1 Answer
You haven't mentioned which type of API Gateway you're using (REST or HTTP).
If using a REST API Gateway you can validate the request including the headers. So to prevent request smuggling you could block requests that have a header where "Transfer-Encoding" is "chunked".
We also encountered the same issue during a security assessment. It appears that the AWS API gateway inherently drops the Transfer-Encoding header. Consequently, we were unable to implement request validation as suggested or enable WAF on the API gateway and add a rule to block requests with "Transfer-Encoding" set to "chunked". We were unable to find any references indicating that API gateways inherently drop the Transfer-Encoding header.
That's covered on this page in the documentation.