AWS HTTP API bypasses Lambda authorizer with trailing slash
A path normalization mismatch between HTTP API's route matching and its authorizer layer allows unauthenticated access when request paths include a trailing slash; the authorizer context is dropped during integration mapping.
June 5, 2026
Summary
Teams relying on Lambda authorizers as the sole authentication gate on HTTP API can leak sensitive data or enable unauthorized state changes without any change to their own code. This requires an immediate audit of path handling and backend validation logic.
Implementation verdict
Immediate action: test protected routes with and without trailing slashes; add independent userId validation in every Lambda function rather than trusting the authorizer context alone. Consider switching to REST API for security-sensitive endpoints despite the cost/performance trade-off. HTTP API development was quietly put on hold 4-5 years ago, reducing the likelihood of platform-level fixes.
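The two actions above, as an added example that is not code from the brief: a Node.js handler that fails closed when the authorizer context is missing, plus an audit helper that probes each of your own protected routes with and without a trailing slash and reports mismatches. It assumes HTTP API payload format 2.0, where a Lambda authorizer's context is found under event.requestContext.authorizer.lambda (the REST-style authorizer.userId location is checked as a fallback); the account data and the `send` function are constructed stand-ins.

```javascript
// Added example, not code from the brief. Assumption: HTTP API payload format 2.0 puts
// Lambda authorizer context under event.requestContext.authorizer.lambda; the REST-style
// event.requestContext.authorizer.userId is checked as a fallback.

// Constructed sample data standing in for the backend store.
const ACCOUNTS = [
  { id: "acct-1", ownerId: "user-a", balance: 120 },
  { id: "acct-2", ownerId: "user-b", balance: 45 },
];

// Return the authenticated user id from the authorizer context, or null if it is absent.
function getAuthorizedUserId(event) {
  const auth = event?.requestContext?.authorizer ?? {};
  const userId = auth.lambda?.userId ?? auth.userId;
  return typeof userId === "string" && userId.length > 0 ? userId : null;
}

// Handler for GET /v1/accounts: validates the user id itself instead of assuming the
// gateway enforced authentication before the integration was invoked.
function handler(event) {
  const userId = getAuthorizedUserId(event);
  if (userId === null) {
    // Context was dropped (as on the trailing-slash path): refuse rather than return data.
    return { statusCode: 401, body: JSON.stringify({ error: "unauthenticated" }) };
  }
  const accounts = ACCOUNTS.filter((a) => a.ownerId === userId);
  return { statusCode: 200, body: JSON.stringify(accounts) };
}

// Audit helper: `send(path)` returns the HTTP status the deployed API gives an
// unauthenticated request (synchronous here for simplicity). Each route is probed
// with and without a trailing slash; routes whose two answers differ are reported.
function auditTrailingSlash(send, routes) {
  const findings = [];
  for (const route of routes) {
    const bare = route.replace(/\/+$/, "");
    const withoutSlash = send(bare);
    const withSlash = send(bare + "/");
    if (withoutSlash !== withSlash) findings.push({ route: bare, withoutSlash, withSlash });
  }
  return findings;
}
```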
Sources
1. GET /v1/accounts returned 401 Unauthorized. GET /v1/accounts/ returned 200 OK with full account data
2. HTTP API does greedy path matching by default
3. The authorizer sets context.authorizer.userId on the authenticated request
4. When the trailing-slash path hit the integration, userId arrived as undefined
5. It is the newer API but development was quietly put on hold 4-5 years ago