How to validate header values in the API Gateway request before the integration
Many customers have been trying to restrict access to their APIs on API Gateway to their CloudFront distribution only. The restriction can take the following forms:

  • An allow list of the IP CIDRs that CloudFront uses, but this can be bypassed if the attacker uses a proxy to reach the target
  • HTTP headers, which can be validated in multiple ways, e.g.:
    • A custom authorizer that validates the normal authentication header and any extra header that CF could include
    • API Gateway in proxy mode, where the app deals with the request authentication and any extra header that CF could include

My idea is to validate the header before we hit the integration phase, or even waste processing cycles invoking a Lambda function in the custom authorizer: if the request didn't come from my trusted source, API Gateway will drop the request earlier.

My current solution, which maybe is not ideal, is:

Add a required header in the Method Request, something like X-CDN-XXXXXXXXXX, where XXXXXXXXXX is a hash that CloudFront injects into the origin request. The header is required, and the value can be just CloudFront or, if we are using this mechanism with multiple CDNs, we can put the CDN name in the value.

Change the default response for Bad Parameters to stop returning the name of the missing parameter, as this name is sensitive now.

An optional mechanism to increase the security is:

  • A second HTTP header carrying a secret as its value

Adding a second header like X-CDN-KEY with the secret as the value. If the request passes the Method Request validation for the existence of those 2 headers, the request moves forward to the integration and the application processes the request.

This approach can potentially reduce processing costs, reduce latency, reduce the risk of DDoS attacks and increase scalability. But something that would make it even better is to validate header values before we hit the integration (and potentially invoke a Lambda function or any back end to process the request).

OpenAPI supports parameters in path, query, header and cookie, and they can have a schema to validate the parameter values using type, format, regular expressions and static values.

But using API Gateway I didn't see how I can apply a model to an HTTP header and then validate the header value in the Method Request phase.

Is that possible?
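As an added illustration (not code from the post, and not API Gateway's own validator), the Python sketch below models the header gate the post describes: a required CDN marker header checked against a fixed set of values, a shared-secret header compared in constant time, an OpenAPI-style regex rule for a third header, and a single generic rejection that does not name the offending header. The header names, CDN names and secret are constructed placeholders.

```python
import hmac
import re
from typing import Optional

# Constructed rule set in the spirit of OpenAPI header parameters. Names and the
# secret are placeholders; the marker suffix stands for the post's XXXXXXXXXX hash.
HEADER_RULES = {
    "x-cdn-0123456789": {"required": True, "enum": {"CloudFront", "OtherCDN"}},
    "x-cdn-key": {"required": True, "secret": "REPLACE_WITH_SHARED_SECRET"},
    "authorization": {"required": True, "pattern": r"^Bearer [A-Za-z0-9\-._~+/]+=*$"},
}

# One opaque response for every failure so the header names are not disclosed.
GENERIC_REJECT = {"statusCode": 403, "body": '{"message":"Forbidden"}'}


def validate_headers(headers: dict, rules: dict = HEADER_RULES) -> Optional[dict]:
    """Return None when every rule is satisfied, else the generic rejection."""
    # HTTP header names are case-insensitive; normalise before lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    for name, rule in rules.items():
        value = lowered.get(name)
        if value is None or value == "":
            if rule.get("required"):
                return GENERIC_REJECT
            continue
        # Constant-time comparison so timing does not leak how much of the key matched.
        if "secret" in rule and not hmac.compare_digest(value, rule["secret"]):
            return GENERIC_REJECT
        if "enum" in rule and value not in rule["enum"]:
            return GENERIC_REJECT
        if "pattern" in rule and not re.fullmatch(rule["pattern"], value):
            return GENERIC_REJECT
    return None


if __name__ == "__main__":
    # Constructed sample requests: one from the trusted CDN path, one with a bad key.
    good = {"X-CDN-0123456789": "CloudFront", "X-CDN-KEY": "REPLACE_WITH_SHARED_SECRET",
            "Authorization": "Bearer abc.def"}
    bad_key = dict(good, **{"X-CDN-KEY": "guess"})
    print("trusted request:", validate_headers(good))
    print("wrong key:", validate_headers(bad_key))
```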