Hi Everyone
I have one small doubt regarding security. I am working on one application. In AI Mentor I am getting one error that exposed REST APIs are not secured, and it is an on-premises environment.
My question is
1) It is on premises and we have an SSL certificate, and SSL is enabled for every API, so if SSL is on then nobody can tamper with any data. In this scenario, do we have to implement authentication, or is it secured without authentication because of SSL?
If this is correct, then can I mark it as a false positive?
If it is not correct, then what should we do? My opinion is that we should implement both authentication and SSL.
Correct me if I am wrong. I need your suggestion.
Yes, I agree with you, those are different things and you should always have SSL :)
I do not know the requirements of your API; assuming you are building a typical API, I would add authentication to it. But of course, as we know, there are public APIs that anyone can access; if you are building one of those, then just mark it as a false positive in AI Mentor.
Arkyadeep,
The warning is not about REST APIs that have been built by you/the client (Though, those should be secured as well!)
The warning is in reference to the automatic creation of REST API endpoints by ANY usage of a server action in ANY client action.
SSL has no bearing on these endpoints, their creation, or any authentication...
Please see the linked OutSystems documentation that fully explains why and how these endpoints are created, and how to secure them.
Best,
RAD Manage
@Arkyadeep Bharadwaj
React does indeed create open REST calls any time a server action is exposed via a client action. This means, for example, if you use CreateOrUpdateUser in a client action, ANYONE on the internet can potentially find this open REST call and pass a user record to it, and if their role (such as Anonymous) matches the role required for that screen, modify any record. Or if the delete function is exposed, delete any record, or again if it is a getrecord(), they can pull any record by the ID.
It is imperative that you secure these open RESTs with CRUD operations on the server side anywhere you use server logic in client actions. I have written a whitepaper about this very topic and you can get a copy at: https://radmanage.com/resources/2023/The%20Hidden%20Dangers%20of%20Open%20REST%20APIs%20in%20Reactive%20Web%20Apps.pdf
You can also find more on the Success pages at: https://success.outsystems.com/documentation/best_practices/security/reactive_web_security_best_practices/
Best,
RAD Manage
We are directly calling the server action in the API and we are using a valid SSL certificate. Then is authentication required or not?
Regardless of using SSL or not, the REST API will be open to the world if you use it in a client action. You MUST use CRUD to secure any server actions that are used in client actions. This includes built-in actions.
Best,
RAD Manage
In the REST API method we are using server actions only, no client actions. The server action is from the CS module, but the problem is that in the server action there is no logic for role or permission checks. I think this is not correct. In the server action we have to add role or permission check logic.
"This includes built-in actions."
Not clear.
Hi @Arkyadeep Bharadwaj
If you are exposing a REST API with no authentication, then anyone who knows the endpoint will be able to call it. Please see the documentation on how to add basic auth to it; this should fix your AI Mentor warning :)
https://success.outsystems.com/documentation/11/extensibility_and_integration/rest/expose_rest_apis/add_basic_authentication_to_an_exposed_rest_api/
Regards,
Rúben
OK, but my doubt is different. I know we can add authentication, either basic or custom. I got one suggestion from the client that if we are using SSL on our on-premises server then it is not required to use authentication. But I think, as per my knowledge, both are different. If we have SSL on our on-prem server, then we should also add authentication. Correct me if I am wrong.