Block requests with same X-Request-Id?


#1

Hi all!

Two questions here from my side.

  1. Does it make sense to block on API gateway requests with duplicate X-Request-Ids?

  2. If so, how do I configure this on Tyk API gateway?

Many thanks – Robin


#2

Hi Robin,

Perhaps this can be achieved by writing a custom middleware.

Can you provide some more information? There might be another workaround as well on what you want to achieve.

Thanks,
Kos @ Tyk Support Team


#3

Hi Robin,

This isn’t directly possible without some custom code, however, stopping duplicate requests if the correlation ID has been seen already is a good way to try and avoid replay attacks.

One option, without using correlation IDs and new middleware, is to use HMAC signatures, because timestamps are embedded in the signature, and you can configure a clock skew, so replay attacks are hard to perform.

Cheers,
Martin


#4

Hi Martin and Kos,

Thanks for both your answers – the first thing I’d like to understand is whether what I am proposing is such an uncommon approach, since it is not supported out-of-the-box by (many) API gateways… Maybe I am missing something?

My main goals are indeed replay of requests and to support request idempotency (prevent accidental submission).

While Martin’s solution does address my first requirement (replay), it does not tackle the 2nd…

Best – Robin


#5

We’ll open this as a feature request on our GitHub repo to see it in a future version (https://github.com/TykTechnologies/tyk/issues/740)