Whitelist path matching is not strict


I have this api definition
“name”: “Tyk Test API”,
“api_id”: “1234”,
“org_id”: “default”,
“definition”: {
“location”: “header”,
“key”: “version”
“use_keyless”: true,
“auth”: {
“auth_header_name”: “authorization”
“version_data”: {
“not_versioned”: true,
“versions”: {
“Default”: {
“name”: “Default”,
“expires”: “3000-01-02 15:04”,
“use_extended_paths”: true,
“extended_paths”: {
“ignored”: [],
“white_list”: [{
“path”: “header.jsp”,
“method_actions”: {
“GET”: {
“action”: “no_action”,
“code” : 200,
“data” : “”,
“headers” : {}
“black_list”: []
“proxy”: {
“listen_path”: “/sample”,
“target_url”: “http://PF71292:8080/apis”,
“strip_listen_path”: true
“enable_batch_request_support”: true

If I access http://tyk/sample/header.jsp, everything is ok and it access to http://PF71292:8080/apis/header.jsp

But if I try to access http://tyk/sample/header.jsp/aaa, it’s not blocked and the gateway try to access to http://PF71292:8080/apis/header.jsp/aaa

I thought that the matching path in whitelist was strict. Am I wrong ?


Hi @jpill,

You need to indicate where you would like to end the string with a $ symbol in your regex if you don’t want to match every URL that might contain the pattern you’ve whitelisted as a substring.

Kind regards,
Jess @ Tyk

Hi @jess,

It works ! Thanks

King regards