Since ES provides a REST API, with all the powerful frontend frameworks out there, it will be tempting to make ES REST calls directly from the frontend.
Would it be recommended to make such client-side ES calls, especially from a public-facing site (i.e. a site which doesn't require authentication)? What would be suggestions to make such a setup secure which wouldn't involve a login screen?
Do not expose Elasticsearch to the Internet, instead have an application make requests on behalf of the Internet. Do not entertain the thought of having an application "sanitize" requests to Elasticsearch. Understand that it is possible for a sufficiently determined malicious user to write searches that overwhelm the Elasticsearch cluster and bring it down. For example:
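As an added illustration of the advice above to have an application make requests on behalf of the Internet (this code is not part of the original answer or of Elasticsearch), the sketch below shows a backend that never accepts a query from the browser: it reads two plain parameters and builds the search body itself. The field name `title`, the limits and the helper names are assumptions chosen for the example.

```python
"""Added example: server-side search logic for a public, login-free site."""

MAX_TERM_LEN = 100      # assumed limit on the search box input
PAGE_SIZE = 10          # fixed by the application, never by the client
MAX_PAGE = 50           # caps from + size so deep paging is impossible
SEARCH_FIELD = "title"  # hypothetical field in a hypothetical index


class BadRequest(ValueError):
    """Raised when the public request is outside what the site offers."""


def build_search_body(params):
    """Map untrusted query-string parameters to a fixed Elasticsearch body.

    Only 'q' and 'page' are read. Anything else the client sends (a raw
    query DSL document, 'size', scripts, aggregations) is ignored, so
    there is no client-supplied query to sanitize.
    """
    term = params.get("q", "")
    if not isinstance(term, str) or not term.strip():
        raise BadRequest("q is required")
    if len(term) > MAX_TERM_LEN:
        raise BadRequest("q is too long")
    try:
        page = int(params.get("page", 1))
    except (TypeError, ValueError):
        raise BadRequest("page must be an integer")
    if not 1 <= page <= MAX_PAGE:
        raise BadRequest("page out of range")
    return {
        # 'match' analyzes the term as plain text; it does not parse
        # query-string operators or wildcards typed by the user.
        "query": {"match": {SEARCH_FIELD: {"query": term.strip()}}},
        "from": (page - 1) * PAGE_SIZE,
        "size": PAGE_SIZE,
        "timeout": "2s",            # bound the time spent on one search
        "_source": [SEARCH_FIELD],  # return only fields meant to be public
    }


if __name__ == "__main__":
    # Constructed request: the extra keys are dropped, not forwarded.
    print(build_search_body({"q": "kibana", "page": "2", "size": 10000}))
```

The application would send the returned body to a cluster reachable only from the backend network, using credentials limited to read access on the one index the site searches.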