Intercept calls to authenticated 3rd-party APIs, to automatically add auth keys?

Ask Question

Asked 1 year, 2 months ago

Modified 1 year, 2 months ago

Viewed 74 times

Is this a good approach to preventing the leakage of secrets?

Say I had a simple setup where Alice holds the secret to access Bob, and Charlie has basic shell access to Alice (with a different auth method). Charlie echoing "$BOB_SECRET" should fail. But when he http POST https://bob.server before the packet leaves the network card it will have additional http headers attached such that the request succeeds.

If this is a good approach, I suppose I could use mitmproxy, envoy or traefik to implement…

asked Aug 20, 2024 at 20:00

Samuel Marks

1134 bronze badges

Welcome to the community. Why did you think that this traffic cannot be inspected?

Sir Muffington
– Sir Muffington

2024-08-21 18:02:18 +00:00
Commented Aug 21, 2024 at 18:02
A -> B; B-> C. B adds a secret. A never sees it.

Samuel Marks
– Samuel Marks

2024-08-24 19:08:50 +00:00
Commented Aug 24, 2024 at 19:08
And gets no response?

Sir Muffington
– Sir Muffington

2024-08-25 11:50:42 +00:00
Commented Aug 25, 2024 at 11:50
C can send a response back to A indirectly going through B first.

Samuel Marks
– Samuel Marks

2024-08-25 20:06:32 +00:00
Commented Aug 25, 2024 at 20:06

Add a comment |

0 You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.

Stack Exchange Network

Intercept calls to authenticated 3rd-party APIs, to automatically add auth keys?

0

You must log in to answer this question.

Hot Network Questions