Can a hacker use the search API endpoint to update a document or delete an index?

My company uses the free version of Elasticsearch, so there is no security on it. Our Elasticsearch server is running on an internal network and internet users cannot access it. We have a public app that needs to call the Elasticsearch API to fetch some data. Therefore, I use an API gateway/reverse proxy to expose one index's search API endpoint.

http://apigateway.my.com/api/search (public)--> http://myelasticserver:9200/myindex/_search (internal)

So whenever somebody hits http://apigateway.my.com/api/search with a POST body, the request will be forwarded to the internal search API.

My concern is data integrity. The data is public and I don't mind users viewing the whole data. But I don't want users to update records or delete the index through the search API endpoint http://myelasticserver:9200/myindex/_search. Technically, a user can post anything to the search API endpoint.

Can anybody confirm that the index search API endpoint is read only? Thanks!

The Security functionality has been free for quite a number of years now. Why are you not using it?

Need to configure privileges on a given user role. Configuring via Kibana: Kibana > Stack Management > Roles > Privileges.
Setting to be given for the user role is "read". As a result, methods such as PUT or POST cannot be used.

I don't know that. Will try! Thanks for the response!

Thanks Devwmo!

I did some more research. Index Block is the easiest way.

Moreover, if you want to check all the roles available, you can use this command:

GET /_security/role/

Public-accessed applications' users/roles should only have the 'read' privilege.

Index blocks prevent certain operations from all users. That is, if a read-only block is set, no one can write to the index, including your admin users. Depending on your use case, this may or may not be an issue.

can anybody confirm that the index search api endpoint is read only?

It should be read only. It will be a bug if it can be used for any mutation.

For your use case, I think turning on security and enabling anonymous access with read only privilege is probably your best bet. It means you get full security protections and external users can only ever read data (via anonymous access).

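The anonymous read-only setup suggested in the last reply, sketched as an added configuration example (not posted by anyone in the thread). The role name `public_search_reader` and the anonymous username are assumptions; `myindex` is the index named in the question.

```yaml
# File: elasticsearch.yml (on each node)
# Enable the security features so every request is authenticated and authorized.
xpack.security.enabled: true

# Requests that arrive without credentials (here: those forwarded by the
# gateway) are mapped to this anonymous principal and its roles.
xpack.security.authc.anonymous:
  username: anonymous_user       # assumed name
  roles: public_search_reader    # assumed role name, defined in roles.yml below
  authz_exception: true          # unauthorized anonymous requests get 403, not a 401 login prompt

# File: roles.yml (file-based role definition, same config directory)
public_search_reader:
  indices:
    - names: [ 'myindex' ]       # only the index exposed through the gateway
      privileges: [ 'read' ]     # read operations such as search and get; no index, delete or delete_index
```

Unlike an index block, this restricts only the anonymous caller: admin users who authenticate with their own credentials can still write to `myindex`.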
