Hi,
I created two different API configs: one requiring the API key in query params, like

  api_key:
    type: "apiKey"
    name: "key"
    in: "query"

and the other requiring the key in headers, like

  api_key:
    type: "apiKey"
    name: "x-api-key"
    in: "header"

But for each of these configs, the caller can actually pass the key using any of the three methods: passing "key" in query, passing "api_key" in query, passing "x-api-key" in headers; i.e. even though I specify I want the key in headers, API Gateway still allows calls that have the key in query params.
Is this expected? How can I prevent callers from passing the key in query params (to avoid confusion with passing it in headers and as a better security practice to avoid potentially sensitive data in query params)?
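The behaviour described in the question, as an added example that is not part of the original post or of Google's API Gateway code: a small Python model of the three key locations the poster observed being accepted (query `key`, query `api_key`, header `x-api-key`), next to a strict check that accepts the header only and a log-redaction helper. It assumes there is a layer where such a check can run (a reverse proxy in front of the gateway, or the backend behind it); the `Request` class, the function names and the key values are constructed for the example and are not gateway APIs.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

# Locations the original poster observed API Gateway accepting, regardless of
# which one the securityDefinitions block names (assumption drawn from the post).
ACCEPTED_QUERY_PARAMS = ("key", "api_key")
ACCEPTED_HEADER = "x-api-key"


@dataclass
class Request:
    """Minimal stand-in for an inbound HTTP request (constructed for the example)."""
    url: str
    headers: dict = field(default_factory=dict)


def find_api_key_locations(req: Request) -> list[tuple[str, str]]:
    """List every (location, value) pair where an API key was supplied.

    Query parameters are checked first, then headers. Header names are matched
    case-insensitively, as HTTP requires, so 'X-Api-Key' counts as well.
    """
    found = []
    query = parse_qs(urlsplit(req.url).query, keep_blank_values=True)
    for name in ACCEPTED_QUERY_PARAMS:
        for value in query.get(name, []):
            found.append((f"query:{name}", value))
    for hname, hvalue in req.headers.items():
        if hname.lower() == ACCEPTED_HEADER:
            found.append((f"header:{ACCEPTED_HEADER}", hvalue))
    return found


def lenient_key(req: Request) -> Optional[str]:
    """Model of the observed gateway behaviour: first key found, from any location."""
    locations = find_api_key_locations(req)
    return locations[0][1] if locations else None


def strict_header_key(req: Request) -> Optional[str]:
    """Header-only policy for a layer in front of (or behind) the gateway.

    A key in the query string is rejected outright, even when the header is
    also present: once the key is in the URL it is already in access logs,
    browser history and Referer headers, so accepting the request anyway would
    not undo the exposure. Returns the header key, or None if no key was sent.
    """
    locations = find_api_key_locations(req)
    if any(loc.startswith("query:") for loc, _ in locations):
        raise ValueError(
            "API key must be sent in the x-api-key header, not the query string"
        )
    header_keys = [value for loc, value in locations if loc.startswith("header:")]
    return header_keys[0] if header_keys else None


def redact_url(url: str) -> str:
    """Replace key-bearing query values with REDACTED before a URL is logged."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    scrubbed = [
        (k, "REDACTED" if k in ACCEPTED_QUERY_PARAMS else v) for k, v in pairs
    ]
    return urlunsplit(parts._replace(query=urlencode(scrubbed)))


if __name__ == "__main__":
    # Constructed sample: key in the query string and a fake key value.
    sample = Request("https://gw.example.com/v1/items?key=AIzaFAKE&foo=1")
    print("locations:", find_api_key_locations(sample))
    print("lenient:", lenient_key(sample))
    print("logged as:", redact_url(sample.url))
    try:
        strict_header_key(sample)
    except ValueError as exc:
        print("strict:", exc)
```

Running the strict check as a pre-filter does not change what the gateway itself accepts; it only guarantees that requests carrying the key in the URL never reach it from that path, and the redaction helper keeps any key that does arrive in a URL out of your own logs.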
Hi @OC_Dev,
Welcome to the Google Cloud Community!
In Using API Keys, it is noted that unlike credentials that use short-lived tokens, API keys function as part of the API request. As a result, API keys are vulnerable to man-in-the-middle attacks and may not be as secure as other authentication credentials. You can use API keys in addition to other supported forms of authentication. It is not recommended to only use API keys when API calls contain sensitive data.
You can contact Google Cloud Support to further look into your case. Let me know if it helped, thanks!