DEV Community

Cover image for Explain Aws API Gateway vulnerabilities Like I'm Five
Muhammad Shakeel
Muhammad Shakeel

Posted on

Explain Aws API Gateway vulnerabilities Like I'm Five

I have used API gateway to build business logic for my app that invokes lambda function. For security assurance, I have generated a VAT report of the base URL of API from my cyber security expert. A total of 9 Vulnerabilities have been detected including Four Medium, three low-level, and two informational-level vulnerabilities have been identified.

  1. (CSP) Wild Card Directive
  2. Content Security Policy (CSP) Header Not Set
  3. Cross-Domain Misconfiguration
  4. Missing Anti-clickjacking Header
  5. Server Leaks Information via “X-Powered-By” HTTP Response Header Field(s)
  6. Timestamp Disclosure – Unix
  7. X-Content-Type-Options Header Missing
  8. Charset Mismatch
  9. Re-examine Cache Directives

how can remove these all Vulnerability ? is there a need to set or define custom headers? ( if yes then where and how I can do that, either be in API Gateway console or lambda script or in my client or app side code where this API Gateway base URL is invoking ) ?

Top comments (1)

Collapse
 
shakeel0581 profile image
Muhammad Shakeel • Edited

Hi !
So I found some solution from aws repost.

It depends on your requirements and whether you expect the headers to be sent as part of the client request or need to add the headers before the request hits the API Gateway.

If you need to block client requests if some headers are missing, you can associate a WAF ACL with the API Gateway and define rules to block requests without mandatory headers

Look at these two for guidance

docs.aws.amazon.com/apigateway/lat...

aws.amazon.com/premiumsupport/know...

If the requirement is that the headers need to be added to the request before the request reaches the API Gateway even if the client did not send the headers, you can do so using Lambda@Edge with a Cloudfront distribution in front of your API Gateway.

Look at these for guidance

aws.amazon.com/blogs/networking-an... (this example shows response headers but you can use similar concepts to the request headers with some changes)

docs.amazonaws.cn/en_us/AmazonClou...

Some examples of Lambda@Edge functions - docs.aws.amazon.com/AmazonCloudFro...