I am new to Elastic products. I am actually an Android and iOS developer, so I have limited knowledge about backend.
I have tried to read the App Search authentication documentation here; it seems I can make a query directly from my Android/iOS app by using this
If I use that endpoint with the public search key as the [API_KEY], is it safe to use Elastic App Search just like that?
The search key is read-only access, so malicious users can't delete my documents, but if the endpoint is exposed in my mobile app like that, I am worried that a malicious user could make millions of requests in a short period of time and bring my Elastic App Search down.
Others can chime in, but in general it's not a best practice to allow direct authentication from a client or mobile app to your data store / data API, whether that data store is Elasticsearch, Oracle, MySQL, MongoDB, etc.
Typically you would have an API gateway or a microservice layer that handles your end user's authentication, authorization and session management; then that microservice, or another service like a data access service, would actually authenticate and make the calls to the data store, so that the data store is isolated from the end user / client app. This is also how you isolate SQL / query injection and other security concerns.
Just wanted to chime in quickly. Generally speaking, we consider it expected and acceptable to make API calls to the Elastic App Search API directly from a client or browser. As you said, the public search key is read-only and is available with this use case in mind.
To better protect against a denial-of-service attack as you describe, your best bet would be to handle that in some sort of API gateway or proxy, as @stephenb describes.
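The following is an added example (not code from either reply above, nor from Elastic) of the proxy layer the two replies describe: the mobile app talks only to this service, the search key stays server-side, each client gets a token-bucket request budget, and the outbound query is rebuilt from a small allow-list so a client cannot widen it. It assumes the App Search search endpoint has the shape `POST {base_url}/api/as/v1/engines/{engine}/search` with an `Authorization: Bearer <key>` header; the base URL, engine name, key and `send` hook in the demo are placeholders.

```python
"""Minimal rate-limiting search proxy in front of Elastic App Search.

Added example, not from the original thread. Assumed endpoint shape:
POST {base_url}/api/as/v1/engines/{engine}/search, header
``Authorization: Bearer <search key>``. Only this proxy holds the key.
"""
import json
import time
import urllib.request

MAX_QUERY_LEN = 200   # assumed limits, tune for your UI
MAX_PAGE_SIZE = 20


class TokenBucket:
    """Per-client token bucket: `rate` tokens/second, at most `burst` stored.

    `now` is injectable so the limiter can be tested with a fake clock.
    """

    def __init__(self, rate, burst, now=time.monotonic):
        self.rate, self.burst, self.now = rate, burst, now
        self.state = {}  # client_id -> (tokens, last_refill_time)

    def allow(self, client_id):
        t = self.now()
        tokens, last = self.state.get(client_id, (self.burst, t))
        tokens = min(self.burst, tokens + (t - last) * self.rate)
        if tokens < 1:
            self.state[client_id] = (tokens, t)
            return False
        self.state[client_id] = (tokens - 1, t)
        return True


def sanitize_query(body):
    """Rebuild the outbound search body from an allow-list of fields.

    Anything the client sent that is not explicitly copied (filters,
    facets, result_fields, ...) is dropped, so the proxy, not the app,
    decides how expensive a query may be. Raises ValueError on bad input.
    """
    if not isinstance(body, dict):
        raise ValueError("body must be a JSON object")
    query = body.get("query")
    if not isinstance(query, str) or not query.strip() or len(query) > MAX_QUERY_LEN:
        raise ValueError("query must be a non-empty string of at most %d chars" % MAX_QUERY_LEN)
    page = body.get("page")
    size = page.get("size", 10) if isinstance(page, dict) else 10
    if isinstance(size, bool) or not isinstance(size, int) or not 1 <= size <= MAX_PAGE_SIZE:
        raise ValueError("page.size must be an integer in 1..%d" % MAX_PAGE_SIZE)
    return {"query": query.strip(), "page": {"size": size, "current": 1}}


class SearchProxy:
    def __init__(self, base_url, engine, search_key, bucket, send=None):
        self.url = f"{base_url}/api/as/v1/engines/{engine}/search"  # assumed shape
        self.search_key = search_key  # never returned to or embedded in the client
        self.bucket = bucket
        self.send = send or self._send_http  # hook so tests need no network

    def _send_http(self, url, headers, payload):
        req = urllib.request.Request(url, data=json.dumps(payload).encode(),
                                     headers=headers, method="POST")
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())

    def handle(self, client_id, body):
        """Process one client request; returns (http_status, response_body)."""
        # Rate limit first: rejected requests must not cost an upstream call.
        if not self.bucket.allow(client_id):
            return 429, {"error": "rate limit exceeded"}
        try:
            payload = sanitize_query(body)
        except ValueError as exc:
            return 400, {"error": str(exc)}
        headers = {"Content-Type": "application/json",
                   "Authorization": f"Bearer {self.search_key}"}
        return self.send(self.url, headers, payload)


if __name__ == "__main__":
    # Offline demo with a stub upstream; values are placeholders.
    def stub_send(url, headers, payload):
        return 200, {"results": [], "sent": payload}

    proxy = SearchProxy("https://example.ent-search.invalid", "products",
                        "search-placeholder", TokenBucket(rate=1.0, burst=2),
                        send=stub_send)
    for _ in range(3):
        print(proxy.handle("device-1", {"query": "shoes", "filters": {"price": 0}}))
```

Rate limiting runs before query validation so that a flood of malformed requests still costs only a dictionary lookup, and the per-client key should be something the gateway can authenticate (a session or device token), not a client-supplied header, or the limiter is trivially bypassed.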