Unfortunately, the header is not customizable in API Gateway. Also, I looked into using CloudFront/Lambda@Edge to modify the header but that header is one of the disallowed headers to modify. Therefore, it is not possible to use Lambda@Edge to modify.
For REST API, if a client invokes an API with a non-existing route, they get MissingAuthenticationTokenException.
This is returned whether or not a client uses an API key. Also, if a client invokes an API route with an invalid API key, the ForbiddenException error is returned. It does not tell the client that they are using a wrong API key. I don't think either of the above exposes that a client is using a wrong key or wrong route. Also, as you may be doing now, you can customize API error responses with gateway responses so you can use different status codes, headers, etc.
Upon further investigation, I find that you don't need to supply a valid API key to expose resource routes for any given API - private or public. This seems to be a security flaw with API Gateway. What is the process to have this addressed ASAP?
i.e. if I call the API with an invalid API key (any randomly generated text) and I hit a Resource Route that exists, I get a ForbiddenException error header response. If I hit a Resource Route that does not exist, I get a MissingAuthenticationTokenException error header response. This shows that even with an invalid API key that is garbage text, I am able to discover resource routes on a private API that requires an API Key for all resource routes.
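The answer above suggests gateway responses as the way to shape these errors. The following CloudFormation fragment is an added example, not code from the thread or from AWS; it maps the two gateway response types behind the errors discussed here (INVALID_API_KEY and MISSING_AUTHENTICATION_TOKEN) to one identical 403 body, and assumes the REST API is passed in as a parameter named RestApiId.

```yaml
# Added example: give the "wrong key" and "unknown route" cases the same
# status code and body so the response body no longer differs between them.
# Assumption: the existing REST API id is supplied via the RestApiId parameter.
Parameters:
  RestApiId:
    Type: String
    Description: Id of the existing API Gateway REST API to customise

Resources:
  # Default for INVALID_API_KEY is already 403 with body "Forbidden".
  UniformInvalidApiKeyResponse:
    Type: AWS::ApiGateway::GatewayResponse
    Properties:
      RestApiId: !Ref RestApiId
      ResponseType: INVALID_API_KEY
      StatusCode: "403"
      ResponseParameters:
        gatewayresponse.header.Cache-Control: "'no-store'"
      ResponseTemplates:
        application/json: '{"message":"Forbidden"}'

  # Default for MISSING_AUTHENTICATION_TOKEN is 403 with body
  # "Missing Authentication Token"; override it to match the key case.
  UniformMissingTokenResponse:
    Type: AWS::ApiGateway::GatewayResponse
    Properties:
      RestApiId: !Ref RestApiId
      ResponseType: MISSING_AUTHENTICATION_TOKEN
      StatusCode: "403"
      ResponseParameters:
        gatewayresponse.header.Cache-Control: "'no-store'"
      ResponseTemplates:
        application/json: '{"message":"Forbidden"}'

  # Catch-all so other 4XX gateway errors do not leak a distinct body either.
  UniformDefault4xxResponse:
    Type: AWS::ApiGateway::GatewayResponse
    Properties:
      RestApiId: !Ref RestApiId
      ResponseType: DEFAULT_4XX
      StatusCode: "403"
      ResponseTemplates:
        application/json: '{"message":"Forbidden"}'
```

As the answer notes, the error-type header itself is not customizable this way, so only the status code and body are unified; deploy a new stage deployment after changing gateway responses for them to take effect.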