Is it safe to use Elastic App Search directly from my Android and iOS app?

Hi all,

I am new to Elastic products. I am actually an Android and iOS developer, so I have limited knowledge about backends.

I have tried to read the App Search authentication documentation here; it seems I can make a query directly from my Android/iOS app by using this:

curl -X GET 'https://[HOST_IDENTIFIER].api.swiftype.com/api/as/v1/engines/[ENGINE]/documents' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer [API_KEY]'

If I use that endpoint with the public search key as the [API_KEY], is it safe to use Elastic App Search just like that?

The search key is read-only, so malicious users can't delete my documents, but if the endpoint is exposed in my mobile app like that, I am worried that a malicious user could make millions of requests in a short period of time and bring my Elastic App Search down.

Can I prevent this?

Hi @susi_pogba

Welcome to the community.

Others can chime in, but in general it's not a best practice to allow direct authentication from a client or mobile app directly to your data store / data API, whether that data store is Elasticsearch or Oracle, MySQL or MongoDB, etc.

Typically you would have an API gateway or a microservice layer that handles your end user's authentication, authorization and session management, and then that microservice or another service like a data access service would actually authenticate and make the calls to the data store, so that the data store is isolated from the end user / client app. This is also how you isolate SQL/query injection and other security concerns.

Hope that helps a bit.

Hey @susi_pogba,

Just wanted to chime in quick. Generally speaking, we consider it expected and acceptable to make API calls to the Elastic App Search API directly from a client or browser. As you said, the public search key is read-only and available with this use case in mind.

To better protect against a denial of service attack as you describe, your best bet would be to handle that in some sort of API gateway or proxy like @stephenb describes.

Jason

1 Like

Thank you very much @JasonStoltz and @stephenb. Is there any rate limiter per IP per hour for the search key, or something like that, in Elasticsearch?

Elastic App Search does not have per IP rate limiting.
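Since App Search itself has no per-IP limiting, the quota has to live in the gateway or proxy layer that @stephenb and @JasonStoltz recommend. The following is an added example, not code from this thread or from Elastic: a small Python proxy that the mobile app calls instead of App Search. The App Search key stays on the server, each client IP gets a sliding-window request quota, and only validated searches are forwarded to the engine's search endpoint. The host, engine name and key are assumed placeholders read from environment variables (the thread shows them as [HOST_IDENTIFIER], [ENGINE] and [API_KEY]); the 60-requests-per-minute limit and 200-character query cap are assumed policy values.

```python
"""
Added example, not code from the Elastic Discuss thread or from Elastic itself:
a minimal search proxy that sits between a mobile app and Elastic App Search.
The app talks only to this proxy; the App Search key stays on the server and a
per-client-IP quota is enforced before anything is forwarded. Host, engine and
key are assumed placeholders read from environment variables.
"""
import json
import os
import threading
import time
from collections import deque
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Deque, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlparse
from urllib.request import Request, urlopen

# Assumed configuration; the thread shows these as [HOST_IDENTIFIER], [ENGINE] and [API_KEY].
APP_SEARCH_HOST = os.environ.get("APP_SEARCH_HOST", "HOST_IDENTIFIER.api.swiftype.com")
APP_SEARCH_ENGINE = os.environ.get("APP_SEARCH_ENGINE", "ENGINE")
APP_SEARCH_KEY = os.environ.get("APP_SEARCH_KEY", "search-placeholder-key")
MAX_QUERY_LEN = 200  # assumed policy: refuse oversized queries before they reach App Search


class PerIpRateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per client IP."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._hits: Dict[str, Deque[float]] = {}
        self._lock = threading.Lock()

    def allow(self, client_ip: str, now: Optional[float] = None) -> bool:
        """Record a hit for `client_ip` and return True if it is still within quota."""
        now = time.monotonic() if now is None else now
        with self._lock:
            hits = self._hits.setdefault(client_ip, deque())
            while hits and now - hits[0] >= self.window:  # expire hits outside the window
                hits.popleft()
            if len(hits) >= self.limit:
                return False
            hits.append(now)
            return True


LIMITER = PerIpRateLimiter(limit=60, window=60.0)  # assumed policy: 60 searches/min per IP


def validate_query(query: str) -> bool:
    """Accept only non-empty queries of bounded length."""
    return 0 < len(query.strip()) <= MAX_QUERY_LEN


def build_upstream_request(query: str, page_size: int = 10) -> Tuple[str, Dict[str, str], bytes]:
    """Build the App Search search call; the key is attached here, server-side, never in the app."""
    url = f"https://{APP_SEARCH_HOST}/api/as/v1/engines/{APP_SEARCH_ENGINE}/search"
    headers = {"Content-Type": "application/json", "Authorization": f"Bearer {APP_SEARCH_KEY}"}
    body = json.dumps({"query": query, "page": {"size": page_size}}).encode()
    return url, headers, body


class SearchProxyHandler(BaseHTTPRequestHandler):
    """GET /search?q=<term>: rate-limit by client IP, validate, then forward to App Search."""

    def _send(self, status: int, payload: bytes) -> None:
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def do_GET(self) -> None:
        # Behind a load balancer, derive the client IP from a trusted X-Forwarded-For instead.
        client_ip = self.client_address[0]
        if not LIMITER.allow(client_ip):
            self._send(429, b'{"error":"rate limit exceeded"}')
            return
        parsed = urlparse(self.path)
        query = parse_qs(parsed.query).get("q", [""])[0]
        if parsed.path != "/search" or not validate_query(query):
            self._send(400, b'{"error":"bad request"}')
            return
        url, headers, body = build_upstream_request(query)
        try:
            with urlopen(Request(url, data=body, headers=headers, method="POST"), timeout=5) as resp:
                self._send(resp.status, resp.read())
        except OSError:  # URLError and HTTPError are OSError subclasses
            self._send(502, b'{"error":"upstream unavailable"}')


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), SearchProxyHandler).serve_forever()
```

The app would then call `GET /search?q=phone` on the proxy and never see the App Search key; a client that exceeds the quota gets HTTP 429 from the proxy, and the excess traffic never reaches App Search. The limiter keeps its counters in process memory, so a multi-instance deployment would need a shared store for the counters, and the same limiting is usually available off the shelf in an API gateway or reverse proxy if you would rather not run your own.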
