I think we should not expose the dashboard to the external internet. If we must expose it, we should add complete authentication for APISIX, such as "jwt+RBAC"; key-auth is weak security.

Zhiyuan Ju <[email protected]> wrote on Saturday, July 25, 2020 at 9:02 AM:

> 🤔
>
> Because there is one Manager API between Admin API and Dashboard, and the
> API is fixed stored in Manager API currently, so not sure how to use manual
> TLS to protect the dashboard usage.
>
> Ming Wen <[email protected]> wrote on Saturday, July 25, 2020 at 8:37 AM:
>
> > For the production environment, it is recommended to use mTLS to
> > communicate between the admin API and the dashboard.
> >
> > Zhiyuan Ju <[email protected]> wrote on Thursday, July 23, 2020 at 11:27 AM:
> >
> > > Hi,
> > >
> > > One user just reminded me that the API Key is stored in manager-api
> > > directly, we may store it in frontend or have an OAuth policy.
> > >
> > > So how could we protect our dashboard from being accessed by attackers?
> > >
> > > Best regards!
> > > --
> > > From 琚致远
> >
> --
> From 琚致远
