Securing search endpoint

We have a self-hosted Enterprise Search instance with sensitive search data in it. A permanent public search API key doesn't meet our security standards.

What is the best way to ensure that only authenticated users can access the search endpoint? Our users are authenticated through AWS Cognito.

Thanks a lot in advance.

If a public search key does not meet your standards, then I would recommend proxying the search endpoint through your own API endpoint, which would implement whatever security protocols you wish.

@JasonStoltz thanks, will look into doing that. However, I'm currently using the SearchUI to handle all search requests - do you know of an easy way to add extra headers into the query - for the authentication token?

Sure. The App Search API connector is configured to pass through any additional options to the underlying API client: search-ui/packages/search-ui-app-search-connector at master · elastic/search-ui · GitHub. The underlying api client supports an additionalHeaders option, so you can use that: GitHub - elastic/app-search-javascript: Elastic App Search Official JavaScript Client.

Worked like a charm, thank you!

1 Like