How to validate header values in the API Gateway request before the integration
Many customers have been trying to restrict the access to APIs on API Gateway from their CloudFront distribution only. The forms of restriction can come as:
- Have an allow list of IP CIDRs that CloudFront uses, but this can be bypassed if the attacker uses a proxy to reach the target
- HTTP headers, which can be validated in multiple ways, for example:
  - Custom Authorizer that will validate the normal authentication header and any extra header that CF could include
  - API Gateway in Proxy Mode where the app will deal with the request authentication and any extra header that CF could include
My idea is to validate the header before we hit the integration phase, or even waste processing cycles invoking a Lambda function in the custom authorizer: if the request didn't come from my trusted source, API Gateway will drop the request earlier.
My current solution, which may not be ideal, is:
Add a required header in the Method Request with something like:
XXXXXXXXXX is a hash that CloudFront injects in the origin request. The header is required and the value can be just
CloudFront, or if we are using this mechanism with multiple CDNs we can add the CDN name in the value.
Changing the default response for Bad Parameters to stop returning the name of the missing parameter, as this name is sensitive now.
An optional mechanism to increase security is:
- A second HTTP header with a secret as its value
Adding a second header like
X-CDN-KEY with the secret as value. If the request passes the method request validation for the existence of those 2 headers, the request moves forward to the integration and the application will process the request.
This approach can potentially reduce processing costs, reduce latency, reduce the risk of DDoS attacks and increase scalability. But something that would make it even better is to validate header values before we hit the integration (and potentially invoke a Lambda function or any back-end to process the request).
OpenAPI supports parameters as path, query, header, cookie and they can have schema to validate the parameters values using type, format, regular expressions and static values.
But using API Gateway I didn't see how I can apply a model to an HTTP header and then validate the header value in the method request phase.
Is that possible?
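As an added illustration (not from the original post), here is the poster's current approach expressed as an OpenAPI 3 definition for a REST API: both CDN headers are required in the Method Request, a request validator enforces them before any authorizer or integration runs, and the default 400 gateway response is overridden so it no longer names the missing header. The header name `X-CDN-XXXXXXXXXX`, the `/orders` path and the `REGION`/`ACCOUNT_ID`/`FUNCTION_NAME` values are placeholders. Note that API Gateway request validation only checks that a required header is present and non-blank; the `schema` on a header parameter is not enforced against the value.

```yaml
openapi: "3.0.1"
info:
  title: cdn-only-api
  version: "1.0"

# Presence check for required parameters (headers included) runs in the
# Method Request phase, before any custom authorizer or integration is invoked.
x-amazon-apigateway-request-validators:
  params-only:
    validateRequestParameters: true
    validateRequestBody: false
x-amazon-apigateway-request-validator: params-only

# Default BAD_REQUEST_PARAMETERS body reads
# {"message": "Missing required request parameters: [X-CDN-KEY]"},
# which leaks the header name. Replace it with a generic body.
x-amazon-apigateway-gateway-responses:
  BAD_REQUEST_PARAMETERS:
    statusCode: 403
    responseTemplates:
      application/json: '{"message": "Forbidden"}'

paths:
  /orders:   # placeholder resource
    get:
      parameters:
        - name: X-CDN-XXXXXXXXXX   # placeholder for the hashed header CloudFront adds
          in: header
          required: true
          schema:
            type: string           # accepted by the importer, value is NOT validated
        - name: X-CDN-KEY          # second header carrying the shared secret
          in: header
          required: true
          schema:
            type: string
      responses:
        "200":
          description: OK
      x-amazon-apigateway-integration:
        type: aws_proxy
        httpMethod: POST
        uri: arn:aws:apigateway:REGION:lambda:path/2015-03-31/functions/arn:aws:lambda:REGION:ACCOUNT_ID:function:FUNCTION_NAME/invocations
```

A request missing either header is rejected with the generic 403 before the Lambda integration is charged or invoked; a request that carries both headers with any non-blank value still reaches the integration, which is exactly the gap the question is about.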
Check out this blog post: https://aws.amazon.com/blogs/compute/protecting-your-api-using-amazon-api-gateway-and-aws-waf-part-2/