HACKER Q&A
📣 stanleydrew

Is a self-MitM HTTPS proxy that injects API keys useful?


In the course of working on a side project, I've built a small HTTPS forward (i.e. egress) proxy to sit between my application servers and all external HTTP APIs. My proxy injects API keys into requests so that my application doesn't have to think about that.

My question is whether this is useful to anyone else or not? There are perhaps other useful things you could do with it, like add some observability features?

Thanks in advance for any feedback.


  👤 tony-allan Accepted Answer ✓
MITM is always wrong and dangerous!

I would create a separate protected API that has an additional header such as:

  Forward-To-API: database-prod
And have that service look up the URL and credentials in a secure database and create its own request to the external service. Even better, it could also be your audit log.

The Forward-To-API header would be stripped and the rest of the query would be passed through.

-- This is so obvious that it must already exist!
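A sketch of the Forward-To-API pattern described in this answer (and, by extension, of the key-injecting egress proxy the question describes), as an added example that is not code from either poster. Everything beyond the header name is assumed: the registry of upstream names, the `.invalid` base URLs, the credential values and the `Request`/`OutboundRequest` types are constructed for illustration, and the registry stands in for the "secure database" the answer mentions.

```python
"""Model of a Forward-To-API service: strip the routing header, look up the
upstream and its credential, attach the credential, and write an audit entry.

Assumptions (not from the original post): REGISTRY, the .invalid base URLs,
the credential strings and the request dataclasses are constructed here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

FORWARD_HEADER = "Forward-To-API"  # header name used in the answer above


@dataclass(frozen=True)
class Upstream:
    base_url: str      # scheme + host the caller is allowed to reach
    auth_header: str   # header the external service expects the key in
    credential: str    # secret; lives only in this service, never in the app


# Constructed registry standing in for the answer's "secure database".
REGISTRY: Dict[str, Upstream] = {
    "database-prod": Upstream("https://db.example.invalid",
                              "Authorization", "Bearer EXAMPLE-DB-KEY"),
    "billing": Upstream("https://billing.example.invalid",
                        "X-Api-Key", "EXAMPLE-BILLING-KEY"),
}


@dataclass
class Request:
    method: str
    path: str                      # path + query as received from the app
    headers: Dict[str, str]
    body: bytes = b""


@dataclass
class OutboundRequest:
    method: str
    url: str
    headers: Dict[str, str]
    body: bytes


class ForwardError(ValueError):
    """Raised when a request cannot be mapped to an allowed upstream."""


def build_outbound(req: Request,
                   registry: Dict[str, Upstream] = REGISTRY,
                   audit: Optional[List[dict]] = None) -> OutboundRequest:
    """Strip Forward-To-API, resolve the upstream, attach its credential, log."""
    lowered = {k.lower(): v for k, v in req.headers.items()}
    target = lowered.get(FORWARD_HEADER.lower())
    if target is None:
        raise ForwardError(f"missing {FORWARD_HEADER} header")
    upstream = registry.get(target)
    if upstream is None:
        # Only registered names are reachable: the app cannot name an arbitrary host.
        raise ForwardError(f"unknown upstream {target!r}")

    # Drop the routing header and any caller-supplied copy of the auth header,
    # so the application can neither see nor override the real credential.
    drop = {FORWARD_HEADER.lower(), upstream.auth_header.lower()}
    out_headers = {k: v for k, v in req.headers.items() if k.lower() not in drop}
    out_headers[upstream.auth_header] = upstream.credential

    # The app supplies only a path; scheme and host always come from the registry.
    path = "/" + req.path.lstrip("/")
    url = upstream.base_url.rstrip("/") + path

    if audit is not None:
        # The audit record says what was called, never the credential or body.
        audit.append({"target": target, "method": req.method, "path": path})
    return OutboundRequest(req.method, url, out_headers, req.body)


if __name__ == "__main__":
    log: List[dict] = []
    demo = Request("POST", "/v1/query?limit=10",
                   {"Forward-To-API": "database-prod",
                    "Content-Type": "application/json",
                    "Authorization": "Bearer app-supplied-junk"},
                   b'{"sql": "select 1"}')
    out = build_outbound(demo, audit=log)
    print(out.method, out.url)
    print(out.headers)
    print(log)
```

The two checks worth keeping in a real implementation are the allowlist (an unknown `Forward-To-API` value is refused rather than passed through, so the service cannot be pointed at hosts it was not configured for) and the removal of any caller-supplied copy of the upstream's auth header, which is what keeps the credential invisible to the application.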


👤 jonahbenton
Typical use cases for tools like this are:

- comply with egress security policies more generally

- comply with rate limits and meters for costly APIs

- monitor outgoing request payloads so nothing sensitive goes over the wire

- caching and deduping large responses

- act as the starting point for adding crawling type workloads

These tend to be pretty limited and special case, and there are lots of other ways of solving each, but sometimes an egress proxy is the thing.