I have created an API and enable the response cache from run time configuration but still gateway sending request to backend API on Version 3.0
The response cache key includes all the headers and request body, hashed. Therefore, if 2 of your requests have at least one different header, it will be a cache miss.
In the case of Postman, it always sends a random value in Postman-Token header. Hense the cache miss always.
Related
I have a get api which takes session id as query params. The session id can expire if used or exceeds the expiration time. In both cases, it should return false as response else true if the session id is valid.
This is a public api.
There is another get api which takes authorization header.
I am getting a problem with the first api that it is always returning true status as response even if the session id is expired or used. So, I believe the response I am getting is from the cloudfront cache instead of the api origin.
Since the first api is http get api, I read on the aws documentation that cloudfront always caches http get method by default. So, I believe this is the reason for the response I am getting.
Since it is a dynamic response, I always want it to be fetched from the origin instead of cache.
Here is my behavior configuration I am using.
Behavior configuration
Allowing authorization header for the second api here.
Cache Policy
Forwarding query string value from request to origin.
Request Policy
When using API-keys and usage plans for AWS API-gateway - is usage plan used even though the authorization method is not using API-keys (I would still pass x-api-key http header to the API)?
I ran into the same question, but I did not find the answer so I did some testing myself. This is what I found: Even if a method is not API Key required, any request sent to the method with API key in header will subject to the usage plan which is associated API key.
The test I did is:
create method A and set requireApiKey to false
set the rate and burst throttling values to 0 for a method A under a usage plan
associate an APIKey K with the usage plan
sent request through PostMan to method A with including K in header, resulted "Too Many Requests" error
sent request through PostMan to method A without including K in header, request succeeded.
As per documentation
When you send an API request to the backend, you pass a token in the Authorization header of the request. The API Gateway uses this token to authorize access, and then drops it from the outgoing message.
link
I want to pass this token to the backend for every published API. What is the correct place to configure such behavior?
Uncomment below configuration in repository/conf/api-manager.xml and set false.
<RemoveOAuthHeadersFromOutMessage>true</RemoveOAuthHeadersFromOutMessage>
From API Manager version 3.0.0 onwards configuration model has been changed. So any changes done in api-manager.xml get reverted after the server restart.
Now we need to change <API-M_HOME>/repository/conf/deployment.toml
Uncomment and set the following lines:
[apim.oauth_config]
enable_outbound_auth_header = true
enable_outbound_auth_header string
Default: FALSE If TRUE, sends Auth header to the backend as received
from the client.
I have a REST API and some of the endpoints take a significant time to generate the responses, so I want to add some response caching and etag support. I have looked at the conditional response implementation in Django and at both response caching and conditional response in DRF extensions package. The problem I am having is that my data changes very frequently on one side, but is also heavily segregated, so if something changes in the response to user A calling endpoint X, nothing might change for users B, C and D calling the same endpoint. Since my data changes often, if I invalidate all responses on every change, I will never hit cache. The endpoints in question all generate lists of JSON objects, so the question is how can I only invalidate cached responses that contain a changed object rather than invalidating all of them?
I have to design an API that will support browser plugins only (latest version of Chrome, Firefox, IE). The API will be served over HTTPS. The API will be using a cookie-based access control scheme.
I am wondering what tactics to employ for CSRF prevention. Specifically, I want my API only to get requests from my own browser plugin itself and not from any other pages/plugins.
Would I be able to:
Assume that in most cases there would be an Origin header?
Would I be able to compare and trust the Origin header to ensure that the requests only come from a white-listed set of Origins?
Would this be compatible across the board (Chrome/Firefox/IE)?
I'm aware of multiple techniques used to prevent CSRF, such as the Synchronizer Token Pattern, but I would like to know in my limited scope above, if simply checking the Origin header would be sufficient?
Thanks in advance!
Set a custom header like X-From-My-Plugin: yes. The server should require its presence. It can be a constant. A web attacker can either:
make the request from the user's browser: this sends the cookie, but they can't send the custom header cross-origin; or
make the request from a different HTTP client: they can send the custom header, but they can't send the cookie because they don't know it
Either way, the attacker's request won't have both the cookie and the custom header.