Can I disable using URL parameters for key-auth?
Using keys in URL in parameters is not recommended as they can be written to logs, caches, history etc.:
https://www.owasp.org/index.php/Information_exposure_through_query_strings_in_url
Disable URL parameters for key-auth
1 Like
This is something you would control from the client.
You can write a custom plugin or use serverless plugin to strip out the key from querystring (if present) while the request is proxied via Kong.
Yes, if I control the client then I can use headers rather than the query string.
If I don’t control the client then I would like to prevent the client from doing things that are not recommended from a security point of view.
Have you considered using the request-transformer plugin to remove the API key from the query string?