Kong Gateway

Route Priority Misconfiguration Hijacking

warning
configuration
Updated Feb 21, 2023

Overly broad route regex patterns (for example one that matches any path starting with 'p') can hijack requests intended for other routes. Kong evaluates routes in priority order, so a catch-all pattern must be given a lower priority than every specific route it overlaps with; otherwise it silently steals that route's traffic.

How to detect:

Send the Kong-Debug: 1 request header to have Kong report which route and service handled a request. If requests unexpectedly match the wrong route, or if a high-priority route never receives traffic, check the route regex patterns and their priority ordering. Monitor the distribution of route matches for unexpected imbalances (one route absorbing traffic that several routes should share).

Recommended action:

Review route path patterns for overlapping regexes. Use Kong Manager or the Admin API to list routes sorted by priority. Ensure specific routes have a higher priority than catch-all patterns. Test with the Kong-Debug header to verify that the routing behavior matches intent. Avoid broad patterns such as /p* in production unless their priority relative to the specific routes is managed explicitly.
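The following script is an added example, not code from Kong or from this page. It models Kong's documented precedence rules offline (regex paths, written with the Kong 3.x "~" prefix, are tried before plain prefix paths; among regex paths a higher regex_priority wins; among plain paths the longest matching prefix wins) and runs a set of sample request paths against a route list such as you would get from the Admin API. The report shows which route wins each path, which other routes also matched (hijack candidates), and which routes never win anything (starved). The route names, service names and request paths are constructed for the example, and the precedence model is a simplification that should be confirmed against a live gateway with the Kong-Debug: 1 header before acting on it.

```python
"""Offline audit for Kong route hijacking caused by overly broad regex paths.

Assumption (simplified model, not Kong's own router code):
  1. regex paths (starting with '~') are tried before plain prefix paths,
  2. among regex paths, the higher regex_priority wins,
  3. among plain prefix paths, the longest matching prefix wins.
"""
import re
from dataclasses import dataclass


@dataclass
class Route:
    name: str
    paths: list
    service: str
    regex_priority: int = 0  # Kong field; only meaningful for regex paths


def path_matches(pattern: str, path: str) -> bool:
    """Kong 3.x syntax: '~' marks a regex path, anything else is a prefix."""
    if pattern.startswith("~"):
        return re.match(pattern[1:], path) is not None
    return path.startswith(pattern)


def is_regex(route: Route) -> bool:
    return any(p.startswith("~") for p in route.paths)


def select_route(routes, path):
    """Return the route the model picks for `path`, or None if nothing matches.

    Ties between regex routes with equal regex_priority are left unspecified,
    exactly the situation the audit is meant to flag.
    """
    candidates = [r for r in routes if any(path_matches(p, path) for p in r.paths)]
    if not candidates:
        return None

    def rank(r):
        if is_regex(r):
            return (1, r.regex_priority, 0)
        longest = max(len(p) for p in r.paths if path_matches(p, path))
        return (0, 0, longest)

    return max(candidates, key=rank)


def audit_routes(routes, sample_paths):
    """Per path: the winning route and every other route that also matched.

    Returns (report, starved) where `starved` lists routes that won no path.
    """
    report, winners = {}, set()
    for path in sample_paths:
        chosen = select_route(routes, path)
        shadowed = [r.name for r in routes
                    if r is not chosen and any(path_matches(p, path) for p in r.paths)]
        report[path] = {"route": chosen.name if chosen else None, "shadowed": shadowed}
        if chosen:
            winners.add(chosen.name)
    starved = sorted(r.name for r in routes if r.name not in winners)
    return report, starved


# Constructed sample configuration: a broad legacy catch-all next to specific routes.
BROKEN = [
    Route("catch-all-p", ["~/p.*"], "legacy-service"),
    Route("payments", ["/payments"], "payments-service"),
    Route("profiles", ["/profiles"], "profiles-service"),
]

# Corrected configuration: the specific routes become anchored regexes with an
# explicitly higher regex_priority than the catch-all.
FIXED = [
    Route("catch-all-p", ["~/p.*"], "legacy-service", regex_priority=0),
    Route("payments", ["~/payments(/.*)?$"], "payments-service", regex_priority=10),
    Route("profiles", ["~/profiles(/.*)?$"], "profiles-service", regex_priority=10),
]

REQUESTS = ["/payments/charge", "/profiles/42", "/ping", "/health"]  # constructed


def main():
    for label, routes in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        report, starved = audit_routes(routes, REQUESTS)
        print(f"== {label} ==")
        for path, result in report.items():
            print(f"  {path:18} -> {result['route']}  shadowed={result['shadowed']}")
        print(f"  starved routes: {starved}")


if __name__ == "__main__":
    main()
```

In the broken configuration every path beginning with "p" lands on the catch-all, so the payments and profiles routes are reported as starved; in the fixed configuration the specific routes win and the catch-all only receives the paths nobody else claims.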