Hi, hui, I created a PR[1] to recommend that users change `admin_key`, and to allow only 127.0.0.1 to access the admin API.

And yes, the admin API should use https by default, PRs welcome.

[1] https://github.com/apache/incubator-apisix/pull/1458

Thanks,
Ming Wen, Apache APISIX & Apache SkyWalking
Twitter: _WenMing

hui li <yo...@apache.org> wrote on Wed, Apr 15, 2020 at 5:34 PM:

> Hi, the security department of Tencent recently discovered that Kong's
> Admin component has security risks. For details, please refer to this link:
> https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw
> I read the preliminary article and think that our APISIX Admin API has the
> same risks.
>
> 1. The old version of APISIX Admin does not use authentication
> capabilities; it is recommended to upgrade to the new version.
> 2. In the new version of APISIX, many users will use the default key, and
> the protection capabilities are virtually useless. It is recommended that
> the best practice document guide users to replace the key. If possible,
> APISIX nodes that provide services to the outside need to turn off the
> Admin API capability, and only APISIX nodes that allow internal
> access should provide the APISIX Admin API.
> 3. The Admin API should use https access capability by default, because https can
> effectively prevent key leakage caused by request hijacking.
>
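The three recommendations in the thread (replace the default `admin_key`, restrict the Admin API to 127.0.0.1, disable it on externally facing nodes) can be checked against a node's `config.yaml` before deployment. The audit below is an added example, not code from the APISIX project or from either author; it takes the already-parsed `apisix:` section as a dict (the `enable_admin`, `allow_admin` and `admin_key` keys follow `config-default.yaml` of that era), and the two sample configurations are constructed. The default key value is quoted from memory of the shipped `config-default.yaml` and should be verified against your own copy.

```python
import ipaddress

# Admin key shipped in APISIX's conf/config-default.yaml around the 1.x
# releases (from memory; verify against your own config-default.yaml).
KNOWN_DEFAULT_KEYS = {"edd1c9f034335f136f87ad84b625c8f1"}

def audit_admin_config(apisix: dict) -> list:
    """Return findings for the `apisix:` section of config.yaml.

    Checks the thread's recommendations: no shipped/weak admin_key, and
    allow_admin limited to loopback. A node with enable_admin: false has
    no Admin API surface, so it yields no findings. TLS on the admin port
    was not configurable at the time of this thread, so it is not checked.
    """
    findings = []
    if not apisix.get("enable_admin", True):
        return findings
    keys = apisix.get("admin_key") or []
    if not keys:
        findings.append("no admin_key configured: Admin API is unauthenticated")
    for entry in keys:
        name, key = entry.get("name", "?"), str(entry.get("key", ""))
        if key in KNOWN_DEFAULT_KEYS:
            findings.append(f"admin_key '{name}' uses the shipped default key")
        elif len(key) < 32:
            findings.append(f"admin_key '{name}' is shorter than 32 characters")
    allow = apisix.get("allow_admin") or []
    if not allow:
        findings.append("allow_admin is empty: any client IP may reach the Admin API")
    for cidr in allow:
        # Bare IPs and CIDRs are both accepted; only loopback ranges pass.
        if not ipaddress.ip_network(cidr, strict=False).is_loopback:
            findings.append(f"allow_admin entry {cidr} is not a loopback range")
    return findings

# Constructed: the out-of-the-box shape that the thread warns about.
WEAK = {
    "enable_admin": True,
    "allow_admin": ["0.0.0.0/0"],
    "admin_key": [{"name": "admin", "key": "edd1c9f034335f136f87ad84b625c8f1", "role": "admin"}],
}

# Constructed: an internal management node. Generate the key with
# `openssl rand -hex 16` (32 hex chars); the value here is a placeholder.
HARDENED = {
    "enable_admin": True,
    "allow_admin": ["127.0.0.0/24"],
    "admin_key": [{"name": "admin", "key": "PLACEHOLDER_replace_with_32_random_hex_chars", "role": "admin"}],
}

# Constructed: a node serving external traffic, with the Admin API off.
PUBLIC_EDGE = {"enable_admin": False}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("hardened", HARDENED), ("edge", PUBLIC_EDGE)):
        print(label, audit_admin_config(cfg) or "ok")
```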