Block requests with same X-Request-Id?

Hi all!

Two questions here from my side.

  1. Does is make sense to block on API gateway requests with duplicate X-Request-Ids?

  2. If so, how do I configure this on Tyk API gateway?

Many thanks – Robin

Hi Robin,

Perhaps this can be achieved by writing a custom middleware.

Can you provide some more information ? There might be an other workaround as well on what you want to achieve.

Thanks,
Kos @ Tyk Support Team

Hi Robin,

This isn’t directly possible without some custom code, however, stopping duplicate requests if the correlation ID has been seen already is a good way to try and avoid replay attacks.

One option, without using correlation IDs and new middleware, is to use HMAC signatures, because timestamps are embedded in the signature, and you can configure a clock skew, so replay attacks are hard to perform.

Cheers,
Martin

Hi Martin and Kos,

Thanks for both your answers – the first thing I’d like to understand if what I am proposing is such an uncommon approach since it is not supported out-of-the-box by (many) API gateways… Maybe I am missing something?

My main goals are indeed replay of requests and to support request idempotency (prevent accidental submission).

While Martin’s solution does address my first requirement (replay), it does not tackle the 2nd…

Best – Robin

We’ll open this as a feature request on our GitHub repo to see it in a future version (https://github.com/TykTechnologies/tyk/issues/740)