Hi JB,

> You mean the admin REST API right? Not the rest/http transport connector?
>

Yes, what we ship in "webapps/api".

Colm.



>
> Regards
> JB
>
> > On 24 March 2020 at 17:46, Colm O hEigeartaigh <[email protected]> wrote:
> >
> > Hi all,
> >
> > I wanted to start a discussion on whether it might be a good idea to
> > disable the REST API for the AMQ 5.16.0 distribution.
> >
> > It makes me a bit uneasy that this is enabled by default. It is secured
> > using the same basic auth approach as the web console. The problem here is
> > that the API (correctly) lacks XSRF protection. However if the admin user
> > browsed to /api and the browser then saves the creds, then it would be
> > trivial to implement an XSRF-style attack on the API. Instead, it's better
> > to secure a REST API with a token.
> >
> > As it's a feature that's probably not widely used, it would be better to
> > disable it by default IMO.
> >
> > Thoughts?
> >
> > Colm.
>
>
