REST API security considerations

Configuration of the REST API exposed by gui.sh must be done with security considerations in mind. This document serves as a checklist pointing to the related information scattered across the documentation and the command line help.

Feature flags

Feature flags are experimental developments; they might change in the future.

See gui.sh option -disable <FEATURE> and the command line help for details. The following feature flags might have an impact on the security of a server deployment. Consider disabling them:

See the API documentation of the underlying Java enum type com.chemaxon.overlap.wui.context.features.ServerFeature.

SSL (https) configuration

See gui.sh options -sslkeystore <KEYSTORE>, -sslkeystorepass <PASS> and the document REST API / Web UI for similarity searches for details.

Additional static content

All content in the directory pointed to by option -additionalresourcedir <DIR> or option -webapp <LOCATION> is exposed through the REST API. When these options are used, make sure that everything in those directories is intended to be exposed.

Access log

See gui.sh option -log <SPEC> for how to write an access log from the server. Consider enabling log file writing.

Profiling and execution statistics

Many of the command line tools support the options -prof <FILE> and -stat <FILE> to collect profiling and execution statistics. These data can be exposed by the server (using option -profres <FILE>) for further visualization.

The document Profiling and execution statistics describes how to sanitize these collected files before they are exposed through the server.

Asynchronous task visibility

Asynchronous tasks (see Asynchronous search tasks) are visible to every REST API client without authentication or authorization. This must be taken into consideration when using the asynchronous endpoints in a production deployment.
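The checklist above (SSL configuration, additional static content, access log, and exposed profiling results) as one added example: a pre-flight audit of a planned gui.sh command line that flags the items a reviewer would otherwise check by hand. This is example code written for this page, not part of the Chemaxon documentation or of gui.sh itself. The option names are the ones this page quotes; the static-content extension allowlist, the sample file names, the placeholder feature name and the wording of the findings are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not part of the Chemaxon documentation or of gui.sh itself:
# a pre-flight audit of a planned gui.sh command line against this checklist.
# Option names are the ones quoted on this page; the static-content
# allowlist and the sample files are assumptions made for the example.

# Report entries under the static directory $1 that should probably not be
# published: hidden files/directories (e.g. .git) and files whose extension
# is not on the allowlist below (an assumed list of typical web assets).
# Prints one path per line; returns 1 if anything was found, 2 if $1 is not
# a directory, 0 otherwise.
audit_static_dir() {
    [ -d "$1" ] || { echo "error: $1 is not a directory" >&2; return 2; }
    suspects=$(find "$1" -mindepth 1 \
        \( -name '.*' -prune -print \) -o \
        \( -type f ! \( -name '*.html' -o -name '*.css' -o -name '*.js' \
                       -o -name '*.png' -o -name '*.svg' -o -name '*.json' \) -print \) \
        | sort)
    [ -z "$suspects" ] && return 0
    printf '%s\n' "$suspects"
    return 1
}

# Walk a gui.sh argument list and print one line per checklist item.
# Every option handled here is assumed to take exactly one value, as this
# page shows them. Returns the number of findings that need attention
# (0 means nothing was flagged).
audit_gui_sh_args() {
    ssl=0; log=0; findings=0
    while [ $# -gt 0 ]; do
        opt=$1; val=${2:-}
        case $opt in
            -sslkeystore)
                ssl=1; shift ;;
            -log)
                log=1; shift ;;
            -disable)
                echo "info: feature flag '$val' disabled"; shift ;;
            -profres)
                echo "check: -profres $val is exposed by the server; confirm it was sanitized"
                findings=$((findings + 1)); shift ;;
            -additionalresourcedir|-webapp)
                echo "check: $opt $val is exposed as static content"
                if ! audit_static_dir "$val"; then
                    echo "warn: review $val before exposing it"
                    findings=$((findings + 1))
                fi
                shift ;;
            -sslkeystorepass)
                shift ;;
            *)
                # Unknown token: skip only this one, do not assume a value.
                shift; continue ;;
        esac
        # Consume the option's value, if one was present.
        if [ $# -gt 0 ]; then shift; fi
    done
    if [ "$ssl" -ne 1 ]; then
        echo "warn: no -sslkeystore, the REST API is served over plain http"
        findings=$((findings + 1))
    fi
    if [ "$log" -ne 1 ]; then
        echo "warn: no -log, no access log will be written"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on a constructed static directory (assumed layout, created on the fly).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/.git"
: > "$demo_dir/index.html"
: > "$demo_dir/.git/config"
: > "$demo_dir/db-backup.sql"
audit_gui_sh_args -sslkeystore server.jks -sslkeystorepass changeit \
    -additionalresourcedir "$demo_dir" -profres stats.json
echo "findings: $?"
rm -rf "$demo_dir"
```

The demo reports three findings: the .git directory and db-backup.sql under the static directory, the exposed -profres file, and the missing -log option. Running the same function over the argument list of an actual deployment script gives a quick way to confirm the checklist before the server is started.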