>Run in observation mode first<\/strong> (detect\/learning mode). See which rules fire often and which produce false positives.<\/li>\n<li><strong>Allow-list the false positives<\/strong>: OWASP CRS fires frequently on JSON bodies, search fields and flexible filters. Prefer narrow exclusions (a rule ID for a specific parameter on a specific path) over disabling a whole rule, so the exception does not become a blind spot elsewhere.<\/li>\n<li><strong>Apply stricter rules to critical endpoints<\/strong> such as login, token refresh and admin panels.<\/li>\n<li><strong>Think of it together with rate limiting<\/strong>: suspicious patterns from the same IP or user can be blocked more aggressively with the WAF plus rate-limit combination.<\/li>\n<\/ol>\n<p>In <a href=\"https:\/\/www.dchost.com\/blog\/web-uygulama-guvenlik-duvari-waf-nedir-cloudflare-waf-ve-modsecurity-ile-web-sitesi-koruma-rehberi\/\">our WAF guide<\/a> we covered in detail what can be done with cloud-based WAF solutions or with the ModSecurity plus OWASP CRS pair, and when each approach makes sense. The same principles apply to APIs; because your body and header structures are more predictable, you can tighten the rules more comfortably.<\/p>\n<h3><span id=\"API_Ozelinde_WAF_Kurallari\">API-Specific WAF Rules<\/span><\/h3>\n<p>Because API traffic usually consists of JSON and a known set of endpoint patterns, you can customise the WAF along these lines:<\/p>\n<ul>\n<li>allow only the <strong>application\/json<\/strong> content type and block the rest,<\/li>\n<li>apply regex-based validation to specific parameters (e.g. <code>page<\/code>, <code>limit<\/code>, <code>id<\/code>),<\/li>\n<li>define separate rules for complex queries arriving over a single endpoint, as with GraphQL (query depth and size limits are the usual starting point),<\/li>\n<li>treat admin or internal API calls from specific IP blocks more leniently, but only based on the address your proxy sees directly or an <code>X-Forwarded-For<\/code> value set by a proxy you control; a client-supplied header is trivially forged.<\/li>\n<\/ul>\n<p>Applying these directly in the WAF layer on the hosting side keeps your application code simpler and centralises attack detection.<\/p>\n<h2><span id=\"Loglama_Izleme_ve_Olay_Mudahalesi\">Logging, Monitoring and Incident Response<\/span><\/h2>\n<p>However well you configure JWT, CORS, rate limiting and WAF rules, <strong>without logging and monitoring<\/strong> it is hard to notice attack attempts, slowly increasing anomalous traffic or false positives. In a sound API hosting architecture we recommend collecting logs at these layers:<\/p>\n<ul>\n<li>reverse proxy \/ API gateway logs (Nginx access and error logs)<\/li>\n<li>application logs (authorization failures, business-rule violations)<\/li>\n<li>WAF logs (blocked requests, grouped by rule)<\/li>\n<li>database logs (slow queries, connection errors)<\/li>\n<\/ul>\n<p>Whatever you collect, never write Authorization headers, tokens or refresh cookies into any of these logs; a log store is rarely protected as well as your secrets store, and a leaked log would hand out working credentials.<\/p>\n<p>When you collect these logs in one place and define search and alert rules, you can see the impact of a possible attack or configuration error within minutes. 
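<\/p>\n<p>The 401\/403\/429 alarm criterion in concrete form, as an added example that is not DCHost's code and not from the original article: it parses access-log lines, counts denial responses per client and per minute, and raises an alert with the most-hit endpoint when a client crosses a threshold. The Nginx <code>log_format<\/code> it assumes is <code>$remote_addr $time_iso8601 $request_method $uri $status<\/code> (space separated, no quoted fields); the log lines are constructed for the example and the threshold of 10 denials per minute is an assumption. A <code>redact_uri<\/code> helper shows the other side of the logging rule above: masking token-bearing query parameters before the line is ever written.<\/p>\n<pre>
```python
# Added example (not DCHost's code): detection over API access logs. Assumes an
# Nginx log_format of '$remote_addr $time_iso8601 $request_method $uri $status';
# the sample lines are constructed for the example.
from collections import Counter, defaultdict
from datetime import datetime

SAMPLE_LOG = '''
203.0.113.7 2026-02-09T10:44:01+00:00 POST /auth/login 401
203.0.113.7 2026-02-09T10:44:02+00:00 POST /auth/login 401
203.0.113.7 2026-02-09T10:44:03+00:00 POST /auth/login 401
203.0.113.7 2026-02-09T10:44:04+00:00 POST /auth/login 401
203.0.113.7 2026-02-09T10:44:05+00:00 POST /auth/login 401
203.0.113.7 2026-02-09T10:44:06+00:00 POST /auth/login 401
203.0.113.7 2026-02-09T10:44:07+00:00 POST /auth/login 401
203.0.113.7 2026-02-09T10:44:08+00:00 POST /auth/login 401
203.0.113.7 2026-02-09T10:44:09+00:00 POST /auth/login 401
203.0.113.7 2026-02-09T10:44:10+00:00 POST /auth/login 401
203.0.113.7 2026-02-09T10:44:11+00:00 POST /auth/login 429
203.0.113.7 2026-02-09T10:44:12+00:00 POST /auth/login 429
203.0.113.7 2026-02-09T10:44:13+00:00 GET /admin/users 403
198.51.100.4 2026-02-09T10:44:20+00:00 GET /orders 200
198.51.100.4 2026-02-09T10:44:21+00:00 GET /orders/42 200
198.51.100.4 2026-02-09T10:45:02+00:00 GET /reports/daily 401
198.51.100.4 2026-02-09T10:45:03+00:00 POST /auth/refresh 200
203.0.113.7 2026-02-09T10:45:30+00:00 POST /auth/login 401
'''

WATCHED = {'401', '403', '429'}     # denial statuses worth alerting on
THRESHOLD = 10                      # denials per client per minute (assumed)
SENSITIVE_PARAMS = ('token', 'access_token', 'refresh_token', 'api_key')


def parse_line(line: str) -> tuple:
    '''Split one log line into (ip, minute bucket, method, uri, status).'''
    ip, ts, method, uri, status = line.split()
    minute = datetime.fromisoformat(ts).strftime('%Y-%m-%dT%H:%M')
    return ip, minute, method, uri, status


def detect(log_text: str, threshold: int = THRESHOLD) -> list:
    '''Return alerts as (ip, minute, denial_count, top_uri) for every client that
    accumulated at least threshold 401/403/429 responses inside one minute.'''
    per_client = Counter()
    per_client_uri = defaultdict(Counter)
    for raw in log_text.strip().splitlines():
        if not raw.strip():
            continue
        ip, minute, _method, uri, status = parse_line(raw)
        if status in WATCHED:
            per_client[(ip, minute)] += 1
            per_client_uri[(ip, minute)][uri] += 1
    alerts = []
    for (ip, minute), count in sorted(per_client.items()):
        if count >= threshold:
            top_uri = per_client_uri[(ip, minute)].most_common(1)[0][0]
            alerts.append((ip, minute, count, top_uri))
    return alerts


def redact_uri(uri: str) -> str:
    '''Mask secret-bearing query parameters before the line reaches log storage.'''
    if '?' not in uri:
        return uri
    path, query = uri.split('?', 1)
    parts = []
    for pair in query.split('&'):
        name, _sep, value = pair.partition('=')
        if name in SENSITIVE_PARAMS and value:
            parts.append(name + '=[redacted]')
        else:
            parts.append(pair)
    return path + '?' + '&'.join(parts)
```
<\/pre>\n<p>Run against the sample, <code>detect<\/code> flags 203.0.113.7 at 10:44 with 13 denials, most of them on <code>\/auth\/login<\/code>, while the legitimate client's single 401 stays below the threshold. The same counting works per user ID instead of per IP once the proxy logs the authenticated subject; keyed that way it catches password spraying that rotates through many IPs against one account, which a per-IP rule never sees.<\/p>\n<p>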
For centralised logging on DCHost infrastructure, solutions such as ELK or Grafana Loki are a frequent choice; we detailed the practical setup steps in <a href=\"https:\/\/www.dchost.com\/blog\/vps-log-yonetimi-nasil-rayina-oturur-grafana-loki-promtail-ile-merkezi-loglama-tutma-sureleri-ve-alarm-kurallari\/\">our VPS log management guide<\/a>.<\/p>\n<p>A <strong>monitoring and alerting layer<\/strong> sitting on top of the logs is the final link. When, alongside metrics such as CPU, RAM, disk IO and network traffic, you also make sudden increases in 401\/403\/429 rates an alarm criterion, API security becomes operationally sustainable too. To see how to build this architecture step by step, have a look at <a href=\"https:\/\/www.dchost.com\/blog\/merkezi-sunucu-izleme-ve-alarm-mimarisi\/\">our article on centralised server monitoring and alerting architecture<\/a>.<\/p>\n<h2><span id=\"DCHost_Uzerinde_Ornek_API_Hosting_Mimarileri\">Example API Hosting Architectures on DCHost<\/span><\/h2>\n<p>To make the theory concrete, here are simplified summaries of two types of API architecture we frequently see on DCHost.<\/p>\n<h3><span id=\"Senaryo_1_Kucuk_SaaS_veya_Mobil_Backend_icin_Tek_VPS_Mimarisi\">Scenario 1: Single-VPS Architecture for a Small SaaS or Mobile Backend<\/span><\/h3>\n<p>In early-stage projects, a <strong>single well-configured VPS<\/strong> is usually enough. Our recommended setup in this scenario:<\/p>\n<ul>\n<li>Nginx: reverse proxy on ports 80\/443; CORS and basic rate limiting live here.<\/li>\n<li>WAF: ModSecurity plus OWASP CRS integrated with Nginx, moving gradually from observation mode to blocking mode.<\/li>\n<li>Application: Node.js \/ PHP (Laravel) API service on 127.0.0.1 on a separate port.<\/li>\n<li>Database and Redis: on the same VPS but closed to the public IP, reachable only over localhost or a private interface.<\/li>\n<li>JWT keys: secrets distributed by CI\/CD into a directory under \/etc that only the application's service account can read.<\/li>\n<\/ul>\n<p>This setup keeps initial costs low while providing a foundation suited to <strong>moving the application and the database to separate VPSs<\/strong> as you grow. A significant share of DCHost customers start from this architecture and scale without trouble by separating only the database or the cache layer as load increases.<\/p>\n<h3><span id=\"Senaryo_2_Orta_Olcekli_API_icin_WAF_CDN_Coklu_VPS\">Scenario 2: WAF + CDN + Multiple VPSs for a Mid-Sized API<\/span><\/h3>\n<p>As your API traffic grows or your security requirements tighten, it becomes sensible to extend the architecture by a few more layers:<\/p>\n<ul>\n<li>CDN plus WAF at the front: static content cache, basic DDoS protection, IP reputation filters.<\/li>\n<li>Behind it, one or more <strong>API VPS clusters<\/strong> on DCHost: Nginx plus the application layer.<\/li>\n<li>Database VPS: separate from the API servers, opened by firewall only to specific IPs, scalable with replication when needed.<\/li>\n<li>Rate limiting: both at the CDN\/WAF layer and in Nginx, two-tiered for critical endpoints.<\/li>\n<li>Logging: API layer, WAF and database logs collected in a single central log system.<\/li>\n<\/ul>\n<p>One condition makes this layering hold: the origin servers must accept traffic only from the CDN (a firewall on the CDN's published ranges, or authenticated origin pulls). If the origin IP answers to anyone, an attacker who discovers it reaches the API directly and bypasses the front WAF and its rate limits altogether.<\/p>\n<p>In such an architecture, a staging environment also becomes important for keeping maintenance and update processes manageable. Taking API code and settings to staging first, testing the JWT, CORS, rate limiting and WAF rules there, and only then going live significantly reduces surprise outages.<\/p>\n<h2><span id=\"Ozet_ve_Yol_Haritasi_Nereden_Baslamali\">Summary and Roadmap: Where to Start?<\/span><\/h2>\n<p>API security is not something a single technology or a single setting solves. JWT, CORS, rate limiting and WAF only really work when they are designed together within the right hosting architecture. In short:<\/p>\n<ul>\n<li>First clarify the architectural layers: reverse proxy, application, database, WAF, CDN.<\/li>\n<li>Make the JWT design secure: short-lived access tokens, HttpOnly refresh token, solid key management, pinned algorithm.<\/li>\n<li>Manage CORS at the reverse proxy level rather than in the application where possible; build explicit origin lists without wildcards.<\/li>\n<li>Think of rate limiting as a combination of IP, user and endpoint; make 429 responses developer friendly.<\/li>\n<li>Run the WAF in observation mode first, then move it gradually into blocking mode; enrich it with API-specific rules.<\/li>\n<li>Without logging and monitoring you cannot measure the real effect of any rule; build the central log and alert architecture.<\/li>\n<\/ul>\n<p>If you are starting a new API project, the VPS and dedicated server options on DCHost let you build an architecture that starts from a single VPS and grows in stages toward WAF, CDN and multiple servers over time. If you have an existing project and keep running into problems with JWT, CORS or WAF settings, we recommend first opening a small staging environment, trying the steps in this article there, and then moving to production gradually.<\/p>\n<p>If you would like to review your API security architecture together and discuss what can be improved on your existing DCHost infrastructure, our team is ready with practical suggestions and a realistic roadmap.<\/p>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Contents 1 Why the Right Hosting Architecture Is Critical for API Security 2 Architectural Foundation: API Server, Reverse Proxy, WAF and Network Segmentation 2.1 Mandatory TLS and HTTP Security Headers 3 Authentication and Authorization Layer: Getting the JWT Design Right 3.1 JWT Structure: Which Claims, Which Lifetimes? 3.2 Access Token vs. Refresh Token 3.3 JWT Key Management and Rotation 4 CORS Architecture: Frontend, API [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":4849,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-4848","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-teknoloji"],"_links":{"self":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/4848","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/comments?post=4848"}],"version-history":[{"count":0,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/posts\/4848\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media\/4849"}],"wp:attachment":[{"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/media?parent=4848"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/categories?post=4848"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dchost.com\/blog\/wp-json\/wp\/v2\/tags?post=4848"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
