From a security perspective, provide a clean separation of duties between the public SMP API and the GUI by running them on different ports (or at least the option of running them on different ports). The public SMP API webapp/port should only serve GET requests for the SMP API. No writeable APIs and no way to log in to the GUI.
I know that there are ways to use redirects for /secure to another URL that could be configured for HTTPS (though not the login page that runs in /public), but from a security perspective, I would prefer as much separation as possible between the external-facing read-only elements and the internal-facing read-write elements.
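The separation requested above, expressed as a per-listener decision function (an added example, not part of the original issue or the project's code). The port numbers, function names and sample request targets are assumptions; `/public` and `/secure` are the GUI paths the issue names.

```python
import posixpath
from urllib.parse import unquote

PUBLIC_PORT = 8080    # assumption: external, read-only SMP API listener
INTERNAL_PORT = 8443  # assumption: internal listener carrying the GUI
GUI_PREFIXES = ("/public", "/secure")  # GUI paths named in the issue


def normalise(raw_target: str) -> str:
    """Reduce a request target to one canonical path before any prefix check."""
    raw_path = raw_target.split("?", 1)[0].split("#", 1)[0]
    # Drop ";param" suffixes per segment (e.g. ;jsessionid=...), then decode once.
    path = "/".join(unquote(s.split(";", 1)[0]) for s in raw_path.split("/"))
    # Strict choice: anything still encoded or ambiguous is rejected outright.
    if "%" in path or "\\" in path or "\x00" in path:
        raise ValueError("ambiguous path")
    # Collapse "//", "." and ".." so "/x/../secure" is seen as "/secure".
    return posixpath.normpath("/" + path.lstrip("/"))


def is_gui_path(path: str) -> bool:
    lowered = path.lower()  # fail closed if matching is case-insensitive
    return any(lowered == p or lowered.startswith(p + "/") for p in GUI_PREFIXES)


def decide(local_port: int, method: str, raw_target: str) -> int:
    """Status the listener should answer with; 200 means hand to the webapp."""
    try:
        path = normalise(raw_target)
    except ValueError:
        return 400
    if local_port == INTERNAL_PORT:
        return 200  # GUI and write operations are reachable only here
    if local_port != PUBLIC_PORT:
        return 404  # unknown listener: fail closed
    if method != "GET":
        return 405  # public port is read-only
    if is_gui_path(path):
        return 404  # no login page and no GUI on the public port
    return 200


if __name__ == "__main__":
    # Constructed sample requests: (local port, method, request target).
    for req in [(8080, "GET", "/iso6523-actorid-upis%3A%3A9915%3Atest"),
                (8080, "PUT", "/iso6523-actorid-upis%3A%3A9915%3Atest"),
                (8080, "GET", "/x/%2e%2e/secure;jsessionid=1/users"),
                (8443, "POST", "/secure/users")]:
        print(req, "->", decide(*req))
```

The same decision table can be enforced at a reverse proxy or in a request filter; the point is that the path is canonicalised before the prefix check and that the public listener fails closed.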