🚨 CVE-2026-39998: Luka w Apache APISIX pozwala na fałszowanie tożsamości
Wykryto lukę w bramce API Apache APISIX z oceną CVSS 8.8. Błąd w wersjach do 3.16.0 może pozwolić na ominięcie uwierzytelniania poprzez manipulację nagłówkami. Zalecana jest natychmiastowa aktualizacja.
→ https://cyberowi.pl/cve-2026-39998-luka-w-apache-apisix-pozwala-na-faszowanie/
🚨 Krytyczna luka w Apache APISIX (CVE-2026-44087) pozwala ominąć logowanie
Luka z oceną 9.1 w skali CVSS w popularnym API gateway Apache APISIX umożliwia fałszowanie tożsamości. Dotyczy to wersji od 2.3 do 3.16.0. Rekomendujemy pilną aktualizację.
→ https://cyberowi.pl/krytyczna-luka-w-apache-apisix-cve-2026-44087-pozwala/
#DRY is an important principle in software development. This post will show you how to apply it to #ApacheAPISIX configuration.
DRY is an important principle in software development. This post will show you how to apply it to Apache APISIX configuration. The DRY principle 'Don’t repeat yourself' (DRY) is a principle of software development aimed at reducing repetition of information which is likely to change, replacing it with abstractions that are less likely to change, or using data normalization which avoids redundancy in the first place. — https://en.wikipedia.org/wiki/Don%27t_repeat_yourself[Wiki
When I introduce #ApacheAPISIX in my talks, I mention the massive number of existing plugins, and that each of them implements a specific feature. One of the key features of Apache APISIX is its flexibility. If a feature is missing, you can create your own #plugin, showcasing the platform’s adaptability to your specific needs. In this post, I aim to provide practical alternatives to writing a custom plugin, offering solutions you can quickly implement in your projects.
When I introduce Apache APISIX in my talks, I mention the massive number of existing plugins, and that each of them implements a specific feature. One of the key features of Apache APISIX is its flexibility. If a feature is missing, you can create your own plugin in Lua or a language compiled into Wasm, showcasing the platform’s adaptability to your specific needs. In this post, I aim to provide practical alternatives to writing a custom plugin, offering solutions you can quickly implement
Lots of service providers offer a #freetier of their service. The idea is to let you kick their service’s tires freely. If you need to go above the free tier at any point, you’ll likely stay on the service and pay. In this day and age, most services are online and accessible via an #API. Today, we will implement a free tier with #ApacheAPISIX.
Lots of service providers offer a free tier of their service. The idea is to let you kick their service’s tires freely. If you need to go above the free tier at any point, you’ll likely stay on the service and pay. In this day and age, most services are online and accessible via an API. Today, we will implement a free tier with Apache APISIX. A naive approach I implemented a free tier in my post Evolving your RESTful APIs, a step-by-step approach, albeit in a very naive way. I cop
#RateLimiting is an age-old #ReverseProxy feature focused on protecting against DDoS attacks. It treats all clients the same and is purely technical. In this day and age, most #API providers offer different subscription tiers; the higher the tier, the higher the rate limit, and the more you pay incidentally. It’s not technical anymore and requires to differentiate between clients.
In this post, I want to detail how to do it with #ApacheAPISIX.
In my talk Evolving your APIs, I mention that an API Gateways is a Reverse Proxy 'on steroids'. One key difference between the former and the latter is that the API Gateway is not unfriendly to business logic. The poster child is rate-limiting. Rate limiting is an age-old Reverse feature focused on protecting against DDoS attacks. It treats all clients the same and is purely technical. In this day and age, most API providers offer different subscription tiers; the higher the tier, the higher th
Today, I wrote on how to combine #PostgreSQL , #PostgREST and #ApacheAPISIX to expose a developer-friendly #RESTAPI.
I spoke at Swiss PgDay in Switzerland in late June. The talk was about how to create a no-code API with the famous PostgreSQL database, the related PostgREST, and Apache APISIX, of course. I already wrote about the idea in a previous post. However, I wanted to improve it, if only slightly. PostgREST offers a powerful SELECT mechanism. To list all entities with a column equal to a value, you need the following command: curl /products?id=eq.1 id is the columneq.1 corresponds to the WHERE cla
Last week, I described how to add a dynamic #watermark to your images on the JVM. Another alternative is to use ready-made components, namely #imgproxy and #ApacheAPISIX I already combined them to resize images on-the-fly.
Here's how to achieve it:
Last week, I described how to add a dynamic watermark to your images on the JVM. I didn’t find any library, so I had to develop the feature, or, more precisely, an embryo of a feature, by myself. Depending on your tech stack, you must search for an existing library or roll up your sleeves. For example, Rust offers such an out-of-the-box library. Worse, this approach might be impossible to implement if you don’t have access to the source image. Another alternative is to use ready-mad
Nearly at the end of my two weeks marathon across Europe. This week was @berlinbuzzwords, DevConf CZ, and JavaDay Lviv 🇺🇦
I came late at night and today, I’ll go to Lyon for Tech and Wine and conduct an #ApacheAPISIX workshop 🔨
Recently, I had to use #GitHubPages to publish my #ApacheAPISIX workshop. Travis is no longer free. #GitHubActions are a thing. I used the now nominal path and faced a few hurdles; here are my findings.
I moved my blog from WordPress to GitLab Pages in… 2016. I’m happy with the solution. However, I used GitHub Pages when I was teaching for both the courses and the exercises, e.g., Java EE. At the time, there was no GitHub Actions: I used Travis CI to build and deploy. Recently, I had to use GitHub Pages to publish my Apache APISIX workshop. Travis is no longer free. GitHub Actions are a thing. I used the now nominal path and faced a few hurdles; here are my findings. GitHu
cyberowy
Nicolas Fränkel 🇪🇺🇺🇦🇬🇪