Beginner: Isn’t the default Route Path Matching Behavior a Security Exposure?
- My expectation is that the security and integrity of configured services is paramount. That exposing additional upstream endpoints should require an overt configured element.
- What I’m finding is that the default Prefix-Path matching behavior appends everything after the matched path to the upstream URI.
- And so if I don’t want this behavior – deeming it a security risk to allow any trailing URI to be sent to the upstream service – then I must configure every single route with a Regex end-of-string anchor in order to force strict path matching.
This seems to me a security issue. But it has likely always been this way and I don’t see it addressed anywhere … so then I feel like I’m missing something obvious. I’m anxious to understand what I might be missing.
Understanding this has already been implemented, I would still expect to be able to control this behavior through a Configuration setting. I guess once we get CI/CD in place, then I can enforce that “rule” that all routes must included end-of-string anchor. But I still think the default should be to not expose extra unless commanded through something overt.