2

I am setting up an NGINX reverse proxy, which sits in front of an API. I would like to use:

proxy_set_header X-Secret-Key ${SECRET_VALUE};

to add a token to the request, which is then read by the API. ${SECRET_VALUE} is pulled from a secrets vault and injected into the conf file at runtime. For the purposes of this question, we can assume the secrets vault is secure. We can also assume that the API does not do anything silly, like add X-Secret-Key to the response headers, and that the connection between the reverse proxy and the API is secure.

My question: is there any way that an attacker can view request headers added by the proxy in this way? Or are they only visible to the proxy itself and the API?

Many thanks.

Glorfindel
Lachy

3 Answers

1

... an attacker ...

There is no generic attacker and there is no generic attack target. If you mean an attacker in front of the proxy then they will not be able to access the API key provided "that the API does not do anything silly".

If the attacker can compromise the proxy, though, or can use an information leak in the proxy with access to the key, then the attacker can get access to the key. Whether it is possible to compromise the proxy, or whether there is a key-leaking information leak, is unknown just based on your description.

Also, if the attacker is between proxy and API they might be able to get access to the API key too, depending on how well the connection between proxy and API is protected against MITM attacks.

Steffen Ullrich
1

If https is used, then the connection is over SSL/TLS. In that case, SSL/TLS provides authenticity, integrity, and confidentiality for all request headers and response headers, just as it does for the request bodies and response bodies. Only the endpoints of the SSL/TLS connection can see the plaintext of these; and (for all intents and purposes) these are secure against eavesdropping and tampering by a MITM attacker.

mti2935
  • Thanks for the reply. In this case, I don't want even legitimate users to be able to see the secret: it is authenticating the proxy with the API. Authentication of users is happening elsewhere. – Lachy Mar 22 '21 at 15:30
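
The answers above make the secrecy of the header depend on how well the proxy-to-API hop resists MITM. The following configuration is an added example, not taken from any of the posts: it shows the weak form (commented out) beside a hardened one. Hostnames, certificate paths and the upstream name are placeholders.

```nginx
# Added example; every hostname and file path below is a placeholder.
server {
    listen 443 ssl;
    server_name proxy.example.com;
    ssl_certificate     /etc/nginx/tls/proxy.crt;
    ssl_certificate_key /etc/nginx/tls/proxy.key;

    # Weak: "https://" in proxy_pass encrypts the hop, but nginx does not
    # verify the upstream certificate by default (proxy_ssl_verify off), so
    # a host sitting between proxy and API could terminate TLS itself and
    # read X-Secret-Key.
    #
    # location /api/ {
    #     proxy_pass https://api.internal.example;
    #     proxy_set_header X-Secret-Key ${SECRET_VALUE};
    # }

    location /api/ {
        proxy_pass https://api.internal.example;

        # Authenticate the API before the secret is sent to it.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
        proxy_ssl_server_name         on;                    # send SNI
        proxy_ssl_name                api.internal.example;  # name checked in the cert
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # proxy_set_header overwrites any X-Secret-Key supplied by the client,
        # so the API only ever sees the proxy's value.
        proxy_set_header X-Secret-Key ${SECRET_VALUE};

        # Defence in depth: strip the header from responses in case the API
        # ever echoes it back.
        proxy_hide_header X-Secret-Key;
    }
}
```

Because the rendered conf file contains the secret in plaintext, restrict read access to it to the account that starts nginx; `nginx -T` also prints it.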
0

A server-side vulnerability in your API could allow an attacker to read the request headers. For example, an injection vulnerability allows attacker-generated code to run on the server. This could be tweaked to view the request headers. To mitigate this (and potentially other vulnerabilities), take your API through the OWASP Web Security Testing Guide. Also, address any platform-specific items on OWASP for your API.

IMO, I'd be less concerned with MITM attack techniques. This should already be mitigated since HTTPS security is so easy to deploy. Be sure you're using secure protocols and ciphers! Exploitation at this level indicates far greater issues. Not saying it doesn't happen; just saying that someone inserting themselves between your web proxy and API indicates a serious incident, more severe than simply reading HTTP request headers, as they would have access to everything.

phbits