REST API security considerations
Configuration of the REST API exposed by gui.sh must be done with security considerations in mind. This document serves as a checklist collecting the security-related information that is otherwise scattered across the documentation and the command line help.
Feature flags
Feature flags are experimental developments; they might change in the future. See gui.sh option -disable <FEATURE> and the command line help for details. The following feature flags might have an impact on the security of a server deployment. Consider disabling them:
- RAWFILES_LIST - Listing of raw file resources. This allows an API client to enumerate custom content even if the resource name is obfuscated (a long enough string composed of random characters): an unguessable name protects nothing once the list is available.
- RAWFILES_MODIFY - Allows all API clients to upload arbitrary (even malicious) data/code which is then exposed by the server. Any API client is also able to modify or erase any of the rawfile content specified by command line options.
- ASYNC_CALL_SEQUENTIAL_ID_GENERATION - Generates sequential IDs for asynchronous calls like rest/descriptors/{desc}/find-most-similars-async. Sequential ID values are easy to guess, so call details (including queries) leak easily.
- ASYNC_CALL_ID_LIST - Lists asynchronous call IDs on endpoint rest/experimental-async-calls/ids. Makes asynchronous call details (including queries) easily known to all REST API clients.
See the APIdoc of the underlying Java enum type com.chemaxon.overlap.wui.context.features.ServerFeature.
SSL (https) configuration
See gui.sh options -sslkeystore <KEYSTORE>, -sslkeystorepass <PASS> and document REST API / Web UI for similarity searches for details.
Additional static content
All content in the directory pointed to by option -additionalresourcedir <DIR> or option -webapp <LOCATION> is exposed through the REST API. When these options are used, make sure that all of the contents are intended to be exposed.
Access log
See gui.sh option -log <SPEC> on how to write an access log from the server. Consider enabling log file writing.
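The following wrapper script is an added example, not part of the Chemaxon distribution or its documentation; it ties together the points above (feature flags, SSL configuration, additional static content and access log) as pre-launch checks. It assumes that -disable <FEATURE> is repeated once per feature to disable, that gui.sh is located through the GUI_SH environment variable (default: gui.sh on PATH), and that the keystore, its password, the resource directory and the -log <SPEC> value are supplied by the caller; the file name harden-gui.sh and the paths in the usage line are placeholders.

```sh
#!/bin/sh
# Added example, not part of the Chemaxon distribution: a wrapper that
# applies the hardening points of this page before starting gui.sh.
# Assumptions not stated on the page: "-disable <FEATURE>" is repeated once
# per feature, and gui.sh is found via $GUI_SH (default: gui.sh on PATH).
set -u

# Feature flags the page recommends disabling on a server deployment.
RISKY_FEATURES="RAWFILES_LIST RAWFILES_MODIFY ASYNC_CALL_SEQUENTIAL_ID_GENERATION ASYNC_CALL_ID_LIST"

# Print "-disable F" once per risky feature, space separated on one line.
disable_args() {
    out=""
    for f in $RISKY_FEATURES; do
        out="$out${out:+ }-disable $f"
    done
    printf '%s\n' "$out"
}

# Everything under -additionalresourcedir is served to every API client, so
# refuse directories holding what is usually not meant to be public: dotfiles
# (.env, .git), key material, editor/backup copies, and symlinks (which may
# point outside the directory). Returns 0 = clean, 1 = refuse.
check_resource_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 1; }
    bad=$(find "$dir" -mindepth 1 \( -name '.*' -o -name '*.jks' -o -name '*.p12' \
        -o -name '*.pem' -o -name '*.key' -o -name '*.bak' -o -name '*~' -o -type l \))
    if [ -n "$bad" ]; then
        printf 'refusing to expose %s, suspicious entries:\n%s\n' "$dir" "$bad" >&2
        return 1
    fi
    return 0
}

# The password given with -sslkeystorepass is only as secret as the keystore
# file itself; require the file to exist and to be unreadable by group and
# others (mode ?00). Returns 0 = ok, 1 = fix permissions first.
check_keystore() {
    ks=$1
    [ -f "$ks" ] || { echo "keystore missing: $ks" >&2; return 1; }
    mode=$(stat -c '%a' "$ks" 2>/dev/null || stat -f '%Lp' "$ks")
    case "$mode" in
        *00) return 0 ;;
        *) echo "keystore $ks is mode $mode; expected group/other = 0" >&2; return 1 ;;
    esac
}

# Run the checks, then start the server with the risky flags disabled, TLS
# enabled, the vetted directory exposed and the access log turned on.
launch() {
    keystore=$1 keystore_pass=$2 resdir=$3 logspec=$4
    check_keystore "$keystore" || return 1
    check_resource_dir "$resdir" || return 1
    # word splitting of $(disable_args) is intended
    exec "${GUI_SH:-gui.sh}" $(disable_args) \
        -sslkeystore "$keystore" -sslkeystorepass "$keystore_pass" \
        -additionalresourcedir "$resdir" -log "$logspec"
}

# Usage (placeholder paths; the last argument is a -log <SPEC> as documented for gui.sh):
#   sh harden-gui.sh run /etc/overlap/server.jks "$KEYSTORE_PASS" /srv/overlap/static access.log
if [ "${1:-}" = "run" ]; then
    shift
    launch "$@"
fi
```

Note that -sslkeystorepass <PASS> places the password on the command line, where it is visible in the process list to other users of the host; the permission check on the keystore file only limits who can read the key material itself, so keep untrusted users off the server host.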
Profiling and execution statistics
Many of the command line tools support options -prof <FILE> and -stat <FILE> to collect profiling and execution statistics information. These data can be exposed by the server (using option -profres <FILE>) for further visualization. Document Profiling and execution statistics describes how to sanitize these collected files when exposed through the server.
Asynchronous task visibility
Asynchronous tasks (see Asynchronous search tasks) are visible to every REST API client without authentication/authorization: any client that knows or can guess a call ID can read that call's details, including its query. This must be taken into consideration when using the asynchronous endpoints in a production deployment.
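As an added example (not from the Chemaxon documentation), the following script checks whether the asynchronous call IDs a deployment hands out look guessable, which is what turns the unauthenticated visibility above from a risk for the submitting client into a risk from every other client. It is fed the IDs observed in a batch of responses from an asynchronous endpoint such as rest/descriptors/{desc}/find-most-similars-async; that the IDs are handed back as plain strings, the thresholds of 16 for both gap and length, and the file name async-id-check.sh are assumptions.

```sh
#!/bin/sh
# Added example, not part of the Chemaxon documentation: a crude check that
# the asynchronous call IDs a server hands out are not guessable. Feed it the
# IDs collected from a batch of async responses (one per line on stdin when
# run with the "check" argument). The endpoint paths, the ID format and the
# thresholds below are assumptions.
set -u

# Returns 0 if every ID is a decimal integer (no leading zeros expected) and
# each one lies within $2 (default 16) of the previous one, i.e. a client
# that has seen one ID can enumerate its neighbours. Returns 1 otherwise.
ids_look_sequential() {
    max_gap=${2:-16}
    prev=""
    for id in $1; do
        case "$id" in
            ''|*[!0-9]*) return 1 ;;   # non-numeric: not a plain counter
        esac
        if [ -n "$prev" ]; then
            gap=$((id - prev))
            [ "$gap" -lt 0 ] && gap=$((-gap))
            [ "$gap" -le "$max_gap" ] || return 1
        fi
        prev=$id
    done
    return 0
}

# Returns 0 if any ID is shorter than $2 (default 16) characters: too little
# room for the randomness that makes blind guessing impractical. Returns 1
# when every ID is long enough.
ids_too_short() {
    min_len=${2:-16}
    for id in $1; do
        [ ${#id} -ge "$min_len" ] || return 0
    done
    return 1
}

# Usage: sh async-id-check.sh check < observed-ids.txt
if [ "${1:-}" = "check" ]; then
    ids=$(cat)
    if ids_look_sequential "$ids" || ids_too_short "$ids"; then
        echo "WARNING: async call IDs look guessable; disable ASYNC_CALL_SEQUENTIAL_ID_GENERATION and re-check"
        exit 2
    fi
    echo "async call IDs do not look like a counter"
fi
```

Passing this check only shows that IDs are not trivially enumerable; it does not change the fact that whoever holds an ID can read the call, so the IDs themselves must be treated as secrets (kept out of shared logs and URLs that third parties can see).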