NHSDigital/spine-directory-service-api

SDS - API key exposed in header value

Closed this issue · 3 comments

While sending the request, we are passing the apikey in a header and its value is getting exposed.

Steps to reproduce -
Send GET: https://int.api.service.nhs.uk/spine-directory/Endpoint
Query parameters - org-code - YGMYH and service-id - e.g. urn:nhs:names:services:gp2gp:COPC_IN000001UK01
Header - apikey - myG6cYQthVUzGeA0sHcCVPp3aSSZItF3

Expected result - apikey should not be exposed
Actual result - apikey is displayed in each request.

@sonalnegivarma where is the apikey exposed?

We are passing the API key in the request headers for authentication against the SDS API endpoint.

The SDS API is authenticated with an API key only. When using Postman it is visible to us. When you integrate SDS with a product it can be passed as a secret.
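As an added example (not code from the spine-directory-service-api project or from anyone in this thread), the following builds the Endpoint lookup request described above with the key supplied as a secret from the environment, and produces a log-safe copy of the headers for bug reports. The endpoint URL, query parameters and `apikey` header name come from the issue; the `SDS_APIKEY` variable name and the sample key value are assumptions.

```python
"""Build the SDS Endpoint request with the apikey kept out of source and logs.

Added example, not part of the NHSDigital/spine-directory-service-api project.
The SDS_APIKEY environment variable name is an assumption; the key in the
test is a constructed sample value, not a real credential.
"""
import os
import urllib.parse
import urllib.request

SDS_ENDPOINT = "https://int.api.service.nhs.uk/spine-directory/Endpoint"
APIKEY_HEADER = "apikey"
# Header names whose values must never appear in logs or shared collections.
SENSITIVE_HEADERS = {APIKEY_HEADER.lower(), "authorization"}


def load_apikey(env=None, var="SDS_APIKEY"):
    """Read the key from the environment (or a supplied mapping) so it is never
    hardcoded in the client or pasted into a Postman collection."""
    env = os.environ if env is None else env
    key = env.get(var)
    if not key:
        raise RuntimeError(f"{var} is not set; refusing to send an SDS request without it")
    return key


def build_endpoint_request(org_code, service_id, apikey):
    """Prepare (but do not send) the GET /Endpoint request from the issue.
    urllib stores header names capitalised, so the key is under 'Apikey'."""
    query = urllib.parse.urlencode({"org-code": org_code, "service-id": service_id})
    return urllib.request.Request(
        f"{SDS_ENDPOINT}?{query}",
        headers={APIKEY_HEADER: apikey},
        method="GET",
    )


def redact_headers(headers):
    """Return a copy of the headers that is safe to log or attach to a report:
    any credential header is replaced by a fixed marker."""
    return {
        name: ("<redacted>" if name.lower() in SENSITIVE_HEADERS else value)
        for name, value in headers.items()
    }


if __name__ == "__main__":
    req = build_endpoint_request(
        "YGMYH", "urn:nhs:names:services:gp2gp:COPC_IN000001UK01", load_apikey()
    )
    # Only the redacted form is printed; the real key stays in the Request object.
    print(req.get_method(), req.full_url, redact_headers(req.headers))
```

Sending the request is then `urllib.request.urlopen(req)`; anything written to logs should go through `redact_headers` first.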