Miss-you opened a new issue #1455: bug: APISIX Admin API security risks

URL: https://github.com/apache/incubator-apisix/issues/1455

Hi, the security department of Tencent recently discovered that Kong's Admin component has security risks. For details, please refer to this link: https://mp.weixin.qq.com/s/Ttpe63H9lQe87Uk0VOyMFw

I read the preliminary article and think that our APISIX Admin API has the same risks.

1. The old version of the APISIX Admin API does not use authentication; it is recommended to upgrade to the new version.
2. In the new version of APISIX, many users will use the default key, and the protection capabilities are virtually useless. It is recommended that the best-practice document guide users to replace the key. If possible, APISIX nodes that provide services to the outside need to turn off the Admin API capability, and only APISIX nodes that allow internal access should provide the APISIX Admin API.
3. The Admin API uses HTTPS access by default, because HTTPS can effectively prevent key leakage caused by request hijacking.
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
[email protected]

With regards,
Apache Git Services
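The three recommendations in the issue (disable the Admin API on nodes that face the outside, replace the shipped default key, and only expose it over HTTPS) can be turned into a config audit. The script below is an added example written for this page; it is not APISIX code and is not from the issue author. It assumes the APISIX 1.x layout of conf/config.yaml (apisix.enable_admin, apisix.admin_key[].key, apisix.allow_admin, apisix.ssl.enable) and that the value in DEFAULT_ADMIN_KEYS is the admin key shipped in config-default.yaml of that era; check both against your release. The weak and hardened configs are constructed inline as the dicts yaml.safe_load would return, so the block runs offline.

```python
"""Audit an APISIX conf/config.yaml for the Admin API risks raised in the issue.

Added example, not part of APISIX. Key names and the default key value are
assumptions based on the APISIX 1.x config-default.yaml layout.
"""
import ipaddress
import secrets

# Assumption: the admin key shipped in APISIX 1.x config-default.yaml.
# Anyone who left it in place has effectively no authentication.
DEFAULT_ADMIN_KEYS = {"edd1c9f034335f136f87ad84b625c8f1"}


def generate_admin_key() -> str:
    """Return a fresh 128-bit random key, hex encoded (32 characters)."""
    return secrets.token_hex(16)


def audit_admin_api(config: dict, node_role: str) -> list:
    """Return a list of findings for one node's parsed config.yaml.

    node_role is "edge" (the node serves external traffic) or "internal".
    An empty list means the Admin API posture matches the recommendations.
    """
    findings = []
    apisix = config.get("apisix", {})

    # APISIX enables the Admin API unless enable_admin is explicitly false.
    if not apisix.get("enable_admin", True):
        return findings  # nothing reachable, nothing further to check

    if node_role == "edge":
        findings.append("Admin API enabled on a node serving external traffic; "
                        "set apisix.enable_admin: false on edge nodes")

    keys = apisix.get("admin_key") or []
    if not keys:
        findings.append("no admin_key configured; Admin API is unauthenticated")
    for entry in keys:
        name = entry.get("name", "?")
        key = entry.get("key") or ""
        if key in DEFAULT_ADMIN_KEYS:
            findings.append(f"admin_key '{name}' is the shipped default key; replace it")
        elif len(key) < 32:
            findings.append(f"admin_key '{name}' is shorter than 32 characters")

    # allow_admin is a source-IP allowlist; missing or 0.0.0.0/0 means anyone.
    allow = apisix.get("allow_admin") or []
    if not allow:
        findings.append("allow_admin is empty; Admin API reachable from any source IP")
    for cidr in allow:
        if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            findings.append(f"allow_admin entry {cidr} permits every address")

    # In 1.x the Admin API shares the proxy listeners, so no TLS listener means
    # the X-API-KEY header travels in cleartext and can be captured in transit.
    if not apisix.get("ssl", {}).get("enable", False):
        findings.append("ssl.enable is false; admin key is sent in cleartext")

    return findings


# Constructed sample: what a copied-in default config looks like on an edge node.
WEAK_EDGE_CONFIG = {
    "apisix": {
        "node_listen": 9080,
        "enable_admin": True,
        "admin_key": [{"name": "admin", "key": "edd1c9f034335f136f87ad84b625c8f1", "role": "admin"}],
        "allow_admin": ["0.0.0.0/0"],
        "ssl": {"enable": False},
    }
}

# Constructed sample: edge node with the Admin API switched off entirely.
HARDENED_EDGE_CONFIG = {"apisix": {"node_listen": 9080, "enable_admin": False}}

# Constructed sample: internal management node with a fresh key, an internal
# allowlist, and TLS enabled.
HARDENED_INTERNAL_CONFIG = {
    "apisix": {
        "node_listen": 9080,
        "enable_admin": True,
        "admin_key": [{"name": "admin", "key": generate_admin_key(), "role": "admin"}],
        "allow_admin": ["10.0.0.0/8"],
        "ssl": {"enable": True, "listen_port": 9443},
    }
}


if __name__ == "__main__":
    for label, cfg, role in [("weak edge", WEAK_EDGE_CONFIG, "edge"),
                             ("hardened edge", HARDENED_EDGE_CONFIG, "edge"),
                             ("hardened internal", HARDENED_INTERNAL_CONFIG, "internal")]:
        print(label, audit_admin_api(cfg, role) or "OK")
```

In real use, replace the inline dicts with `yaml.safe_load(open("conf/config.yaml"))` and run the audit against every node, passing "edge" for nodes that terminate external traffic. A node that should never expose the Admin API gets `enable_admin: false`; the management node gets a key from `generate_admin_key()`, an `allow_admin` list restricted to the operators' network, and the TLS listener enabled.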
