Hi Gary,

Just for the record, REST extensions are not Roxy specific, but a general feature of the MarkLogic REST API. How secure or insecure the implementation of a single REST extension is depends totally on the implementation. Mike and David already referred to using things like xdmp:eval, and there is probably a lot more to say to that, I think. But there are also relatively harmless REST extensions that can provide simple things like spell suggestions for a given search term and don't do updates at all. Using REST extensions doesn't automatically imply risk.

With regard to SSL, if your REST API is configured to run behind SSL, then the REST extension will be running there as well. In that sense, securing the REST extension is no different from securing the generic part of the REST API. And it all starts with thinking carefully about how you set up your app-specific users and roles, and have those inherit other roles or give them privileges. Amps can be very useful too, to give a particular function the power to do xdmp:eval without giving the user itself that power.

My 2 cents.

Kind regards,
Geert

From: Gary Russo <[email protected]>
Reply-To: MarkLogic Developer Discussion <[email protected]>
Date: Tuesday, February 24, 2015 at 11:43 PM
To: "[email protected]" <[email protected]>
Subject: [MarkLogic Dev General] What are the best practices for securing a Public ROXY REST Extension?

What are the best practices for securing a ROXY REST Extension that is on the public internet?

The REST API will use SSL encryption.

Are there any rules of thumb to prevent Query, Schema, and JavaScript Injection attacks?

Mike has this good post about using external variables.
=> http://blakeley.com/blogofile/2012/09/28/external-variables-(code-review,-part-ii)/

Other NoSQL products, such as Redis, require the ports to be firewalled with a loopback interface to restrict external access.
=> http://redis.io/topics/security#network-security

Is there any value to using the Redis firewall approach?

Gary Russo
Enterprise NoSQL Developer
http://garyrusso.wordpress.com
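As an added example (not code from this thread, nor from Roxy or MarkLogic itself), here is a small XQuery REST extension that contrasts splicing a request parameter into an xdmp:eval string with passing it as an external variable, the pattern Mike's post and Geert's reply point to; the resource name `safe-count` and the parameter `term` are assumed names chosen for the illustration.

```xquery
xquery version "1.0-ml";
(: REST extension module; the namespace must end in the resource name.
   "safe-count" is an assumed name for this example. :)
module namespace ext = "http://marklogic.com/rest-api/resource/safe-count";

(: UNSAFE: the caller-supplied term becomes part of the XQuery source that
   xdmp:eval parses, so a term containing quote characters changes the code
   rather than just the data. Kept only to show the shape to avoid. :)
declare private function ext:count-unsafe($term as xs:string) as xs:integer
{
  xdmp:eval(
    fn:concat("xdmp:estimate(cts:search(fn:doc(), cts:word-query('",
              $term, "')))")
  )
};

(: SAFE: the evaluated source is a fixed string; the term is bound as an
   external variable, so it is always treated as a value, never as code. :)
declare private function ext:count-safe($term as xs:string) as xs:integer
{
  xdmp:eval(
    'declare variable $term as xs:string external;
     xdmp:estimate(cts:search(fn:doc(), cts:word-query($term)))',
    (xs:QName("term"), $term)
  )
};

(: GET /v1/resources/safe-count?rs:term=...
   xdmp:eval needs the xdmp:eval privilege; as Geert notes, that can be
   granted to this function through an amp instead of to the calling user. :)
declare function ext:get($context as map:map, $params as map:map)
  as document-node()*
{
  let $term := (map:get($params, "term"), "")[1]
  let $result := map:map()
  let $_ := (
    map:put($result, "term", $term),
    map:put($result, "count", ext:count-safe($term)),
    map:put($context, "output-types", "application/json")
  )
  return document { xdmp:to-json($result) }
};
```

Only `ext:count-safe` is reachable from the GET entry point; the unsafe variant is present purely as the counter-example.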
_______________________________________________ General mailing list [email protected] http://developer.marklogic.com/mailman/listinfo/general
