Hi, the security department of Tencent recently discovered that Kong's Admin component has security risks. For details, please refer to this link: https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw I read the preliminary article and think that our APISIX Admin API has the same risks.
1. The old version of the APISIX Admin API does not use authentication; it is recommended to upgrade to the new version.
2. In the new version of APISIX, many users will use the default key, so the protection is virtually useless. It is recommended that the best-practice document guide users to replace the key. If possible, APISIX nodes that provide services to the outside should turn off the Admin API, and only APISIX nodes restricted to internal access should provide the APISIX Admin API.
3. The Admin API uses HTTPS access by default, because HTTPS can effectively prevent key leakage caused by request hijacking.
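As an added example (not part of this issue), the three recommendations expressed as an APISIX `config.yaml` fragment; it assumes the 2.x layout where these settings live under the top-level `apisix:` key, and the key value, address range and certificate paths are placeholders:

```yaml
apisix:
  # Weak setting: the default key shipped in config-default.yaml is public
  # knowledge, so leaving it in place gives no real protection.
  # admin_key:
  #   - name: admin
  #     key: edd1c9f034335f136f87ad84b625c8f1   # shipped default, replace it
  #     role: admin

  # 1. Keep the Admin API authenticated with a unique, randomly generated key.
  admin_key:
    - name: admin
      key: "REPLACE-WITH-OUTPUT-OF: openssl rand -hex 32"   # placeholder
      role: admin

  # 2. Nodes that serve outside traffic should not expose the Admin API at all
  #    (set enable_admin: false there). On the internal management node keep it
  #    enabled but restrict which source addresses may reach it.
  enable_admin: true
  allow_admin:
    - 10.0.0.0/8          # placeholder: internal management range only

  # 3. Serve the Admin API over HTTPS so the key is never sent in clear text
  #    and cannot be captured by hijacking a plain HTTP request.
  https_admin: true
  admin_api_mtls:
    admin_ssl_cert: "/path/to/admin.crt"        # placeholder
    admin_ssl_cert_key: "/path/to/admin.key"    # placeholder
    admin_ssl_ca_cert: "/path/to/ca.crt"        # placeholder, for client certs
```

The public-facing data-plane nodes get the same file with `enable_admin: false`, so only the internal node answers on the admin port.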