Re: [Apiman-user] How to solve the conflict about CORS and the X-API-Key in header?

Hi Celso, The query string is encrypted with SSL/TLS. Regards, Marc On 2 October 2017 at 17:40, Celso Agra <celso.agra(a)gmail.com&gt; wrote: > Yeah! It is! My concern is because I'm passing the apiKey as a query > param. > > I don't know if requests works like this in ssl requests, but I believe > that query params can be viewed if you have a sniffer, unlike header params. > > So, I'm probably have to allow X-API-Key header in Apiman requests. Would > be possible to add this feature in a plugin or maybe in the Apiman? I'll > take a look in some classes to know how to do that. > > I'd like to know if it is a feature that will contribute with the project. > > Thanks for your answer Marc. > > Best Regards, > > Celso Agra > > > 2017-10-02 9:18 GMT-03:00 Marc Savy <marc.savy(a)redhat.com&gt;: > >> If I understand your questions correctly: by default CORS does not allow >> any custom headers to be sent in the request. This means that Apiman does >> not receive the X-API-Key header and necessarily can't figure out how to >> route the request. The same CORS restriction does not exist with query >> parameters so if you provide it with the query param you'll be okay. >> >> Perhaps a (partial) solution to some of these kinds of CORS issues is >> for Apiman to always indicate that the X-API-Key header is allowed. >> >> Regards, >> Marc >> >> On 27 September 2017 at 05:35, Celso Agra <celso.agra(a)gmail.com&gt; wrote: >> >>> Hi all, >>> >>> I got some errors with CORS plugin when I try to use my API with a >>> contract. >>> >>> So, I consume my API passing info through header, such as: >>> Authorization, Content-Type, and X-API-Key. >>> I'm talking about a javascript application. So, CORS is a problem for >>> that language. >>> >>> When I configure my contract to allow Cross-Origin, the error still >>> there, but if I put my X-API-Key, as a query parameter, the CORS works fine. >>> Does anyone could help me to understand that? >>> >>> I'm concerned to pass my contract as a query parameter. It should be on >>> Header of my Http Request. >>> Please, help me to understand if it is a behaviour of the application >>> and how can I solve this without use query param. >>> >>> Best Regards, >>> >>> -- >>> --- >>> *Celso Agra* >>> >>> _______________________________________________ >>> Apiman-user mailing list >>> Apiman-user(a)lists.jboss.org >>> https://lists.jboss.org/mailman/listinfo/apiman-user >>> >>> >> > > > -- > --- > *Celso Agra* >