Management : Option to disallow the api-key in query params #2446

Gwalchmei opened this issue Jul 9, 2019 · 2 comments · Fixed by gravitee-io/gravitee-gateway#440



commented Jul 9, 2019

As an administrator, I don't want my clients to pass their API keys in the query params ?api-key but only in the HTTP header.

Expected Behavior

Add a parameter in the global settings to allow/disallow keys in query params. If the ?api-key is not allowed, the gateway could return a 400 Bad Request.

Steps to Reproduce (for bugs)

  1. Create an API with a plan secured with ApiKey
  2. Subscribe to the plan and retrieve the key
  3. Hit the API with the key passed in the query params


The keys in the query params are always readable but the HTTP headers are encrypted when sent over SSL.
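
The behaviour requested above, sketched as an added example (not part of the original issue and not code from the Gravitee gateway): a check that returns 400 whenever `api-key` appears in the query string and that is disallowed, plus a helper that keeps the rejected key out of the access log. The header name `X-Gravitee-Api-Key`, the 401 for a missing key, the function names and the sample key values are assumptions made for this illustration.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

QUERY_PARAM = "api-key"          # query parameter named in the issue
HEADER = "x-gravitee-api-key"    # assumed header name, compared in lowercase


def _query_pairs(url):
    # parse_qsl percent-decodes names, so "api%2Dkey=..." is seen as "api-key".
    return parse_qsl(urlsplit(url).query, keep_blank_values=True)


def check_api_key(url, headers, allow_query_param=False):
    """Return (status, api_key) for one request.

    400: key sent in the query string while that is disallowed.
    401: no key at all (assumed status, not stated in the issue).
    200: key accepted from the header, or from the query when allowed.
    """
    query_keys = [v for k, v in _query_pairs(url) if k == QUERY_PARAM]
    header_key = next(
        (v for k, v in headers.items() if k.lower() == HEADER), None
    )
    if query_keys and not allow_query_param:
        # Reject even when a header key is also present: the client has
        # already placed the secret in the URL and should be told to stop.
        return 400, None
    key = header_key or (query_keys[0] if query_keys else None)
    return (200, key) if key else (401, None)


def redact_url(url):
    """Return the URL with the api-key value masked, for logging a rejection."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k == QUERY_PARAM else v)
             for k, v in _query_pairs(url)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    # Constructed sample requests; "abc123" is a made-up key.
    for url, hdrs in [
        ("/echo?api-key=abc123&page=2", {}),
        ("/echo?page=2", {"X-Gravitee-Api-Key": "abc123"}),
    ]:
        status, _ = check_api_key(url, hdrs)
        print(status, redact_url(url))
```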



commented Jul 17, 2019

Hi @Gwalchmei, you can already do it by defining an empty configuration:


I keep this issue open as we should do something, at least document it.



commented Aug 7, 2019

This issue has been automatically closed because there has been no response to our request for more information from the original author. With only the information that is currently in the issue, we don't have enough information to take action. Please reach out if you have or find the answers we need so that we can investigate further.

API Management
Awaiting triage