Authorization header is not removed before the request is sent to target system

Severity
High
Applies to
Proxy
Links
CWE-201

Why This Issue Is Important

In an Apigee proxy, the Authorization header is often used to authenticate requests from consumers. However, if this header is not removed before the request is sent to the target system, it can lead to unintended exposure of sensitive information. Passing the Authorization header along to the target system can be a trust boundary violation, as it may expose credentials or tokens that were intended only for the Apigee layer. This can result in unauthorized access or disclosure of confidential data, which is a significant security risk.

Ensuring that the Authorization header is removed before forwarding the request to the target system is crucial for maintaining data confidentiality and adhering to security best practices. This practice helps prevent the unintended sharing of sensitive information with external systems, reducing the risk of security breaches.

How This Issue Is Detected

CodeSent scans the flow to identify steps where the Authorization header is accessed.

The tool checks whether the Authorization header is removed or override in any subsequent steps before the request is forwarded to the target system.

If the Authorization header is not removed, CodeSent flags this as a potential risk.

How to Fix the Issue

To fix this issue, you should ensure that the Authorization header is removed before the request is sent to the target system.