Able to get data while putting the api key concatenated with some letters

While testing I noticed that it is possible to add 3 letters for the “API-KEY” http header
and pass several requests at the same time.
→ expected result: allow only API-key value
how to fix this issue ?

Hi @houaida_youssef and welcome to the community.

To fix the issue, you have to set the hash_key_function in your gateway config file to any of the possible values: murmur64, murmur128, sha256. Be aware that the higher the hashing algorithm, the slower the performance.

Also, set the hash_key_function_fallback value to be an array with an empty string as the only element.

In summary:

"hash_key_function": "murmur64",
"hash_key_function_fallback": [""]

Hope this helps.

I added hash_key_function and hash_key_function_fallback under tyk.conf Unfortunately that didn’t work
knowing that tyk version is 3.1.2

Did you restart the gateway, delete and recreate the API-Key?

The key still uses the default hash and including the fallback function just helps to not break existing keys.

Thanks a lot :slight_smile: it works fine