By using AWS re:Post, you agree to the Terms of Use

Hide x-amzn-errortype in response headers on API Gateway



For security purposes, I am trying to make an INVALID_API_KEY response match a 404 response, however I can see that the underlying error type is exposed in the x-amzn-errortype response header

The reason for doing this is to prevent users without valid authn/authz users from learning which resource routes exist on the API when:

  1. they call the API with a missing or invalid API key; or
  2. they are not authorized to access a specific route with their API key

Is this possible? Thanks!

1 Answers

Unfortunately, the header is not customizable in API Gateway. Also, I looked into using CloudFront/Lambda@Edge to modify the header but that header is one of the disallowed headers to modify. Therefore, it is not possible to use Lambda@Edge to modify.

For REST API, if a client invokes an API with a non-existing route, they get MissingAuthenticationTokenException. This is returned whether or not a client uses an API key. Also, if a client invokes an API route with an invalid API key, the ForbiddenException error is returned. It does not tell the client that they are using a wrong API key. I don't think either of the above exposes that a client is using a wrong key or wrong route. Also, as you may be doing now, you can customize API error responses with gateway responses so you can use different status code, headers, etc.

answered 22 days ago
  • Upon further investigation, I find that you don't need to supply a valid API key to expose resource routes for any given API - private or public. This seems to be a security flaw with API Gateway. What is the process to have this addressed ASAP?

    i.e. if I call the API with an invalid API key (any random generated text) and I hit a Resource Route that exists I get a ForbiddenException error header response. If I hit a Resource Route that does not exist, I get a MissingAuthenticationTokenException error header response.

    This shows that even with an invalid API key that is garbage text, I am able to discover resource routes on a private API that requires an API Key for all resource routes

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions