SDS - Exposure of API key in header value
Closed this issue · 3 comments
sonalnegivarma commented
While sending the request, we are passing the apikey in the header and its value is getting exposed.
Steps to reproduce:
1. Send GET: https://int.api.service.nhs.uk/spine-directory/Endpoint
2. Query parameters: org-code = YGMYH and service-id = e.g. urn:nhs:names:services:gp2gp:COPC_IN000001UK01
3. Header: apikey = myG6cYQthVUzGeA0sHcCVPp3aSSZItF3
Expected result: the apikey should not be exposed.
Actual result: the apikey is displayed in each request.
michael-kainos commented
@sonalnegivarma where is the apikey exposed?
sonalnegivarma commented
We are passing the API key in the request headers for authentication against the SDS API endpoint.
sonalnegivarma commented
The SDS API is authenticated with an API key only. When using Postman it is visible to us. When you integrate SDS with a product it can be passed as a secret.
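The practical point raised in the last comment is that the apikey header is a bearer credential: whoever sends the request necessarily holds the key, so the mitigation is to keep it out of source, config files and logs rather than to hide it from the sender. The following is an added example (not code from this issue, the SDS API or the NHS project) of a client that reads the key from the environment, builds the GET request described above, and redacts the header before anything is logged. The environment variable name SDS_API_KEY, the sample key and the log redaction scheme are assumptions made for this example; the endpoint URL and query parameters are the ones from the issue.

```python
import os
import urllib.parse

# Endpoint and query parameter names are the ones given in the issue.
SDS_ENDPOINT = "https://int.api.service.nhs.uk/spine-directory/Endpoint"

# Assumption for this example: the key is injected via this environment
# variable (in a real deployment this would be a secret store or vault).
API_KEY_ENV = "SDS_API_KEY"

# Headers that must never reach a log line.
SECRET_HEADERS = frozenset({"apikey", "authorization"})


def load_api_key(env=None):
    """Read the API key from the environment and fail loudly if it is absent,
    so the caller never sends an unauthenticated request by accident."""
    env = os.environ if env is None else env
    key = env.get(API_KEY_ENV)
    if not key:
        raise RuntimeError(f"{API_KEY_ENV} is not set; refusing to build request")
    return key


def build_sds_request(org_code, service_id, api_key):
    """Return the URL and headers for the SDS Endpoint lookup described in the
    issue. The request is constructed but not sent, so this runs offline."""
    query = urllib.parse.urlencode({"org-code": org_code, "service-id": service_id})
    return {
        "method": "GET",
        "url": f"{SDS_ENDPOINT}?{query}",
        # The key travels as a request header; it is visible to the sending
        # process (and to Postman) by design, which is why it must be treated
        # as a secret on the client side.
        "headers": {"apikey": api_key, "Accept": "application/fhir+json"},
    }


def redact_headers(headers):
    """Return a copy of the headers that is safe to log: secret-bearing
    header values are replaced with a fixed marker. The input is not mutated."""
    safe = {}
    for name, value in headers.items():
        safe[name] = "[REDACTED]" if name.lower() in SECRET_HEADERS else value
    return safe


if __name__ == "__main__":
    # Constructed sample key for demonstration only; never hard-code a real key.
    demo_env = {API_KEY_ENV: "EXAMPLEKEY0123456789"}
    req = build_sds_request(
        "YGMYH", "urn:nhs:names:services:gp2gp:COPC_IN000001UK01", load_api_key(demo_env)
    )
    print(req["method"], req["url"])
    print("headers (log-safe):", redact_headers(req["headers"]))
```

The request dictionary can be handed to any HTTP client; what matters is that the key only ever enters the process from the environment (or a secret manager) and that every log or error path goes through redact_headers rather than dumping the raw headers.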