X-Api-Key

Description

General

The x-api-key detector aims at catching any secret passed in an x-api-key or similar header.

Specifications

This detector looks for values that are assigned to an x-api-key or similar (such as X-ApiKey) header or variable. The matched string must be a genuine secret, so common placeholder values such as abcde or test are banned (see the banlist hereunder).

Finally, the matched value must be a high entropy string, that is to say it must:

  • Follow this regular expression: [a-zA-Z0-9_.+/~$-][a-zA-Z0-9_.+/~$=!%:-]{10,1022}[a-zA-Z0-9_.+/=~$!%-]
  • Have a Shannon entropy of at least 3
  • Pass the post validation steps (see hereunder)

Revoke the secret

This detector catches generic secrets, hence GitGuardian cannot infer the concerned service. To properly revoke the secret:

  1. Understand what service is impacted.
  2. Refer to the corresponding documentation to know how to revoke and rotate the secret.

Examples

Examples that WILL be caught

- text: |
    x-api-key = hj65_klhz/trlupok76
  apikey: hj65_klhz/trlupok76

- text: |
    headers("x-api-key", "d1Hb1fb497XGT75989e")
  apikey: d1Hb1fb497XGT75989e

- text: |
    X-ApiKey = jp1RP1c5WNtbjtcOe3IvXWKD
  apikey: jp1RP1c5WNtbjtcOe3IvXWKD

Examples that WILL NOT be caught

  • The string is too short:
    - text: |
        x-api-key = hj65_kl
  • The entropy of the string is not high enough:
    - text: |
        x-api-key = xob1xob1xob1xob1xob1xob1xob1
    - text: |
        x-api-key = test_hj65_klhz/trlupok76

Details for X-Api-Key

  • High Recall: False

  • Validity Check: False

  • Minimum Number of Matches: 1

  • Occurrences found for one million commits: 144

  • Prefixed: False

  • PreValidators:
    Here is a list of the validation steps the document must pass before being analyzed.

    - type: FilenameBanlistPreValidator
      include_default_banlist_extensions: true
      ban_markup: true
      banlist_filenames:
        - hash
        - list/k\.txt$
        - list/plex\.txt$
        - \.csproj$
        - tg/mtproto\.json
        - \/distinfo$
    - type: ContentWhitelistPreValidator
      patterns:
        - x[_-]?api[_-]?key
  • PostValidators:
    Here is a list of the validation steps the matched string must pass after being caught.
    post_validators:
      - type: MinimumDigitsPostValidator
        digits: 1
      - type: EntropyPostValidator
        entropy: 3
      - type: PerplexityPostValidator
        perplexity: 20
      - type: CommonHighEntropyBanlistPostValidator
      - type: DictFilterPostValidator
      - type: ValueBanlistPostValidator
        patterns:
          - '12345'
          - '4321'
          - abcd
          - test
          - \.get
          - get[_.-]
          - fake
          - example
          # Unix paths
          - ^~/
          - (?-i:^\$HOME/)
          - http
          - api
          - token
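The following script is an added example, not GitGuardian's own code, that reproduces the reportable part of the pipeline described in the Specifications section and in the validator configuration above: the content whitelist pre-validator, the value regular expression, the minimum-digit check, the Shannon entropy threshold of 3, and the value banlist. The assignment-capturing regular expression (ASSIGN_RE) is my own assumption, since the page only publishes the header-name pattern; the perplexity, common-high-entropy and dictionary post validators are not reproduced because they need word lists and a language model the page does not include. The sample document is constructed from the page's own caught and not-caught examples.

```python
import math
import re

# Value shape from the Specifications section: one lead character, 10 to 1022
# middle characters, one trailing character.
VALUE_RE = re.compile(
    r"[a-zA-Z0-9_.+/~$-][a-zA-Z0-9_.+/~$=!%:-]{10,1022}[a-zA-Z0-9_.+/=~$!%-]"
)

# ContentWhitelistPreValidator pattern from the page: a document that never
# mentions such a header name is not analysed at all.
HEADER_RE = re.compile(r"x[_-]?api[_-]?key", re.IGNORECASE)

# ASSUMPTION: how the header name and its value are joined is not documented on
# the page; this covers "key = value", "key: value" and headers("key", "value").
ASSIGN_RE = re.compile(
    r"""x[_-]?api[_-]?key["']?\s*(?:[=:]|["']?\s*,)\s*["']?([^\s"'),;]+)""",
    re.IGNORECASE,
)

# ValueBanlistPostValidator patterns copied from the page, searched case-insensitively
# (the (?-i:...) group keeps the $HOME/ pattern case-sensitive, as on the page).
VALUE_BANLIST = [re.compile(p, re.IGNORECASE) for p in (
    r"12345", r"4321", r"abcd", r"test", r"\.get", r"get[_.-]", r"fake", r"example",
    r"^~/", r"(?-i:^\$HOME/)", r"http", r"api", r"token",
)]

MIN_ENTROPY = 3.0  # EntropyPostValidator: entropy: 3
MIN_DIGITS = 1     # MinimumDigitsPostValidator: digits: 1


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def check_value(value: str) -> str:
    """Return 'ok' if the value would be reported, else the first failing step."""
    if not VALUE_RE.fullmatch(value):
        return "regex"        # too short, too long or a forbidden character
    if sum(ch.isdigit() for ch in value) < MIN_DIGITS:
        return "min_digits"
    if shannon_entropy(value) < MIN_ENTROPY:
        return "entropy"
    if any(p.search(value) for p in VALUE_BANLIST):
        return "banlist"
    # Perplexity, common-high-entropy and dictionary filters are not reproduced here.
    return "ok"


def find_api_keys(text: str) -> list:
    """Return (value, verdict) for every x-api-key style assignment in text."""
    if not HEADER_RE.search(text):  # pre-validator: skip documents without the header name
        return []
    return [(m.group(1), check_value(m.group(1))) for m in ASSIGN_RE.finditer(text)]


# Constructed sample document built from the page's caught / not-caught examples.
SAMPLE = """\
x-api-key = hj65_klhz/trlupok76
headers("x-api-key", "d1Hb1fb497XGT75989e")
X-ApiKey = jp1RP1c5WNtbjtcOe3IvXWKD
x-api-key = hj65_kl
x-api-key = xob1xob1xob1xob1xob1xob1xob1
x-api-key = test_hj65_klhz/trlupok76
"""

if __name__ == "__main__":
    for value, verdict in find_api_keys(SAMPLE):
        print(f"{verdict:<10} entropy={shannon_entropy(value):.2f}  {value}")
```

Running the script reports the three caught examples as ok and explains why each of the not-caught ones fails: hj65_kl is rejected by the regular expression (fewer than 12 characters), the xob1 repetition has an entropy of exactly 2.0 bits, and the test_ prefixed value has high entropy (about 3.97 bits) but is dropped by the banlist, which is the step that actually removes it even though the page lists it under the entropy heading.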