Ao usar o AWS re:Post, você concorda com os AWS re:Post Termos de uso
AWS re:Postre:Post

x-api-key for Usage Plans

0

I am planning to write a custom authorizer which returns in one of it's response, the api-key for usage plans purposes

can our client send the x-api-key in the path parameter?
e.g.
https://our.api.amazon.com/api/v1/greetings/<this-is-x-api-key>/sayHello

is there any security risk of having it in the path parameter?

Tópicos
Sem servidorWeb e dispositivos móveis front-endRede e entrega de conteúdo
Tags
Gateway do Amazon API
Idioma
English
Johnson965
feita há 5 anos307 visualizações
1 Resposta
1

can our client send the x-api-key in the path parameter?

You do have access to the path parameters in a request authorizer, so yes. You could also have your customers send a completely distinct value from the api key and do a cross reference in an internal data store if you so choose, meaning that your customer would never send the actual key directly.

is there any security risk of having it in the path parameter?

Only if this is the only form of authentication you are using on your API (which we do not recommend). URLs are logged in most proxy server implementations, meaning that if a customers traffic is going through a proxy of some kind their keys would be exposed to the proxy owner.

Regards,
Bob

ESPECIALISTA
AWS-User-0395676
respondido há 5 anos

Você não está conectado. Fazer login para postar uma resposta.

Uma boa resposta responde claramente à pergunta, dá feedback construtivo e incentiva o crescimento profissional de quem perguntou.

Diretrizes para responder a perguntas

Conteúdo relevante