Usando AWS re:Post, accetti AWS re:Post Termini di utilizzo
AWS re:Postre:Post

x-api-key for Usage Plans

0

I am planning to write a custom authorizer which returns in one of it's response, the api-key for usage plans purposes

can our client send the x-api-key in the path parameter?
e.g.
https://our.api.amazon.com/api/v1/greetings/<this-is-x-api-key>/sayHello

is there any security risk of having it in the path parameter?

Argomenti
ServerlessFront-end web e dispositivi mobiliNetworking e distribuzione di contenuti
Tag
Gateway API di Amazon
Lingua
English
Johnson965
posta 5 anni fa301 visualizzazioni
1 Risposta
1

can our client send the x-api-key in the path parameter?

You do have access to the path parameters in a request authorizer, so yes. You could also have your customers send a completely distinct value from the api key and do a cross reference in an internal data store if you so choose, meaning that your customer would never send the actual key directly.

is there any security risk of having it in the path parameter?

Only if this is the only form of authentication you are using on your API (which we do not recommend). URLs are logged in most proxy server implementations, meaning that if a customers traffic is going through a proxy of some kind their keys would be exposed to the proxy owner.

Regards,
Bob

ESPERTO
AWS-User-0395676
con risposta 5 anni fa

Accesso non effettuato. Accedi per postare una risposta.

Una buona risposta soddisfa chiaramente la domanda, fornisce un feedback costruttivo e incoraggia la crescita professionale del richiedente.

Linee guida per rispondere alle domande

Contenuto pertinente