Why did OutSystems 10 make some internal interfaces non-internal use only


We recently upgraded to OutSystems 10. We had a test running that checked that only whitelisted SOAP and REST interfaces are internal use only. The reason for doing such monitoring was to check that we do not accidentally expose our own interfaces that are intended for internal use only. However, somewhat by accident, the test also checked interfaces internal to OutSystems. After the update, the following interfaces were flagged as non-internal use only:

  1. lifetimeapi.v1
  2. LifeTimeServices.DeploymentManagementService
  3. NativeAppBuilder.Download
  4. OutSystemsNowService.OutSystemsExpected
  5. SecurityUtils.Report

I would like to know why there are services open for external access, and can we somehow make them internal use only again?


Hi Otto,

Those 5 entry points are public by design. They are public because they are consumed by applications that usually do not live in the internal network, thus enhancing the overall experience of using the platform and increasing your retrieved value.

Endpoints 1 and 2 belong to the OutSystems public API. This API can be used by other applications to integrate and extend the Application Lifecycle Management functionality provided by the platform.

Endpoints 3 and 4 are used by mobile devices, to download application packages and to provide access to your applications when using OutSystems Now.

Endpoint 5 is used by applications developed with OutSystems to report Content Security Policy violations, when that configuration is enabled.

It is not possible to change these endpoints so that they become internal only.

Hope this helps.

Best regards,

Ricardo Marques


Hello Ricardo,

Thank you for the information. This is very useful information. Whitelisting these in our monitor should do the trick. OutSystems support for Content Security Policy is a very welcome addition; we will certainly look into enabling that.


Paulo Ribeiro

Otto, we recently published documentation on how to activate Content Security Policy. You may want to check it out.
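
The exposure monitor discussed in this thread, sketched as an added example that is not part of any post and is not OutSystems code: it allowlists the five platform endpoints with the reasons given above, flags any other interface that is not internal-only, and reports allowlist entries that no longer match an exposed interface. The `name,kind,internal_only` inventory format, the sample rows, and the names `Billing.InvoiceSync`, `Partners.OrderStatus`, `HR.PayrollExport` and `Legacy.Feed` are assumptions constructed for illustration; how the inventory is exported from the environment is not covered.

```python
# Platform endpoints that are public by design, with the reason from the thread.
PLATFORM_PUBLIC = {
    "lifetimeapi.v1": "OutSystems public API",
    "LifeTimeServices.DeploymentManagementService": "OutSystems public API",
    "NativeAppBuilder.Download": "mobile devices download application packages",
    "OutSystemsNowService.OutSystemsExpected": "OutSystems Now access",
    "SecurityUtils.Report": "Content Security Policy violation reports",
}

# Constructed sample inventory (assumed format: name,kind,internal_only).
SAMPLE_INVENTORY = """\
lifetimeapi.v1,REST,false
LifeTimeServices.DeploymentManagementService,SOAP,false
NativeAppBuilder.Download,REST,false
OutSystemsNowService.OutSystemsExpected,REST,false
SecurityUtils.Report,REST,false
Billing.InvoiceSync,SOAP,false
Partners.OrderStatus,REST,false
HR.PayrollExport,SOAP,true
"""

def parse_inventory(text):
    """Return (name, kind, internal_only) tuples; reject malformed rows."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = [p.strip() for p in line.split(",")]
        # Fail closed: an unreadable flag must not be treated as "internal".
        if len(parts) != 3 or parts[2].lower() not in ("true", "false"):
            raise ValueError(f"line {lineno}: malformed row {line!r}")
        rows.append((parts[0], parts[1], parts[2].lower() == "true"))
    return rows

def audit(rows, own_allowlist=frozenset()):
    """Return (unexpected, stale): exposed-but-not-allowlisted interfaces, and
    allowlist entries that no longer correspond to an exposed interface."""
    allowed = set(PLATFORM_PUBLIC) | set(own_allowlist)
    exposed = {name for name, _kind, internal in rows if not internal}
    unexpected = sorted(exposed - allowed)
    # Stale exceptions should be pruned so they cannot silently cover a
    # same-named interface that is exposed later.
    stale = sorted(allowed - exposed)
    return unexpected, stale

if __name__ == "__main__":
    own = {"Partners.OrderStatus", "Legacy.Feed"}  # hypothetical own exceptions
    unexpected, stale = audit(parse_inventory(SAMPLE_INVENTORY), own)
    print("unexpected public interfaces:", unexpected)
    print("stale allowlist entries:", stale)
```

Keeping the reason next to each allowlisted name lets a reviewer recheck every exception after the next platform upgrade instead of trusting a bare list.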