A Trailing Slash Bypassed AWS API Gateway Authorization
Concrete AWS API Gateway security bypass with immediate fix, highly actionable for cloud engineers.
Security researcher Piyush Gupta demonstrated that a trailing slash on AWS HTTP API paths (e.g., /v1/accounts vs /v1/accounts/) bypassed Lambda authorizer authentication, returning 200 with full data instead of 401. The root cause: a path normalization mismatch between the route-matching and authorizer layers caused the authorizer context to be dropped, leaving userId undefined and defaulting to a system account. The fintech fixed it by switching to REST API and adding independent userId validation in every Lambda, while a Reddit comment noted HTTP API development has been on hold for years, raising concerns about future fixes.
- Validate authorizer context fields independently in every backend Lambda, and consider REST API over HTTP API for sensitive routes.
For a Solutions Architect using AWS API Gateway, this highlights a critical security gap in HTTP API's architecture that could lead to data exposure if not mitigated with defense-in-depth validation.
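The defense-in-depth validation described above, as an added example that is not code from the article or the affected fintech: a Node.js Lambda handler that fails closed when the authorizer context is missing, shown beside the defaulting pattern that caused the exposure. It assumes the authorizer context sits at event.requestContext.authorizer.lambda for an HTTP API (payload v2) and directly at event.requestContext.authorizer for a REST API, and uses a constructed in-memory accounts store.

```javascript
// Added example (not the article's or the fintech's code).
// Assumption: HTTP API payload v2 puts the Lambda authorizer context at
// requestContext.authorizer.lambda; REST API puts it at requestContext.authorizer.

// Constructed in-memory data standing in for the accounts store.
const ACCOUNTS = {
  'user-42': [{ id: 'acct-1', balance: 120.5 }],
  system: [{ id: 'acct-1', balance: 120.5 }, { id: 'acct-2', balance: 9000 }],
};

function lookupAccounts(userId) {
  return ACCOUNTS[userId] || [];
}

// Returns a non-empty userId from the authorizer context, or null if absent.
// Checks both the HTTP API and REST API context locations.
function getCallerId(event) {
  const authorizer = event?.requestContext?.authorizer;
  const ctx = authorizer?.lambda ?? authorizer;
  const userId = typeof ctx?.userId === 'string' ? ctx.userId.trim() : '';
  return userId.length > 0 ? userId : null;
}

// Pattern the article describes: a dropped context silently becomes "system",
// so the request succeeds with another principal's data.
function vulnerableHandler(event) {
  const userId = event?.requestContext?.authorizer?.lambda?.userId || 'system';
  return { statusCode: 200, body: JSON.stringify({ userId, accounts: lookupAccounts(userId) }) };
}

// Hardened: the backend validates userId itself and fails closed with 401,
// regardless of what the gateway layer did with the route.
function hardenedHandler(event) {
  const userId = getCallerId(event);
  if (userId === null) {
    return { statusCode: 401, body: JSON.stringify({ error: 'unauthorized' }) };
  }
  return { statusCode: 200, body: JSON.stringify({ userId, accounts: lookupAccounts(userId) }) };
}

// Constructed events: a normal call, and one where the gateway dropped the context.
const withContext = {
  rawPath: '/v1/accounts',
  requestContext: { authorizer: { lambda: { userId: 'user-42' } } },
};
const droppedContext = { rawPath: '/v1/accounts/', requestContext: {} };

console.log(vulnerableHandler(droppedContext).statusCode, hardenedHandler(droppedContext).statusCode);
```

The constructed droppedContext event reproduces the failure mode the article describes: the vulnerable handler answers 200 as the system account, while the hardened handler answers 401.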