While testing, I noticed that it is possible to add 3 letters for the “API-KEY” HTTP header
and pass several requests at the same time.
→ expected result: allow only API-key value
How can I fix this issue?
Hi @houaida_youssef and welcome to the community.
To fix the issue, you have to set the hash_key_function in your gateway config file to any of the possible values: murmur64, murmur128, sha256. Be aware that the higher the hashing algorithm, the slower the performance.
Also, set the hash_key_function_fallback value to be an array with an empty string as the only element.
In summary:
"hash_key_function": "murmur64",
"hash_key_function_fallback": [""]
Hope this helps.
Hello,
I added hash_key_function and hash_key_function_fallback under tyk.conf. Unfortunately, that didn’t work,
knowing that the Tyk version is 3.1.2.
Did you restart the gateway, delete and recreate the API-Key?
The key still uses the default hash and including the fallback function just helps to not break existing keys.
Thanks a lot, it works fine.
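A quick way to confirm that a gateway config file carries the two settings recommended in this thread before restarting the gateway and recreating the key. This is an added example, not code from the thread or from Tyk; the function name and the sample configs are constructed for illustration.

```python
import json

# Values the reply in this thread lists as accepted for hash_key_function.
ALLOWED_HASHES = {"murmur64", "murmur128", "sha256"}
# Fallback the reply recommends: an array with one empty string.
EXPECTED_FALLBACK = [""]


def check_hash_settings(conf_text):
    """Return findings for the two settings; an empty list means both match."""
    try:
        conf = json.loads(conf_text)
    except json.JSONDecodeError as exc:
        return [f"config is not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(conf, dict):
        return ["top level of the config must be a JSON object"]

    findings = []
    func = conf.get("hash_key_function")
    if func is None:
        findings.append("hash_key_function is not set")
    elif not isinstance(func, str) or func not in ALLOWED_HASHES:
        findings.append(
            f"hash_key_function is {func!r}, expected one of {sorted(ALLOWED_HASHES)}"
        )

    fallback = conf.get("hash_key_function_fallback")
    if fallback is None:
        findings.append("hash_key_function_fallback is not set")
    elif fallback != EXPECTED_FALLBACK:
        findings.append(
            f"hash_key_function_fallback is {fallback!r}, expected {EXPECTED_FALLBACK!r}"
        )
    return findings


# Constructed sample configs (not taken from a real gateway).
SAMPLE_BEFORE = '{"listen_port": 8080}'
SAMPLE_AFTER = (
    '{"listen_port": 8080, "hash_key_function": "murmur64", '
    '"hash_key_function_fallback": [""]}'
)

if __name__ == "__main__":
    for name, text in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(name, check_hash_settings(text) or "OK")
```

As noted above, a passing check is not enough on its own: the gateway has to be restarted and the API key deleted and recreated before the new hash applies.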