Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

x-api-key for Usage Plans

0

I am planning to write a custom authorizer which returns in one of it's response, the api-key for usage plans purposes

can our client send the x-api-key in the path parameter?
e.g.
https://our.api.amazon.com/api/v1/greetings/<this-is-x-api-key>/sayHello

is there any security risk of having it in the path parameter?

Themen
ServerlosFrontend-Web & MobileVernetzung & Bereitstellung von Inhalten
Tags
Amazon API-Gateway
Sprache
English
Johnson965
gefragt vor 5 Jahren306 Aufrufe
1 Antwort
1

can our client send the x-api-key in the path parameter?

You do have access to the path parameters in a request authorizer, so yes. You could also have your customers send a completely distinct value from the api key and do a cross reference in an internal data store if you so choose, meaning that your customer would never send the actual key directly.

is there any security risk of having it in the path parameter?

Only if this is the only form of authentication you are using on your API (which we do not recommend). URLs are logged in most proxy server implementations, meaning that if a customers traffic is going through a proxy of some kind their keys would be exposed to the proxy owner.

Regards,
Bob

EXPERTE
AWS-User-0395676
beantwortet vor 5 Jahren

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt