Block Special character in request body in TYK-gateway

Hi There,

We are trying to solve one security defects on TYK apigateway level i.e

if we request API using postman<script>alert(1)</script>

we are still getting the response for the records do we have any security configuration on TYK gateway level so that we can blacklist <script>alert(1)</script> ?

Rohit Thakur

I did it with this definition:


API call:

$ curl --globoff -X GET “http://tyk-gateway.localhost:8080/httpcodes/anything/Location=xyz
“customErrorTemplate”: “This is a custom error response template for HTTP 403 responses using JSON”,
“error”: “Requested endpoint is forbidden”

The definition:

Correct API is like this if I wants to block <script>alert(1)</script> then how should I do it in TYK community edition ?

Sorry, missed your message. Hope you managed, but in general, it’s the same.
You can check it in this doc

"url_rewrites": [{
  "path": "match/me",
  "method": "GET",
  "match_pattern": "(\w+)/(\w+)",
  "rewrite_to": "my/service?value1=$1&value2=$2"
  • match_pattern: This is the actual capture group to generate. This is a pure regex, in this case we are capturing two-word groups.