fekitibi opened a new issue, #12533: URL: https://github.com/apache/apisix/issues/12533
### Description

## Description

This topic was brought up in issue #12484.

Currently, Apache APISIX does not validate the strength of admin keys defined in `conf/config.yaml`. This means weak keys (e.g. `1234`, `admin`, or very short values) can be configured without warning, which poses a security risk if the Admin API is exposed.

## Motivation

- Improve security by ensuring admin keys are not trivially guessable.
- Provide clear feedback to users if their configured key does not meet minimum requirements.
- Align with best practices for protecting administrative interfaces.

## Proposal

- Add validation logic during initialization of admin keys.
- Define simple rules (for example):
  - Minimum length (e.g. 8 or 12 characters).
  - Disallow common weak values (e.g. `1234`, `password`, `admin`).
- If a key does not meet requirements:
  - Log a warning (or error).
  - Optionally fail to start APISIX until corrected.

## Documentation

- Document the validation rules in the Admin API / configuration section.
- Provide examples of strong keys and explicitly warn against weak values.

--
This is an automated message from the Apache Git Service.
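The following is an added example sketching the check the proposal describes, written in Lua because that is the language APISIX itself is written in. It is not code from the issue or from the APISIX project. The rule thresholds, the deny list, the function names `check_admin_key` and `validate_admin_keys`, and the `strict` flag are all assumptions; the only thing taken from APISIX is the shape of the `deployment.admin.admin_key` list in `config.yaml` (entries with `name`, `key` and `role`). A real integration would call this from startup with the decoded config and log through `ngx.log` instead of `io.stderr`.

```lua
-- Added example, not APISIX project code. Admin key strength check of the
-- kind proposed in the issue: minimum length, deny list of common weak values,
-- and a warn-or-fail policy. All thresholds and names here are assumptions.

local MIN_LENGTH = 12  -- assumed threshold; the issue suggests 8 or 12

-- Constructed deny list of common weak values. The last entry is the example
-- admin key printed in APISIX's documentation; treating it as weak is this
-- example's assumption, since anything copied from docs is effectively public.
local WEAK_VALUES = {
  ["1234"] = true, ["12345678"] = true, ["password"] = true,
  ["admin"] = true, ["apisix"] = true, ["secret"] = true,
  ["edd1c9f034335f136f87ad84b625c8f1"] = true,
}

-- Returns true when the key is acceptable, otherwise false and a reason.
local function check_admin_key(key)
  if type(key) ~= "string" or key == "" then
    return false, "key is empty or not a string"
  end
  if WEAK_VALUES[key:lower()] then
    return false, "key is on the common weak value list"
  end
  if #key < MIN_LENGTH then  -- byte length, fine for the ASCII keys in practice
    return false, string.format("key is %d characters, minimum is %d", #key, MIN_LENGTH)
  end
  -- Require at least two character classes so "aaaaaaaaaaaa" does not pass
  -- on length alone (assumed rule, not from the issue).
  local classes = 0
  for _, pat in ipairs({ "%l", "%u", "%d", "[^%w]" }) do
    if key:find(pat) then classes = classes + 1 end
  end
  if classes < 2 then
    return false, "key uses a single character class"
  end
  return true
end

-- Validates every entry of deployment.admin.admin_key (config.yaml already
-- decoded into a Lua table). `strict` mirrors the "optionally fail to start"
-- option: when true, any weak key makes validation fail; otherwise it only warns.
-- Returns ok (boolean) and the list of problem descriptions.
local function validate_admin_keys(admin_keys, strict)
  local problems = {}
  for i, entry in ipairs(admin_keys or {}) do
    local ok, reason = check_admin_key(entry.key)
    if not ok then
      problems[#problems + 1] = string.format(
        "admin_key[%d] (name=%s, role=%s): %s",
        i, tostring(entry.name), tostring(entry.role), reason)
    end
  end
  for _, p in ipairs(problems) do
    -- In APISIX this would be ngx.log(strict and ngx.ERR or ngx.WARN, p).
    io.stderr:write((strict and "ERROR: " or "WARN: ") .. p .. "\n")
  end
  return (#problems == 0) or not strict, problems
end

-- Constructed sample mirroring the deployment.admin.admin_key layout.
-- Three of the four keys are expected to be rejected.
local sample = {
  { name = "admin",  key = "1234",                             role = "admin"  },
  { name = "viewer", key = "short",                            role = "viewer" },
  { name = "ops",    key = "edd1c9f034335f136f87ad84b625c8f1", role = "admin"  },
  { name = "ci",     key = "Zq7#pL2vX9bT4wNe8kRs",             role = "admin"  },
}

local ok, problems = validate_admin_keys(sample, true)
if ok then
  print("admin keys OK")
else
  print("admin key validation failed: " .. #problems .. " problem(s)")
end
```

The deny-list lookup runs before the length check on purpose: a long but well-known value (a documented example key, a value lifted from a tutorial) is no better than a short one, so it must not be rescued by its length. Running the block with `strict = false` reports the same three problems but returns `true`, which is the "log a warning and keep starting" variant the issue describes.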