Still should be a network security concern, i.e., set up a secure VPN, or
allow limited access to a range of IPs through your firewall.
The Java version of the SDK at least, has a -bindAddress option. Binding to
127.0.0.1 will mean the server will only listen for requests from your
machine. (It set itself up like this by default for me.)

Anyway, if you run any kind of developer SDK server and allow access to the
outside world, you are asking for trouble, since they are never written with
the intention of being a secure production server.

On Wed, Mar 14, 2012 at 9:48 AM, Kaan Soral <[email protected]> wrote:

> Why? - because sometimes you have to work with external systems and they
> have to work with you - even on the development level
>
>
> On Wednesday, March 14, 2012 10:42:59 AM UTC+2, Simon Knott wrote:
>>
>> Why would your SDK be available to the outside world?  It's a development
>> tool, no different to any development environments - lock it down via the
>> network infrastructure, as you would any other development environment.  If
>> you have production data in your dev environment and it contains sensitive
>> data, then take the normal steps to sanitise it.
>>
>> On Tuesday, 13 March 2012 20:50:01 UTC, Kaan Soral wrote:
>>>
>>> If the SDK is accessible to the outer world, it poses a HUGE security
>>> risk
>>>
>>> One can simply write a script for "Interactive Console"
>>> <http://localhost/_ah/admin/interactive> and steal all your code/data
>>>
>>> To prevent this - one may restrict access to Development Console and
>>> permit only 127.0.0.1, this can be easily done by modifying the Handlers of
>>> the Development Console
>>>
>>> Can you guys think of any other security holes?
>>>
>>> I've been meaning to ask this for a long time, but at the same time I
>>> didn't want to attract anyone to exploit these risks - but here it is anyway
>>>
>>  --
> You received this message because you are subscribed to the Google Groups
> "Google App Engine" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/google-appengine/-/kW20c_wtRsMJ.
>
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/google-appengine?hl=en.
>
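
The loopback-binding advice in the top reply can be verified on the development machine. The following is an added example, not part of the thread or of the SDK: it parses Linux `ss -H -ltn` output and reports development-server ports that listen on anything other than a loopback address. The sample output, the port numbers, and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output; the ports are assumptions:
# columns are State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port.
SAMPLE_SS = """\
LISTEN 0 50 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 50 0.0.0.0:8888 0.0.0.0:*
LISTEN 0 128 [::1]:8000 [::]:*
LISTEN 0 128 [::]:9000 [::]:*
LISTEN 0 128 *:9001 *:*
LISTEN 0 128 192.168.1.20:8081 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""


def split_local(field):
    """Split the local address:port column into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop IPv6 brackets, then any %interface scope suffix.
    host = host.strip("[]").split("%")[0]
    return host, int(port)


def exposed_listeners(ss_output, dev_ports):
    """Return (host, port) for dev-server ports not bound to loopback only."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        if port not in dev_ports:
            continue
        # "*" is the wildcard (all interfaces, IPv4 and IPv6).
        if host == "*" or not ipaddress.ip_address(host).is_loopback:
            findings.append((host, port))
    return findings


if __name__ == "__main__":
    for host, port in exposed_listeners(SAMPLE_SS, {8080, 8888, 8000, 9000, 9001, 8081}):
        print(f"dev server port {port} is reachable via {host}")
```

On a real machine, pass the output of `ss -H -ltn` and the port your development server uses in place of the sample.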
