1 回答
- 最新
- 投票最多
- 评论最多
0
You haven't mentioned which type of API Gateway you're using (REST or HTTP).
If using a REST API Gateway you can validate the request including the headers. So to prevent request smuggling you could block requests that have a header where "Transfer-Encoding" is "chunked".
相关内容
- AWS 官方已更新 2 年前
- AWS 官方已更新 1 年前
- AWS 官方已更新 2 年前
We also encountered the same issue during a security assessment. It appears that the AWS API gateway inherently drops the Transfer-Encoding header. Consequently, we were unable to implement request validation as suggested or enable WAF on the API gateway and add a rule to block requests with "Transfer-Encoding" set to "chunked". We were unable to find any references indicating that API gateways inherently drop the Transfer-Encoding header.
That's covered on this page in the documentation.