TL;DR

  • validate the app behind the sidecar and environment proxy first
  • only then wire it into the main gateway
  • keep the gateway focused on TLS termination, host routing, and headers
  • keep rollback simple by preserving the earlier internal validation path
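As an added illustration of the four points above (not configuration from the original page, which names no specific gateway product), the following nginx edge gateway does only TLS termination, host-based routing and header handling, and forwards to the app through the same internal sidecar/proxy address that the earlier validation step exercised. The hostname `app.example.com`, the upstream address `10.0.0.10:15001`, and the certificate paths are assumed placeholders.

```nginx
# Added example, not the page's own config. Hostnames, upstream address and
# certificate paths below are assumed placeholders.

# Upstream: the app as reached through its sidecar/environment proxy.
# This is the same address used for the internal validation pass, so the
# gateway adds routing only; rollback is removing the public server block.
upstream app_internal {
    server 10.0.0.10:15001;   # assumed sidecar/proxy listener in front of the app
    keepalive 32;
}

# Plain HTTP: redirect only, no application logic at the gateway.
server {
    listen 80;
    server_name app.example.com;   # assumed public hostname
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name app.example.com;   # host routing: only this name reaches app_internal

    # TLS terminates here; traffic to the sidecar stays on the internal network.
    ssl_certificate     /etc/nginx/tls/app.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Response headers the gateway owns, so the app does not have to set them.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;

    location / {
        # Request headers the app and sidecar rely on for the real client and scheme.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_http_version 1.1;
        proxy_set_header Connection "";   # needed for upstream keepalive
        proxy_pass http://app_internal;
    }
}

# Unknown Host headers are dropped rather than routed to the app.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/tls/default.crt;   # assumed placeholder cert
    ssl_certificate_key /etc/nginx/tls/default.key;   # assumed placeholder key
    return 444;
}
```

Wiring the app in is then a single `server` block pointing at an upstream that has already been validated directly; backing out is removing that block and reloading, while the internal path keeps working unchanged.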