#dominoforever | Product Ideas Portal


Welcome to the #dominoforever Product Ideas Forum! The place where you can submit product ideas and enhancement requests. We encourage you to participate by voting on, commenting on, and creating new ideas. All new ideas will be evaluated by HCL Product Management & Engineering teams, and the next steps will be communicated. While not all submitted ideas will be executed upon, community feedback will play a key role in influencing which ideas are implemented and when.

For more information and upcoming events around #dominoforever, please visit our Destination Domino Page

Should hide https://hostname/api/core/ on the security side

On Traveler R9.0.1.21, an end user can anonymously access the URL below:
https://hostname/api/core/

and get the following info:

{
  "links": [
    {
      "rel": "pwstats",
      "href": "/api/core/pwstats"
    },
    {
      "rel": "nonce",
      "href": "/api/core/nonce"
    },
    {
      "rel": "stats",
      "href": "/api/core/stats"
    }
  ]
}

The customer thinks this is not safe for their Traveler server; they wish to hide this info.

On Traveler R11, when an end user accesses the same URL, they see this pop-up:
Do you want to open or save core.json from hostname?
If they click the Save button, core.json is saved locally; opening it shows the info below:
{
  "links": [
    {
      "rel":"pwstats",
      "href":"\/api\/core\/pwstats"
    },
    {
      "rel":"imasettings",
      "href":"\/api\/core\/imasettings"
    },
    {
      "rel":"nonce",
      "href":"\/api\/core\/nonce"
    },
    {
      "rel":"stats",
      "href":"\/api\/core\/stats"
    }
  ]
}
  • Guest
  • Jan 3 2020
  • Unlikely to implement
  • Guest commented
    8 Jan 09:01pm

    I mostly disagree. The world is moving towards API first. They also report per user, which makes sense from an API point of view. Although having users be able to get to this could create noise, I don't see how this is a security issue.

    Our Traveler server and several client ones show the session authentication dialog and do not allow anonymous access. You've allowed anonymous access to that URL. You should block anonymous. See Thomas' comment, as well.

  • Guest commented
    5 Jan 11:11am

    What is unsafe about getting those statistics as a user, when you are authenticated?
    Those statistics are per-user statistics. Per-user statistics can only be queried if you have an authenticated user in the first place ;-)

    So I would not see how this should be "unsafe".

    Also, in general, as a best practice for any server not providing public services, you should disable anonymous access for HTTP at the server level.

    My Traveler server only allows HTTPS and only authenticated user access.

    [Daniel Nashed / http://blog.nashcom.de]

  • Admin
    Thomas Hampel commented
    3 Jan 02:24pm

    By default, the URLs are access protected.
    Did you enable Domino Access Services on this machine?

  • Guest commented
    3 Jan 07:11am

    And the URL below can also be accessed anonymously:

    https://hostname/api/

    End users can get the following info:

    {
      "services": [
        {
          "name": "Calendar",
          "enabled": false,
          "version": "9.0.1.v10_00",
          "href": "/api/calendar"
        },
        {
          "name": "FreeBusy",
          "enabled": false,
          "version": "9.0.1.v10_00",
          "href": "/api/freebusy"
        },
        {
          "name": "Core",
          "enabled": true,
          "version": "9.0.1.v10_00",
          "href": "/api/core"
        },
        {
          "name": "Data",
          "enabled": false,
          "version": "9.0.1.v10_00",
          "href": "/api/data"
        },
        {
          "name": "Mail",
          "enabled": false,
          "version": "9.0.1.v10_00",
          "href": "/api/mail"
        },
        {
          "name": "TravelerAdmin",
          "enabled": true,
          "version": "9.0.1.21",
          "href": "/api/traveler"
        }
      ]
    }
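The thread's advice (block anonymous access at the server level, then confirm the discovery URLs challenge for credentials) is easy to verify from outside. The Python script below is an added example written for this page, not HCL or Traveler code: it fetches /api/ and /api/core/ with no credentials, decides whether the server answered with the discovery document or with an authentication challenge, and, if the document leaked, lists the enabled services from /api/ and the links from /api/core/. The sample bodies are constructed to match the output quoted in the idea and in the last comment; "https://hostname" is the thread's placeholder, and the rule that a 401/403, a redirect, or an HTML login form means "authentication required" is an assumption about a typical Domino session-authentication setup, not a documented contract.

```python
"""Probe a Domino/Traveler server for anonymous access to the Domino Access
Services discovery documents (/api/ and /api/core/).

Added example for this thread, not HCL/Traveler code. Sample bodies are
constructed to match the responses quoted above; the target URL is a placeholder.
"""
import json
import ssl
import sys
import urllib.error
import urllib.request

# Constructed sample bodies, shaped like the responses quoted in the thread.
SAMPLE_API_BODY = json.dumps({"services": [
    {"name": "Calendar", "enabled": False, "version": "9.0.1.v10_00", "href": "/api/calendar"},
    {"name": "FreeBusy", "enabled": False, "version": "9.0.1.v10_00", "href": "/api/freebusy"},
    {"name": "Core", "enabled": True, "version": "9.0.1.v10_00", "href": "/api/core"},
    {"name": "Data", "enabled": False, "version": "9.0.1.v10_00", "href": "/api/data"},
    {"name": "Mail", "enabled": False, "version": "9.0.1.v10_00", "href": "/api/mail"},
    {"name": "TravelerAdmin", "enabled": True, "version": "9.0.1.21", "href": "/api/traveler"},
]})
SAMPLE_CORE_BODY = json.dumps({"links": [
    {"rel": "pwstats", "href": "/api/core/pwstats"},
    {"rel": "imasettings", "href": "/api/core/imasettings"},
    {"rel": "nonce", "href": "/api/core/nonce"},
    {"rel": "stats", "href": "/api/core/stats"},
]})


def enabled_services(api_body):
    """(name, version, href) for every service the /api/ document marks enabled."""
    doc = json.loads(api_body)
    return [(s["name"], s["version"], s["href"])
            for s in doc.get("services", []) if s.get("enabled") is True]


def core_links(core_body):
    """rel -> href map from a /api/core/ document."""
    doc = json.loads(core_body)
    return {link["rel"]: link["href"] for link in doc.get("links", [])}


def classify(status, body):
    """Interpret an unauthenticated response to a DAS URL.

    Assumed rules: 401/403, any redirect, or an HTML form mean the server
    challenged for credentials ("auth-required"); a JSON document carrying a
    "services" or "links" key means the discovery data was handed to an
    anonymous client ("anonymous-allowed"); anything else is "other".
    """
    if status in (401, 403) or status in (301, 302, 303, 307, 308):
        return "auth-required"
    if status == 200:
        try:
            doc = json.loads(body)
        except ValueError:
            # A login page served with HTTP 200 is still a challenge, not a leak.
            return "auth-required" if "<form" in body.lower() else "other"
        if isinstance(doc, dict) and ("services" in doc or "links" in doc):
            return "anonymous-allowed"
    return "other"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx as HTTPError instead of silently following it to a login form."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(base_url, timeout=10):
    """Live request: GET /api/ and /api/core/ with no credentials; return path -> (status, body)."""
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ssl.create_default_context()), _NoRedirect())
    results = {}
    for path in ("/api/", "/api/core/"):
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"Accept": "application/json"})
        try:
            with opener.open(req, timeout=timeout) as resp:
                status, body = resp.status, resp.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            status, body = err.code, err.read().decode("utf-8", "replace")
        results[path] = (status, body)
    return results


if __name__ == "__main__":
    # "https://hostname" is the placeholder used in the thread; pass a real server URL.
    target = sys.argv[1] if len(sys.argv) > 1 else "https://hostname"
    for path, (status, body) in probe(target).items():
        verdict = classify(status, body)
        print(f"{path}: HTTP {status} -> {verdict}")
        if verdict == "anonymous-allowed" and path == "/api/":
            for name, version, href in enabled_services(body):
                print(f"  enabled service exposed anonymously: {name} {version} {href}")
        if verdict == "anonymous-allowed" and path == "/api/core/":
            for rel, href in core_links(body).items():
                print(f"  link exposed anonymously: {rel} {href}")
```

Run it as `python3 probe_das.py https://your-traveler-server` before and after changing the server's anonymous-access setting; on the configuration the idea describes both paths come back "anonymous-allowed" with the Core and TravelerAdmin services and the pwstats/nonce/stats links listed, while on a server that requires authentication (as in Daniel's and the first commenter's setups) both paths should come back "auth-required". Redirects are deliberately not followed, because following one to the login form would turn a challenge into a misleading HTTP 200.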