I am new to webapps, so I apologize if this question seems naive, just looking to learn. I'm looking into using elasticsearch for autocomplete. All of the examples that I've seen show some form of jquery/ajax/angularjs that exposes the elasticsearch url to the user which seems like poor practice. What is the proper way of safeguarding the servers url, while still allowing ajax to make a call (even if indirectly) to it?
Nothing is secure with JS, all is visible, you can only try to make it harder to decode. Best way is calling your own server with ajax, which calls the elasticSearch url and returns the result. That is if you just don't want the elasticsearch url to be shown, only your server url will be. – juvian, Nov 5, 2014 at 21:42
1 Answer
In the AJAX world, there is no way to secure the server URL. And that's ok; security by obscurity is not a good practice anyway. What you need to do is make sure your server can't be hacked through that URL. A couple of tips:
Disable scripting in ES. The newer versions of ES have it disabled by default out of the box.
Don't expose your bare ES server to the world. By default ES is available on port 9200, which means anyone can run any query (or do anything else they want). Make sure that port is blocked from external access. As one commenter pointed out, the Javascript should be calling your server, which should in turn be calling the ES server as localhost (again, be sure localhost:9200 is blocked from external access) or behind a firewall.
Clean up all input queries before passing them to ES. ES is less vulnerable than SQL to "injection" attacks, but it is still critical to filter out any nasty characters such as \ { " : and so forth, to limit string lengths to something reasonable, etc.
Good luck!