How does the gateway handle calls to unmapped routes?
Since April 28, 2025, it is possible to configure your API so that the Gateway accepts only requests that exactly match the routes registered in the Manager. In other words, if a specific route is not defined, requests made to it will be blocked, and the Gateway will return a 404 error (route not found).
Previously, the Gateway accepted additional paths after the mapped route.
For example, even if the configured route was GET /checking-account, a call to /checking-account/balance would also be forwarded to the backend, with the /balance segment treated as an extraPath.
How can I enable blocking of unmapped routes in my APIs?
For new customers, this configuration is already enabled by default, so no action is required.
For customers who were already using the API Manager in previous versions (such as API Platform 4.x versions), this configuration is not enabled by default unless the customer previously requested the change. In this case, contact our support team to enable the feature.
The configuration will then be applied via:
gateway.matching.exact-path = true
Once the configuration is enabled, any request that does not have an explicitly mapped route in the Manager will automatically be rejected with a 404 error.
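Before requesting the change, it helps to know which calls currently depend on extraPath forwarding. The following is an added example, not the Gateway's own code: it models both matching modes and lists the requests that would start returning 404. The route table, the sample log entries and the function names are constructed, and it assumes literal routes only (no path parameters), with query strings and empty segments ignored when matching.

```python
# Illustrative model of the two matching modes; not the Gateway's own code.
# Assumption: literal routes only; query strings and empty segments ignored.

# Constructed route table standing in for routes registered in the Manager.
ROUTES = {("GET", "/checking-account"), ("POST", "/transfers")}

def split(path):
    """Path segments without the query string or empty segments."""
    return [s for s in path.split("?", 1)[0].split("/") if s]

def resolve(method, path, exact_path):
    """Return (decision, matched_route, extra_path) for one request."""
    segs = split(path)
    # Longest candidate first, so a full match is tried before any prefix.
    for n in range(len(segs), 0, -1):
        route = "/" + "/".join(segs[:n])
        if (method, route) in ROUTES:
            extra = "/".join(segs[n:])
            if extra and exact_path:
                break  # only a prefix is mapped: rejected in exact mode
            return ("forward", route, "/" + extra if extra else "")
    return ("reject-404", None, "")

def newly_blocked(requests):
    """Requests forwarded under prefix matching that exact matching rejects."""
    hits = []
    for method, path in requests:
        before = resolve(method, path, exact_path=False)
        after = resolve(method, path, exact_path=True)
        if before[0] == "forward" and after[0] == "reject-404":
            hits.append((method, path, before[1], before[2]))
    return hits

# Constructed access-log sample as (method, path) pairs.
SAMPLE = [
    ("GET", "/checking-account"),
    ("GET", "/checking-account/balance"),
    ("GET", "/checking-account/admin/export?format=csv"),
    ("POST", "/transfers"),
    ("GET", "/unknown"),
]

if __name__ == "__main__":
    for method, path, route, extra in newly_blocked(SAMPLE):
        print(f"{method} {path}: matched {route}, extraPath {extra}")
```

Each reported path is either a route that still needs to be registered in the Manager or one that should stay blocked.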
Why is this feature important?
This new behavior makes routing more secure and predictable, and is especially useful in scenarios with:
- Compliance requirements;
- Environments with multiple applications exposed by a single backend;
- Risks of exposing administrative or private endpoints;
- The need for stricter control over valid API paths.
Does this mean there was a vulnerability?
No.
The default behavior is similar to other market gateways, such as AWS API Gateway’s {proxy+}.
It was designed for scenarios with dynamic routes.
The new feature simply provides an additional level of control, aligned with security best practices.
Does this change affect my existing APIs?
No. The default behavior of your APIs remains the same. The new configuration will only be applied upon request and does not impact already configured routes.