Apigee Edge: How to change the location of user-key from query parameters (insecure) to the more secure HTTP(S) headers?

In this blog post I will explain how to change the location of the apikey from the default query parameters (insecure) to the more secure HTTP(S) headers in Apigee Edge by Google.

HTTPS (HTTP over SSL) sends all HTTP content over an SSL tunnel, so HTTP content and headers are encrypted as well.

This simple configuration must be changed immediately to avoid sending the apikey in plain text, which is a very bad idea! Also keep in mind that full URIs typically appear in all (request) log files as well.

API keys go by many names. You may see them referred to as ‘User key’, ‘API keys’, ‘app keys’, and ‘consumer keys’. All of these names are synonymous.

Apigee Edge (API Management Platform)
First of all we navigate to the “APIs > API Proxies” section on the Apigee Edge administration portal (https://enterprise.apigee.com/platform/user/). We choose the API Proxy that we want to alter and select the tab “Develop”. Select the policy “VerifyAPIKey”.

Find the following line in the XML document:

 <APIKey ref="request.queryparam.apikey"/>

and simply change it to:

 <APIKey ref="request.header.apikey"/>




Click on the save button, redeploy the API Proxy and we are done!
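Because full URIs end up in request logs, it is worth checking after the redeploy which clients still put the key in the query string, and redacting the values already logged. The script below is an added example, not part of the original post or of Apigee; the common-log-style line layout and the sample lines are constructed assumptions, and only the parameter name `apikey` comes from the policy above.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Constructed sample lines in a common-log-style layout (an assumption; adapt
# the regex to your own access-log format).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /v1/weather?city=Oslo&apikey=EXAMPLEKEY123 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /v1/weather?city=Oslo HTTP/1.1" 200 512',
    '198.51.100.4 - - [01/Jan/2024:10:00:09 +0000] "POST /v1/orders?APIKey=EXAMPLEKEY456&dry=1 HTTP/1.1" 401 87',
]

REQUEST_RE = re.compile(r'^(?P<client>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')
KEY_PARAM = "apikey"  # name read by request.queryparam.apikey; compared case-insensitively to be conservative


def redact_target(target):
    """Return (redacted_target, had_key) for one request target."""
    parts = urlsplit(target)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    had_key = any(name.lower() == KEY_PARAM for name, _ in pairs)
    cleaned = [(n, "REDACTED" if n.lower() == KEY_PARAM else v) for n, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned))), had_key


def audit(lines):
    """Redact key values and collect clients still sending the key in the URI."""
    redacted, offenders = [], set()
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            redacted.append(line)  # leave unparseable lines untouched
            continue
        new_target, had_key = redact_target(m.group("target"))
        if had_key:
            offenders.add(m.group("client"))
            # Rewrite only the request target; the rest of the line is kept as logged.
            line = line[:m.start("target")] + new_target + line[m.end("target"):]
        redacted.append(line)
    return redacted, sorted(offenders)


if __name__ == "__main__":
    clean, clients = audit(SAMPLE_LOG)
    print("\n".join(clean))
    print("clients still using the query parameter:", clients)
```

Keys that already appeared in log files should be treated as exposed and rotated once the listed clients have moved to the header.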

