Layer7 API Management

  • 1.  API Key validation

    Posted Jul 05, 2018 04:18 PM

    Hi!

    I am publishing our APIs by the Portal and setting the security to use API Key.

    However, the auto generated policy that validate the API Key gets the Key only from the query parameter.

    Is there a way to change the auto generated policy to get the Key from the header (without doing it manually in Policy Manager)?

    For our scenario this is a security issue, because the API Key can be easily captured when it is used as a query parameter.

    Thanks in advance!

    César Piau



  • 2.  Re: API Key validation

    Broadcom Employee
    Posted Jul 05, 2018 07:54 PM

    Dear Piau ,

    I double-checked the default "API Portal Integration Fragment - API Key" (on portal 4.2.7.4); the apikey in the query string, in posted form data, or in the header are all supported.

    What's the version of your portal?


    Regards,

    Mark



  • 3.  Re: API Key validation

    Posted Jul 06, 2018 10:11 AM

    Hi Mark,

    We are still using version 3.1 here in CAIXA.

    The fragment below is the "auto generated policy" when I publish an API by Portal.

    There are only 3 ways to capture the API Key from the request: ${request.http.parameter.apikey}, ${session.client_id} and ${oauth_consumer_key}.

    Regards,

    Piau




  • 4.  Re: API Key validation

    Broadcom Employee
    Posted Jul 08, 2018 07:59 PM

    Then it supports query string and form data -- ${request.http.parameter.<name>} supports both query string and form data parameters.



  • 5.  Re: API Key validation

    Posted Jul 09, 2018 05:20 PM

    Mark,

    Using form data is not a good idea because my body message cannot be changed. Here in Caixa, for security parameters, we decided that the header is the best choice.

    Is there a way to change the auto generated policy to get the Key from the header (without doing it manually in Policy Manager)? Maybe some config or template change.

    Regards,

    Piau



  • 6.  Re: API Key validation
    Best Answer

    Broadcom Employee
    Posted Jul 09, 2018 08:02 PM

    I understand, but this is how 3.1 is designed. You may need to customize the template policy to get the apikey from ${request.http.header.apikey} rather than ${request.http.parameter.apikey}.
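The two points made in this thread, that a key carried in the query string (post 1) ends up in places a header value does not, and that the policy should read the key from the header instead of the parameter (post 6), can be shown outside the gateway. The following is an added example, not code from the thread, from Layer7 or from the Portal's policy template: it mimics a plain access-log line, extracts the key from either location, and implements a header-only validation rule. The header name `apikey` is assumed from the `${request.http.header.apikey}` variable named above; the sample key, hosts and log format are constructed for illustration.

```python
"""Added example (not from the thread or from Layer7): why an API key in the
query string leaks, and a validator that accepts the key only from a header.
All keys, hosts and the log format below are constructed for illustration."""
import hashlib
import hmac
from urllib.parse import parse_qs, urlsplit

# Header name assumed from the thread's ${request.http.header.apikey}.
HEADER_NAME = "apikey"

# Constructed sample: the validator keeps only SHA-256 digests of issued keys,
# so a leaked lookup table does not hand out the raw keys.
VALID_KEY_HASHES = {
    hashlib.sha256(b"demo-key-123").hexdigest(),
}


def access_log_line(method, url, status):
    """Mimic a Common Log Format style access-log line: the request line,
    including the full query string, is written verbatim; request headers
    are not written at all. Timestamp is a constructed constant."""
    return f'- - - [01/Jul/2018:00:00:00 +0000] "{method} {url} HTTP/1.1" {status} -'


def key_from_query(url):
    """Equivalent of reading ${request.http.parameter.apikey} from the URL."""
    values = parse_qs(urlsplit(url).query).get(HEADER_NAME)
    return values[0] if values else None


def key_from_header(headers):
    """Equivalent of reading ${request.http.header.apikey}; header names are
    case-insensitive, so match them lower-cased."""
    for name, value in headers.items():
        if name.lower() == HEADER_NAME:
            return value.strip()
    return None


def validate(key):
    """Hash the presented key and compare in constant time against the
    digests of issued keys."""
    if not key:
        return False
    digest = hashlib.sha256(key.encode()).hexdigest()
    return any(hmac.compare_digest(digest, known) for known in VALID_KEY_HASHES)


def authorize(url, headers):
    """Header-only policy. Returns (allowed, reason). A key presented in the
    query string is refused outright so that callers are not silently allowed
    to keep using the leaky location."""
    if key_from_query(url) is not None:
        return False, "apikey in query string is not accepted"
    key = key_from_header(headers)
    if key is None:
        return False, "missing apikey header"
    if not validate(key):
        return False, "invalid apikey"
    return True, "ok"


def key_leaks_into_log(url, key):
    """True when the raw key would be readable in the access log for this URL."""
    return key in access_log_line("GET", url, 200)


if __name__ == "__main__":
    base = "https://api.example.test/v1/accounts"
    print(key_leaks_into_log(base + "?apikey=demo-key-123", "demo-key-123"))  # True
    print(key_leaks_into_log(base, "demo-key-123"))                             # False
    print(authorize(base, {"ApiKey": "demo-key-123"}))                          # (True, 'ok')
```

The refusal of query-string keys is a design choice for the example: rejecting them, rather than falling back to the header when the parameter is absent, is what stops clients from continuing to send the key in the URL, where it lands in gateway and proxy logs, browser history and Referer headers. Log lines written by a real gateway or web server will differ from the constructed format above, but they share the property the example shows: the request line is recorded, arbitrary request headers are not.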