x-api-key for Usage Plans

0

I am planning to write a custom authorizer which returns in one of it's response, the api-key for usage plans purposes

can our client send the x-api-key in the path parameter?
e.g.
https://our.api.amazon.com/api/v1/greetings/<this-is-x-api-key>/sayHello

is there any security risk of having it in the path parameter?

1개 답변
1

can our client send the x-api-key in the path parameter?

You do have access to the path parameters in a request authorizer, so yes. You could also have your customers send a completely distinct value from the api key and do a cross reference in an internal data store if you so choose, meaning that your customer would never send the actual key directly.

is there any security risk of having it in the path parameter?

Only if this is the only form of authentication you are using on your API (which we do not recommend). URLs are logged in most proxy server implementations, meaning that if a customers traffic is going through a proxy of some kind their keys would be exposed to the proxy owner.

Regards,
Bob

전문가
답변함 5년 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠