02: The Gatekeeper (Authentication)

Bypassing security controls using the X-API-KEY identity header.

Secured Endpoints

Enterprise APIs protect sensitive data behind an Authentication Gateway. Unlike public endpoints, these require a specific credential in the request headers. If the key is missing or incorrect, the server will respond with a 401 Unauthorized error.

The VIP Pass Lab

Objective: Access the restricted Project Database at /api/projects. You must use the designated training key: sean-training-2025

The lab console has three panels, Request Logic (JS), Outgoing Headers and Gateway Response, which populate once a request is dispatched.

L3 Troubleshooting: "Failed to Fetch"

If the console returns a generic fetch error, you are likely hitting a CORS Pre-flight Block. X-API-KEY is not one of the headers a browser will send without asking, so the browser first sends a hidden OPTIONS request to check whether the server accepts that header; if the server's answer does not list it, the real GET is never sent and fetch rejects with a generic error.

> Press F12 to open Developer Tools.
> Click the Console tab.
> Look for: "Access to fetch at... has been blocked by CORS policy."

Governance Fix: The Principal Engineer must ensure that Nginx Proxy Manager lists X-API-KEY in the Access-Control-Allow-Headers value it returns on the pre-flight response.

Postman Challenge

Replicate the security bypass using the Postman client to see how it ignores Browser CORS policies. CORS is enforced by the browser, not by the server, so it is not an authentication control: outside a browser, the X-API-KEY value alone decides whether the gateway answers 200 or 401.

  1. Set Method to GET
  2. URL: https://ohagan.au/api/projects
  3. Navigate to the Headers tab.
  4. Key: X-API-KEY | Value: sean-training-2025
  5. Click Send and observe the 200 OK response.

Security Log Expectation
HTTP/1.1 200 OK
Status: Authorized
Origin: PostmanRuntime/7.x
Payload: [Array of Projects]