x-api-key for Usage Plans

0

I am planning to write a custom authorizer which returns, in one of its responses, the api-key for usage plans purposes.

Can our client send the x-api-key in the path parameter?
e.g.
https://our.api.amazon.com/api/v1/greetings/<this-is-x-api-key>/sayHello

Is there any security risk of having it in the path parameter?

asked 5 years ago, 300 views
1 Answer
1

Can our client send the x-api-key in the path parameter?

You do have access to the path parameters in a request authorizer, so yes. You could also have your customers send a completely distinct value from the api key and do a cross reference in an internal data store if you so choose, meaning that your customer would never send the actual key directly.

Is there any security risk of having it in the path parameter?

Only if this is the only form of authentication you are using on your API (which we do not recommend). URLs are logged in most proxy server implementations, meaning that if a customer's traffic is going through a proxy of some kind, their keys would be exposed to the proxy owner.

Regards,
Bob

EXPERT
answered 5 years ago
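
The cross-reference approach described in the answer above, as an added example that is not part of the original post and not AWS's own code: a Lambda REQUEST authorizer reads an opaque token from the path, maps it to the real usage-plan key in an internal store, and returns that key as `usageIdentifierKey`, so the key itself never appears in a URL. The parameter name `clientToken`, the in-memory `TOKEN_STORE` and every token and key value are constructed assumptions; the API's key source must be set to `AUTHORIZER` for the returned key to be applied.

```python
import hashlib

# Constructed stand-in for the internal data store: SHA-256 of the opaque
# client token -> the real usage-plan API key. Both values are made up.
TOKEN_STORE = {
    hashlib.sha256(b"client-token-123").hexdigest(): "constructed-usage-plan-key-0001",
}

PARAM_NAME = "clientToken"  # hypothetical path parameter name (assumption)


def lookup_api_key(token):
    """Return the usage-plan API key mapped to an opaque token, or None."""
    if not token:
        return None
    return TOKEN_STORE.get(hashlib.sha256(token.encode()).hexdigest())


def build_policy(principal, effect, resource, api_key=None):
    """Build the Lambda authorizer response for API Gateway."""
    response = {
        "principalId": principal,
        "policyDocument": {
            "Version": "2012-10-17",
            "Statement": [{
                "Action": "execute-api:Invoke",
                "Effect": effect,
                "Resource": resource,
            }],
        },
    }
    if api_key is not None:
        # API Gateway meters the request against the usage plan of this key.
        response["usageIdentifierKey"] = api_key
    return response


def handler(event, context):
    # pathParameters can be None when the route has no parameters.
    token = (event.get("pathParameters") or {}).get(PARAM_NAME)
    api_key = lookup_api_key(token)
    if api_key is None:
        return build_policy("anonymous", "Deny", event["methodArn"])
    # Use a digest prefix as principalId so the raw token is not propagated
    # into downstream context or logs.
    principal = hashlib.sha256(token.encode()).hexdigest()[:16]
    return build_policy(principal, "Allow", event["methodArn"], api_key)
```

Because the token still travels in the URL, it is exposed to proxies in the same way the answer describes; the mapping only limits what is exposed to a revocable token rather than the usage-plan key.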
