
jquery – Does AWS serverless function (API gateway & Lamda) has security flaw?

Posted by: admin February 24, 2020

Questions:

Hi, I am a novice user of AWS and this is my dilemma.

I have created a serverless endpoint: I created a Lambda function based on Node.js (this is a POST request), configured the API Gateway, created the stage and finally gave the endpoint URL to clients to make use of the resource as a RESTful service.

Users were getting the data and everything was going well until I found out that the users had a simple HTML page with jQuery code embedded in it, and to my surprise this page had the API key embedded in the header part of the request as headers: {"x-api-key": }.

Is this the ideal way to implement it? I was able to see the key value when I viewed the source code in Chrome by opening the HTML page.

Answers:

API keys are not meant for security. They are primarily there to support usage plans and handle throttling on a client (api key) by client basis. API keys are not secure, and should not be considered a means of authentication.

Answer:

As Amit pointed out correctly, the API key that you have shared with your users is generated once and used always. There is no guarantee of where and how it will be used.

If you need tight security, you should use short-lived temporary security credentials. These credentials are valid for a short time (e.g. 1 hour) and expire after that.

It is simple: the users log in via a web page with their username and password combination, and the application receives temporary credentials as a result of a successful login.

These temporary credentials should be used to make the API calls; the API will validate the credentials before granting access to resources.

Hope this helps.