Hello,
The current documentation for Eramba connecting to an (external) API gateway is currently using API keys to communicate.
Content-Type: application/json
Authorization: Basic
When looking at key security requirements based on OWASP API Security they specifically mention:
https://api.gov.au/standards/national_api_standards/api-security.html
“API keys SHOULD NOT be included in the URL or query string. API keys SHOULD be included in the HTTP header as query strings may be saved by the client or server in unencrypted format by the browser or server application”.
Could you please let me know if there is any other method to securely connect to another external API gateway through Eramba Webhook requests.
strong text
Potential Mitigation:
Implement an alternative solution (e.g. OAuth) to communicate with an external API gateway.