While invoking an endpoint which is not configured in APIG and supplying an Authorization header (JWT token), the APIG responds with
{
"message": "Authorization header requires 'Credential' parameter. Authorization header requires 'Signature' parameter. Authorization header requires 'SignedHeaders' parameter. Authorization header requires existence of either a 'X-Amz-Date' or a 'Date' header. Authorization=eyJraWQiOiJQK0"
}
Any reasons for validating auth before the endpoint path? I believe invoking any non-existent endpoint should result in a 404, but that's not the case apparently. Even if it validates the auth token first, it should not respond with this, because I am passing it a perfectly valid and active JWT token.
Any ideas on why this is configured this way?
AWS API Gateway responds with a 403 error even for non-existent resources, as stated here and here.
I suspect this is for security reasons: providing a 404 response would implicitly reveal the API structure.
Ideally, this prevents an attacker from brute-forcing the API structure by searching for paths that return a 404 instead of a 403.
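As an added illustration of the answer's point (this is not code from the question, the answer, or AWS), the toy model below contrasts two hypothetical gateways: one that routes first and returns 404 for unknown paths, and one that evaluates the Authorization header first and returns 403 for anything rejected, unknown paths included. The header check only reproduces the syntactic requirements listed in the error message quoted in the question (the `Credential`, `Signature` and `SignedHeaders` parameters and an `X-Amz-Date` or `Date` header); it verifies no signature. `ROUTES`, the two `gateway_*` functions and `enumerate_routes` are constructed assumptions for the demonstration, not API Gateway's implementation.

```python
"""Toy model of why a uniform 403 hides the route table from a probing client.

Constructed example; nothing here is API Gateway code.
"""

# Parameters the quoted error message says a SigV4 Authorization header needs.
REQUIRED_SIGV4_PARAMS = ("Credential", "Signature", "SignedHeaders")

# Constructed route table for the hypothetical API.
ROUTES = {"/users", "/orders"}


def sigv4_header_problems(headers: dict) -> list:
    """Return the problems a SigV4-style parser would report for the request.

    Mirrors only the syntactic checks named in the error message from the
    question: three required parameters plus a date header. An empty list
    means the header is SigV4-shaped; no signature is actually verified.
    """
    auth = headers.get("Authorization", "")
    problems = []
    for param in REQUIRED_SIGV4_PARAMS:
        if f"{param}=" not in auth:
            problems.append(f"Authorization header requires '{param}' parameter.")
    if "X-Amz-Date" not in headers and "Date" not in headers:
        problems.append(
            "Authorization header requires existence of either a "
            "'X-Amz-Date' or a 'Date' header."
        )
    return problems


def gateway_leaky(path: str, headers: dict) -> int:
    """Hypothetical gateway that matches the route before checking auth.

    Unknown paths get 404 regardless of credentials, so the status code
    itself tells a caller which paths exist.
    """
    if path not in ROUTES:
        return 404
    if sigv4_header_problems(headers):
        return 403
    return 200


def gateway_uniform(path: str, headers: dict) -> int:
    """Model of the behaviour described in the answer.

    The Authorization header is evaluated first, and an unknown path is
    rejected with the same 403 as a bad credential, so the status code
    does not distinguish "exists" from "does not exist".
    """
    if sigv4_header_problems(headers):
        return 403
    if path not in ROUTES:
        return 403
    return 200


def enumerate_routes(gateway, candidates, headers: dict) -> list:
    """Attacker's view: candidate paths whose status differs from the status
    returned for an obviously bogus path. Anything in the result is a path
    the gateway treats differently, i.e. information leaked by the status."""
    baseline = gateway("/definitely-not-a-route-9f3a", headers)
    return sorted(p for p in candidates if gateway(p, headers) != baseline)


if __name__ == "__main__":
    # Constructed request carrying a bearer-style JWT, as in the question.
    jwt_headers = {"Authorization": "eyJraWQiOiJQK0"}
    wordlist = ["/users", "/orders", "/admin", "/health"]
    for line in sigv4_header_problems(jwt_headers):
        print(line)
    print("leaky gateway reveals:  ", enumerate_routes(gateway_leaky, wordlist, jwt_headers))
    print("uniform gateway reveals:", enumerate_routes(gateway_uniform, wordlist, jwt_headers))
```

Run against the same wordlist, the leaky gateway hands back exactly the existing routes while the uniform one returns nothing, which is the brute-force scenario the answer describes. Against the uniform gateway a caller still learns that its header was rejected, but not whether the path would have matched.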