Hi,

You mean the admin REST API, right? Not the rest/http transport connector?

Regards
JB

> On 24 March 2020 at 17:46, Colm O hEigeartaigh <[email protected]> wrote:
>
> Hi all,
>
> I wanted to start a discussion on whether it might be a good idea to
> disable the REST API for the AMQ 5.16.0 distribution.
>
> It makes me a bit uneasy that this is enabled by default. It is secured
> using the same basic auth approach as the web console. The problem here is
> that the API (correctly) lacks XSRF protection. However, if the admin user
> browsed to /api and the browser then saves the creds, then it would be
> trivial to implement an XSRF style attack on the API. Instead, it's better
> to secure a REST API with a token.
>
> As it's a feature that's probably not widely used, it would be better to
> disable it by default IMO.
>
> Thoughts?
>
> Colm.
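
The concern in the quoted message, as an added sketch that is not part of the thread and not ActiveMQ code: a server-side view of why credentials the browser attaches by itself cannot tell a forged cross-site request from the admin's own, while an explicitly supplied token can. The credentials, token, origins and function names are constructed for illustration, and header lookup is simplified to exact-case keys.

```python
import base64
import hmac

# Constructed sample values for illustration; not real credentials.
ADMIN_USER, ADMIN_PASS = b"admin", b"example-password"
API_TOKEN = b"constructed-token-0123456789abcdef"


def _auth(headers):
    """Split the Authorization header into (lowercased scheme, value)."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    return scheme.lower(), value.strip()


def basic_auth_ok(headers):
    """Basic auth policy: any request carrying the right credentials passes."""
    scheme, value = _auth(headers)
    if scheme != "basic":
        return False
    try:
        user, _, password = base64.b64decode(value, validate=True).partition(b":")
    except ValueError:  # malformed base64
        return False
    return hmac.compare_digest(user, ADMIN_USER) & hmac.compare_digest(password, ADMIN_PASS)


def token_auth_ok(headers):
    """Token policy: only an explicitly supplied bearer token passes."""
    scheme, value = _auth(headers)
    return scheme == "bearer" and hmac.compare_digest(value.encode(), API_TOKEN)


def evaluate():
    basic = "Basic " + base64.b64encode(ADMIN_USER + b":" + ADMIN_PASS).decode()
    requests = {
        # Admin using the API directly from the broker's own origin.
        "admin_same_origin": {"Origin": "https://broker.example", "Authorization": basic},
        # Request triggered by another site; the browser adds the saved Basic creds.
        "cross_site_forged": {"Origin": "https://other.example", "Authorization": basic},
        # Script or tool that was given the token out of band.
        "token_client": {"Authorization": "Bearer " + API_TOKEN.decode()},
    }
    return {name: (basic_auth_ok(h), token_auth_ok(h)) for name, h in requests.items()}


if __name__ == "__main__":
    for name, (basic_ok, token_ok) in evaluate().items():
        print(f"{name:18} basic={basic_ok!s:5} token={token_ok!s:5}")
```

Under the Basic policy the first two requests are indistinguishable to the server; under the token policy the cross-site request fails because the other site has no way to supply the token.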
